Hi,

Thanks for the suggestions regarding the snare format. On one hand you are right that it would enhance compatibility, on the other hand N/A is used for all fields so we could also say that the OSSEC snare decoder isn't perfect either. BTW, a similar case is W3C where the '-' character (N/A equivalent) is allowed for fields which are undefined.
There were several earlier suggestions regarding the snare format produced by to_syslog_snare() and all that is not forgotten. It's just that polishing the snare format isn't top priority since it is an old, looser format that the world is moving away from and there are far more important features which are important to the users of nxlog. Most of the snare format modifications would be quite trivial though. If you or someone wants a sponsored development on this, feel free to get in touch.

Regards,
Botond

On Wed, 16 Oct 2013 17:11:56 -0500 Michael Starks <nxlog-l...@michaelstarks.com> wrote:
> Hello everyone,
>
> I wanted to pop in and say how impressed I am with nxlog. I really like
> the architecture and philosophy on how it is compartmentalized and tries
> to maintain structured data throughout the transaction. That makes
> perfect sense.
>
> Anyway, I am testing out the Windows agent Snare compatibility and I
> noticed something that I want to make a suggestion about. The Snare
> format is documented in Appendix A of the Guide to Snare for Windows
> (http://www.intersectalliance.com/resources/Documentation/Guide_to_Snare_for_Windows-4.1.2.pdf).
>
> In reviewing the nxlog interpretation, I discovered that certain
> fields, such as the Snare event counter field, are stamped as N/A in
> nxlog. I see why. It's not really Snare so it really is N/A, but the
> problem is that it may not be interpreted correctly by log analysis
> tools. For example, I am rewriting the Snare decoder in OSSEC and I have
> to account for a non-numeric field in order for nxlog-formatted Snare to
> work properly. I think it would be better if nxlog stuck to the expected
> data type and just put something like 0 in those fields.
>
> So there's my suggestion. Thanks again for a great product and for
> making it open source.
>
> -Michael

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
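The interoperability problem the thread describes, as an added example that is not part of the thread and is neither nxlog's nor OSSEC's code: a tolerant decoder for tab-delimited Snare records whose strict mode behaves like a parser that expects a genuine Snare agent (a non-numeric event counter is an error) and whose lenient mode accepts nxlog's N/A, or the W3C-style '-', and reports that a placeholder was seen instead of dropping the record. The field order after the MSWinEventLog marker is my recollection of the tab-delimited layout from the Snare for Windows guide and is an assumption to be checked against Appendix A; the sample records are constructed, not captured from real hosts.

```python
"""Tolerant decoder for tab-delimited Snare-for-Windows records.

Added example, not nxlog or OSSEC code. SNARE_FIELDS is the layout as I
recall it from the Snare for Windows guide and is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

MARKER = "MSWinEventLog\t"

# Fields that follow the MSWinEventLog marker, in order (assumed layout).
SNARE_FIELDS = (
    "criticality", "source_log", "counter", "datetime", "event_id",
    "source_name", "user_name", "sid_type", "event_log_type",
    "computer_name", "category", "data", "expanded",
)

# Placeholders a sender may put in a numeric slot: nxlog's "N/A" and the
# W3C-style "-" mentioned in the thread.
NA_TOKENS = frozenset({"N/A", "-", ""})


@dataclass
class SnareEvent:
    host: str
    fields: dict
    counter: Optional[int]          # None when the sender emitted a placeholder
    counter_was_placeholder: bool
    extra: list = field(default_factory=list)  # trailing fields, e.g. a checksum


def coerce_counter(value: str, strict: bool) -> tuple:
    """Map the Snare event counter field to an int.

    strict=True behaves like a decoder written for a genuine Snare agent:
    anything non-numeric is an error. strict=False accepts the placeholders
    and flags them rather than failing the whole record.
    """
    if value in NA_TOKENS:
        if strict:
            raise ValueError(f"non-numeric Snare counter: {value!r}")
        return None, True
    return int(value), False


def parse_snare(line: str, strict: bool = False) -> SnareEvent:
    """Parse one record in either the bare "host<TAB>MSWinEventLog..." form
    or the syslog-wrapped "<PRI>Mon DD HH:MM:SS host MSWinEventLog..." form."""
    idx = line.find(MARKER)
    if idx < 0:
        raise ValueError("not a Snare MSWinEventLog record")
    header_tokens = line[:idx].split()   # splits on both spaces and tabs
    if not header_tokens:
        raise ValueError("missing hostname before MSWinEventLog")
    host = header_tokens[-1]              # last header token is the hostname
    cols = line[idx + len(MARKER):].rstrip("\r\n").split("\t")
    if len(cols) < len(SNARE_FIELDS):
        raise ValueError(f"expected {len(SNARE_FIELDS)} fields, got {len(cols)}")
    fields = dict(zip(SNARE_FIELDS, cols))
    counter, placeholder = coerce_counter(fields["counter"], strict)
    return SnareEvent(host, fields, counter, placeholder, cols[len(SNARE_FIELDS):])


def numeric_counter(ev: SnareEvent) -> int:
    """The value Michael proposes nxlog itself should emit: 0 where there is
    no real counter, so numeric consumers never see a string."""
    return ev.counter if ev.counter is not None else 0


def strict_rejects(line: str) -> bool:
    """True if a decoder that insists on a numeric counter drops this record."""
    try:
        parse_snare(line, strict=True)
    except ValueError:
        return True
    return False


# Constructed sample records (not captured from real hosts).
SNARE_AGENT_LINE = (
    "<13>Oct 16 17:11:56 WINSRV01 MSWinEventLog\t1\tSecurity\t12345\t"
    "Wed Oct 16 17:11:55 2013\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "CORP\\jdoe\tUser\tSuccess Audit\tWINSRV01\tLogon\t"
    "An account was successfully logged on.\t\t987654321"
)
NXLOG_STYLE_LINE = (
    "<13>Oct 16 17:12:03 WINSRV01 MSWinEventLog\t1\tSecurity\tN/A\t"
    "Wed Oct 16 17:12:02 2013\t4625\tMicrosoft-Windows-Security-Auditing\t"
    "CORP\\jdoe\tUser\tFailure Audit\tWINSRV01\tLogon\t"
    "An account failed to log on.\t"
)

if __name__ == "__main__":
    for raw in (SNARE_AGENT_LINE, NXLOG_STYLE_LINE):
        ev = parse_snare(raw)
        print(ev.host, ev.fields["event_id"], numeric_counter(ev),
              "placeholder" if ev.counter_was_placeholder else "numeric",
              "strict-rejects" if strict_rejects(raw) else "strict-ok")
```

The strict path is the failure mode Michael ran into: a decoder that does `int(counter)` unconditionally discards every nxlog-produced record. The lenient path keeps the record and preserves the fact that the counter was absent, which is more useful to a detection pipeline than silently storing 0; if the producer is changed to emit 0 as proposed, both paths accept the record and the flag simply never fires.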