How are you currently getting the logs to the parser?  Are you adding any
additional fields?

We use NXLog to send windows logs as syslog and we do some minor transforms
in order to clean it up, such as substituting tabs with spaces and adding
the event ID at the end (which isn't there by default).  I should be able
to provide some cleaned samples from my environment.

Jon

On Wed, Oct 5, 2016 at 10:17 AM Tseytlin, Keren <[email protected]> wrote:

> Cool. I can work on it in my spare time. Additional log files would be
> incredibly useful, or else this parser will be very specific to our use
> case – which is unlikely to be particularly useful to the larger population.
>
> Keren
>
> On 10/5/16, 9:53 AM, "Nick Allen" <[email protected]> wrote:
>
>     That would be great, Keren.  Let us know what you need to make that happen.
>
>     I think it would also be useful, if we could get anonymized test data from
>     multiple organizations using Active Directory.  That will help us ensure
>     that the AD parser is broadly useful and not specific to one organization's
>     AD installation.  If anyone else has AD logs that they could anonymize and
>     contribute, please chime in!
>
>     On Wed, Oct 5, 2016 at 9:39 AM, Tseytlin, Keren <[email protected]> wrote:
>
>     > Hi All,
>     >
>     > We have an active directory parser that is currently in production. We
>     > would be happy to contribute it and work with whoever to make it generic ☺
>     >
>     > Best,
>     > Keren
>     >
>     > On 10/3/16, 5:58 PM, "[email protected]" <[email protected]> wrote:
>     >
>     >     +1 in need of.  No current effort because it is not our primary kerb realm,
>     >     but we could use it.
>     >
>     >     On Mon, Oct 3, 2016, 17:18 James Sirota <[email protected]> wrote:
>     >
>     >     > I've seen traffic come through about multiple efforts for writing the AD
>     >     > parser for Metron.  I'd like to consolidate these efforts so that we can
>     >     > come up with a generic parser that is suitable for everyone's needs and
>     >     > that we don't duplicate effort.  Please post to this thread if you are
>     >     > working or are in need of the AD parser.  We can then throw a working group
>     >     > together and get the parser written and tested with everyone's telemetry.
>     >     > Also, please indicate if you are able to provide sample (anonymized) logs.
>     >     > If you are getting these logs from your corporate environment please check
>     >     > with your security office first prior to posting them.
>     >     >
>     >     > -------------------
>     >     > Thank you,
>     >     >
>     >     > James Sirota
>     >     > PPMC- Apache Metron (Incubating)
>     >     > jsirota AT apache DOT org
>     >     >
>     >     --
>     >
>     >     Jon
>     >
>     >
>     > ________________________________________________________
>     >
>     > The information contained in this e-mail is confidential and/or
>     > proprietary to Capital One and/or its affiliates and may only be used
>     > solely in performance of work or services for Capital One. The information
>     > transmitted herewith is intended only for use by the individual or entity
>     > to which it is addressed. If the reader of this message is not the intended
>     > recipient, you are hereby notified that any review, retransmission,
>     > dissemination, distribution, copying or other use of, or taking of any
>     > action in reliance upon this information is strictly prohibited. If you
>     > have received this communication in error, please contact the sender and
>     > delete the material from your computer.
>     >
>
>
>
>     --
>     Nick Allen <[email protected]>
>
-- 

Jon
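Added example, not code from this thread, from NXLog or from Metron: a small Python parser for the log shape Jon describes, BSD syslog from NXLog with tabs flattened to spaces and the event ID appended at the end. The sample line, its field layout and the field names are constructed assumptions; it also covers the case where a sender did not append the event ID.

```python
import re

# Constructed sample, not a captured log: a Security event 4624 forwarded by NXLog as
# BSD syslog with tabs and line breaks flattened to spaces and " EventID=<n>" appended,
# the shape Jon describes. The field layout is an assumption of this example.
SAMPLE = (
    "<13>Oct  5 10:17:03 DC01 Microsoft-Windows-Security-Auditing: "
    "An account was successfully logged on.  Subject:  Security ID:  S-1-5-18  "
    "Account Name:  DC01$  Account Domain:  CORP  Logon ID:  0x3E7  "
    "New Logon:  Security ID:  S-1-5-21-1111-2222-3333-1104  "
    "Account Name:  jdoe  Account Domain:  CORP  EventID=4624"
)

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
EVENT_ID_RE = re.compile(r"\s+EventID=(?P<id>\d+)\s*$")


def parse_ad_event(line: str) -> "dict | None":
    """Parse one NXLog-forwarded Windows event; None if the syslog header is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    # The appended EventID is optional: a sender without Jon's transform omits it.
    eid = EVENT_ID_RE.search(msg)
    event_id = int(eid.group("id")) if eid else None
    msg = msg[: eid.start()] if eid else msg
    # Tabs became spaces, so runs of two or more spaces separate labels and values.
    tokens = [t for t in re.split(r" {2,}", msg.strip()) if t]
    description = tokens[0] if tokens and not tokens[0].endswith(":") else ""
    fields, section = {}, ""
    for i, tok in enumerate(tokens):
        if not tok.endswith(":"):
            continue  # a value; it was consumed by the label before it
        key = tok[:-1]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is None or nxt.endswith(":"):
            section = key  # a header such as "Subject:" that carries no value of its own
        else:
            fields[f"{section}.{key}" if section else key] = nxt
    pri = int(m.group("pri"))
    return {
        "host": m.group("host"), "source": m.group("tag").strip(),
        "facility": pri // 8, "severity": pri % 8, "event_id": event_id,
        "description": description, "fields": fields,
    }
```

Repeated labels such as "Account Name" are disambiguated by the section they appear under, which is what makes the subject and the new logon distinguishable in a 4624 event.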
