Hi Marvin,

I'm not sure which one is the 'log type' column. The SourceName field is put into the 8th column in the snare format (i.e. Microsoft-Windows-Security-Auditing). See the function nx_logdata_to_syslog_snare in src/modules/extension/syslog/syslog.c
So it's either a bug or a problem in the formatter above, or the required field is not present (because your input source is not im_mseventlog). Hope this will help you identify the cause.

Regards,
Botond

On Fri, 31 May 2013 20:08:05 +0000 Marvin Nipper <[email protected]> wrote:
> Hi Botond. I know that this has been asked before, but I thought that I
> would (stupidly) ask again. I see that SNARE, running on a W2K8R2 server,
> will fill in the log type column for every line it generates (i.e. Security,
> System, Application, DNS, etc.), but as discussed in a previous thread, nxlog
> is not populating that column in the logs (when using, in my case, the
> to_syslog_snare capability). I'm thinking that this information has to be
> available (as SNARE obviously finds it), but because nxlog isn't populating
> it, it causes issues with our upstream SIEM components.
>
> Certainly (as you pointed out before), at least for Security events, it
> could potentially be discerned from other data in the line (e.g.
> "Microsoft-Windows-Security-Auditing"), but with other event types, that
> really isn't possible (unless you start coding ginormously complex
> expressions, to attempt to account for "every possible system or application
> component in the known universe", in order to try to "guess" at the nature of
> the log).
>
> So... (as if it was not already obvious), I guess I'm asking again, why it
> isn't possible for nxlog to correctly discern the nature of the log source,
> and always populate that value in the resulting output?
>
> And I would question whether everything within the "Application and Services"
> Event Log tree shouldn't also be tagged as an "Application" log?
>
> Sorry, again, for asking. I'm just really trying to find a way to use nxlog
> to transparently migrate away from a snare-based agent, but without it
> looking "more like snare" than is currently the case, it will make that
> effort significantly more difficult.
>
> Thanks for your time and consideration.
>
> Marvin

_______________________________________________
nxlog-ce-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
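The check a practitioner would run before filing the bug Botond mentions: parse a few Snare-format records, look at which column is empty, and see how far the "discern it from SourceName" workaround actually gets you. The script below is an added example written for this thread, not nxlog or Snare code. The thread confirms only that SourceName sits in column 8; the other column positions (column 4 as the log type, column 7 as the EventID, etc.) follow the Snare agent's published tab-delimited layout and are an assumption here, as is the optional syslog header in front of the body. The sample records are constructed.

```python
"""Check the Snare-format 'log type' column that the thread says nxlog leaves empty.

Added example for this thread; not nxlog or Snare code. Assumptions:
  * Records use the tab-delimited Snare 'MSWinEventLog' layout, optionally
    preceded by an RFC 3164 syslog header. The thread confirms only that
    SourceName is column 8; the other positions below follow the Snare
    agent's documented layout and are assumed here.
  * Sample lines are constructed, not captured from a real system.
"""
import re
from typing import Dict, List, Optional

# 1-based Snare columns: 1 Hostname, 2 "MSWinEventLog", 3 Criticality,
# 4 log type (Security/System/Application/...), 5 counter, 6 date/time,
# 7 EventID, 8 SourceName, 9 user, 10 SID type, 11 event type, 12 computer,
# 13 category, 14.. message data (which may itself contain tabs).
SNARE_FIELDS = [
    "Hostname", "Tag", "Criticality", "LogType", "Counter", "DateTime",
    "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
    "ComputerName", "Category", "Data",
]

# Optional syslog header such as "<13>May 31 20:08:05 " in front of the body.
_SYSLOG_HDR = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Log types recoverable from SourceName alone. Only the security channel has a
# provider name that pins the log down; System/Application providers are
# open-ended, which is the objection raised in the thread to guessing.
INFERABLE = {"Microsoft-Windows-Security-Auditing": "Security"}


def parse_snare(line: str) -> Dict[str, str]:
    """Split one Snare record into named columns; raise on non-Snare input."""
    body = _SYSLOG_HDR.sub("", line.rstrip("\r\n"))
    parts = body.split("\t")
    if len(parts) < 8 or parts[1] != "MSWinEventLog":
        raise ValueError("not a Snare MSWinEventLog record: %r" % body[:60])
    rec = dict(zip(SNARE_FIELDS, parts))
    # Everything from column 14 onwards is message data; keep embedded tabs.
    rec["Data"] = "\t".join(parts[len(SNARE_FIELDS) - 1:])
    return rec


def resolve_log_type(rec: Dict[str, str]) -> Optional[str]:
    """Column 4 if populated, else the provider-based guess, else None."""
    log_type = rec["LogType"].strip()
    if log_type:
        return log_type
    return INFERABLE.get(rec["SourceName"].strip())


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Classify each record: 'populated', 'inferred' from column 8, or 'missing'."""
    result = []
    for line in lines:
        rec = parse_snare(line)
        resolved = resolve_log_type(rec)
        if rec["LogType"].strip():
            status = "populated"
        elif resolved:
            status = "inferred"
        else:
            status = "missing"
        result.append({"EventID": rec["EventID"], "SourceName": rec["SourceName"],
                       "LogType": resolved or "", "status": status})
    return result


def _record(*cols: str) -> str:
    return "\t".join(cols)


# Constructed sample input: one Snare-agent style line with column 4 filled,
# two nxlog-style lines with column 4 empty.
SAMPLE_LINES = [
    _record("WIN2K8R2", "MSWinEventLog", "1", "Security", "1042",
            "Fri May 31 20:01:10 2013", "4624", "Microsoft-Windows-Security-Auditing",
            "N/A", "N/A", "Success Audit", "WIN2K8R2", "Logon",
            "An account was successfully logged on."),
    "<13>May 31 20:01:11 " + _record(
        "WIN2K8R2", "MSWinEventLog", "1", "", "1043",
        "Fri May 31 20:01:11 2013", "4634", "Microsoft-Windows-Security-Auditing",
        "N/A", "N/A", "Success Audit", "WIN2K8R2", "Logoff",
        "An account was logged off."),
    _record("WIN2K8R2", "MSWinEventLog", "1", "", "1044",
            "Fri May 31 20:01:12 2013", "7036", "Service Control Manager",
            "N/A", "N/A", "Information", "WIN2K8R2", "None",
            "The Windows Update service entered the running state."),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_LINES):
        print("%-5s %-38s log type=%-10r %s" % (row["EventID"], row["SourceName"],
                                                 row["LogType"], row["status"]))
```

Run against the three constructed records, the Snare-agent line reports `populated`, the nxlog security event is `inferred` from its provider name, and the nxlog Service Control Manager event comes out `missing`: exactly the case Marvin describes where no amount of SourceName matching recovers the log type, so the fix has to be in the producer (column 4 of the formatter output), not in the consumer.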
