Hi Michael,

You may run into some other things that are "different" in terms of the SNARE output. Assuming that they come through, I've attached two include files out of my environment (one for pre-Vista, and then the Vista version). I've sort of compartmentalized a lot of the configuration file components so as to make the root configuration file very simple, and these are just two of the include files, out of the larger set of files, so there are some variables here (e.g. for the desired log sources) that get filled in elsewhere, but I don't think that matters much. The real point is the work done in the Exec statements, which attempts to build output content that looks (almost?) identical to the standard SNARE output. Maybe this will be of some use to you.

(I also have a system that knows how to "eat standard SNARE" output, and also expected everything to be "just like SNARE", so that's how/why I ended up coding this reformatting logic.) And, FWIW, I echo your sentiment about nxlog. We just have our "toe in the water" at this point, with respect to using it, but it seems to have an almost unbelievable amount of flexibility.

Anyway, I hope you find these useful.

Marvin

-----Original Message-----
From: Michael Starks [mailto:nxlog-l...@michaelstarks.com]
Sent: Wednesday, October 16, 2013 4:12 PM
To: nxlog-ce-users@lists.sourceforge.net
Subject: [nxlog-ce-users] Hello and Suggestion

Hello everyone,

I wanted to pop in and say how impressed I am with nxlog. I really like the architecture and philosophy on how it is compartmentalized and tries to maintain structured data throughout the transaction. That makes perfect sense.

Anyway, I am testing out the Windows agent Snare compatibility and I noticed something that I want to make a suggestion about. The Snare format is documented in Appendix A of the Guide to Snare for Windows (http://www.intersectalliance.com/resources/Documentation/Guide_to_Snare_for_Windows-4.1.2.pdf). In reviewing the nxlog interpretation, I discovered that certain fields, such as the Snare event counter field, are stamped as N/A in nxlog. I see why. It's not really Snare so it really is N/A, but the problem is that it may not be interpreted correctly by log analysis tools. For example, I am rewriting the Snare decoder in OSSEC and I have to account for a non-numeric field in order for nxlog-formatted Snare to work properly. I think it would be better if nxlog stuck to the expected data type and just put something like 0 in those fields. So there's my suggestion.

Thanks again for a great product and for making it open source.

-Michael

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
Attachments: WinnewModule.conf, WinoldModule.conf
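As an added example (not code from the thread, the nxlog project, or Marvin's attachments): a small Python decoder of the kind Michael describes rewriting for OSSEC, which accepts the non-numeric counter that nxlog stamps, maps it to 0 as the thread suggests, and flags it instead of dropping the event. The tab-delimited field order is an assumption taken from the Snare guide's layout, and the sample records are constructed.

```python
import re
from typing import Any, Dict, Tuple

# Leading fields of a Snare-for-Windows record (tab-delimited). The order
# is an assumption based on the Snare guide's Appendix A layout; the
# free-text fields that follow source_name are kept verbatim in "rest".
LEAD_FIELDS = ("hostname", "tag", "criticality", "event_log_source",
               "counter", "date_time", "event_id", "source_name")
_PRI_RE = re.compile(r"^<\d{1,3}>")  # optional syslog priority, e.g. <13>


def normalize_counter(raw: str) -> Tuple[int, bool]:
    """Return (counter, synthetic). Genuine Snare writes a number here;
    nxlog writes "N/A". Non-numeric values become 0 (the thread's
    suggestion) and are flagged so a consumer never relies on a synthetic
    counter for detecting dropped events."""
    raw = raw.strip()
    return (int(raw), False) if raw.isdigit() else (0, True)


def decode_snare(line: str) -> Dict[str, Any]:
    """Decode one Snare-style line. Splits only as many tabs as there are
    leading fields so tabs inside the event message are preserved."""
    body = _PRI_RE.sub("", line.rstrip("\r\n"))
    parts = body.split("\t", len(LEAD_FIELDS))
    if len(parts) <= len(LEAD_FIELDS) or parts[1] != "MSWinEventLog":
        raise ValueError("not a Snare MSWinEventLog record")
    rec: Dict[str, Any] = dict(zip(LEAD_FIELDS, parts))
    rec["rest"] = parts[len(LEAD_FIELDS)]
    rec["counter"], rec["counter_synthetic"] = normalize_counter(rec["counter"])
    if not rec["event_id"].isdigit():
        raise ValueError("event_id is not numeric: %r" % rec["event_id"])
    rec["event_id"] = int(rec["event_id"])
    return rec


# Constructed samples: a genuine-looking Snare record, the same record as
# nxlog would stamp it (counter = N/A), and one line that is not Snare.
SAMPLE_SNARE = ("<13>host1\tMSWinEventLog\t1\tSecurity\t412\t"
                "Wed Oct 16 16:12:00 2013\t4624\tMicrosoft-Windows-Security-Auditing\t"
                "alice\tUser\tSuccess Audit\thost1\tLogon\tAn account was logged on.")
SAMPLE_NXLOG = SAMPLE_SNARE.replace("\t412\t", "\tN/A\t")
SAMPLE_OTHER = "<13>host1 sshd[123]: Accepted publickey for bob"

if __name__ == "__main__":
    for sample in (SAMPLE_SNARE, SAMPLE_NXLOG):
        r = decode_snare(sample)
        print(r["hostname"], r["event_id"], r["counter"], r["counter_synthetic"])
```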