Hello,

There were some posts earlier about the Snare format and QRadar
compatibility. If you search the list archives you should find some posts
that may help; there were even config files attached, AFAIR.

Regards,
Botond

On Wed, 18 Dec 2013 14:48:11 -0800
Tim Washburn <tim_washb...@bio-rad.com> wrote:

> Hi All,
> 
> I've got nxlog installed on a Windows Server 2008R2 Domain Controller. I've 
> been writing out to a file for debugging purposes and have been able to 
> trim out those events that had little or no value. However, I'm now working 
> on how to get rid of the "N/A" that is appearing in the event logs. The 
> following snippets show up as a single file without CRs or LBs; I've 
> added some here for readability only. Once this gets to the SIEM it is 
> lost, as the SIEM (QRadar) does not know what to do with the events: the 
> events don't appear to be standard syslog format.
> 
> ++++++++++++++++++++++++++++++++++
> samples
> ++++++++++++++++++++++++++++++++++
> N/A<14>Dec 18 20:48:45 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog      2 
> N/A     N/A     Wed Dec 18 20:48:45 2013        7036    Service Control 
> Manager N/A     N/A     INFO    DRMARDC102.Global.Bio-Rad.Com   N/A 
> EventTime=2013-12-18 20:48:45 Hostname=DRMARDC102.Global.Bio-Rad.Com 
> Keywords=-9187343239835811840 EventType=INFO SeverityValue=2 Severity=INFO 
> EventID=7036 SourceName='Service Control Manager' 
> ProviderGuid={555908D1-A6D7-4695-8E1E-26931D2012F4} Version=0 Task=0 
> OpcodeValue=0 RecordNumber=637429 ProcessID=504 ThreadID=5724 
> Channel=System Message='The nxlog service entered the stopped state.' 
> param1=nxlog param2=stopped EventReceivedTime=2013-12-18 20:53:20 
> SourceModuleName=in SourceModuleType=im_msvistalog 
> 
>         N/A<14>Dec 18 20:49:02 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog 
> 2       N/A     N/A     Wed Dec 18 20:49:02 2013        256 
> vmStatsProvider N/A     N/A     INFO    DRMARDC102.Global.Bio-Rad.Com 
> General         EventTime=2013-12-18 20:49:02 
> Hostname=DRMARDC102.Global.Bio-Rad.Com Keywords=36028797018963968 
> EventType=INFO SeverityValue=2 Severity=INFO EventID=256 
> SourceName=vmStatsProvider Task=1 RecordNumber=944804 ProcessID=0 
> ThreadID=0 Channel=Application Message='The "vmStatsProvider" is 
> successfully initialized for this Virtual Machine. WMI namespace: 
> "root\CIMV2".' Category=General Opcode=Info EventReceivedTime=2013-12-18 
> 20:53:21 SourceModuleName=in SourceModuleType=im_msvistalog 
> 
>         N/A<14>Dec 18 20:49:02 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog 
> 2       N/A     N/A     Wed Dec 18 20:49:02 2013        8002 
> Microsoft-Windows-NTLM  SYSTEM  User    INFO DRMARDC102.Global.Bio-Rad.Com 
> Auditing NTLM           EventTime=2013-12-18 20:49:02 
> Hostname=DRMARDC102.Global.Bio-Rad.Com Keywords=-9223372036854775808 
> EventType=INFO SeverityValue=2 Severity=INFO EventID=8002 
> SourceName=Microsoft-Windows-NTLM 
> ProviderGuid={AC43300D-5FCC-4800-8E99-1BD3F85F0320} Version=0 Task=2 
> OpcodeValue=0 RecordNumber=15883545 ProcessID=512 ThreadID=5856 
> Channel=Microsoft-Windows-NTLM/Operational Domain='NT AUTHORITY' 
> AccountName=SYSTEM UserID=SYSTEM AccountType=User Message='NTLM server 
> blocked audit: Audit Incoming NTLM Traffic that would be blocked  Calling 
> process PID: 4  Calling process name:   Calling process LUID: 0x3e7 
> Calling process user identity: DRMARDC102$  Calling process domain 
> identity: GLOBAL  Mechanism OID: 1.3.6.1.4.1.311.2.2.10    Audit NTLM 
> authentication requests to this server that would be blocked if the 
> security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is 
> set to Deny all accounts or Deny all domain accounts.    If you want this 
> server to allow NTLM authentication, set the security policy Network 
> Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.' 
> Category='Auditing NTLM' Opcode=Info CallerPID=4 ClientLUID=0x3e7 
> ClientUserName=DRMARDC102$ ClientDomainName=GLOBAL 
> MechanismOID=1.3.6.1.4.1.311.2.2.10 EventReceivedTime=2013-12-18 20:53:21 
> SourceModuleName=in SourceModuleType=im_msvistalog 
> 
> +++++++++++++++++++++++++++++++++++++++++++
> nxlog config
> +++++++++++++++++++++++++++++++++++++++++++
> define ROOT C:\Program Files (x86)\nxlog
> 
> Moduledir %ROOT%\modules
> CacheDir  %ROOT%\data
> Pidfile   %ROOT%\data\nxlog.pid
> SpoolDir  D:\syslog_data\data
> LogFile   D:\syslog_data\data\nxlog.log
> 
> # Include fileop while debugging, also enable in the output module below
> <Extension fileop>
>     Module      xm_fileop
> </Extension>
> 
> <Extension kvp>
>     Module       xm_kvp
>     KVDelimiter  =
>     KVPDelimiter \t
> </Extension>
> 
> <Extension syslog>
>     Module      xm_syslog
> </Extension>
> 
> <Input in>
>     Module  im_msvistalog
>     # Drop verbose events, two noisy channels and the event IDs listed below
>     Exec    if ($EventType == 'VERBOSE') \
>                OR ($Channel == 'Microsoft-Windows-GroupPolicy') OR ($Channel == 'Application') \
>                OR ($EventID == 8002) OR ($EventID == 8245) OR ($EventID == 1111) OR ($EventID == 102) \
>                OR ($EventID == 200) OR ($EventID == 203) OR ($EventID == 101) OR ($EventID == 311) \
>                OR ($EventID == 5312) OR ($EventID == 5313) OR ($EventID == 5857) OR ($EventID == 5315) \
>                OR ($EventID == 5145) OR ($EventID == 5156) OR ($EventID == 5140) \
>                OR ($EventID == 4656) OR ($EventID == 4661) OR ($EventID == 4697) OR ($EventID == 4698) \
>                OR ($EventID == 4699) OR ($EventID == 4700) OR ($EventID == 4701) OR ($EventID == 4702) \
>                OR ($EventID == 4928) OR ($EventID == 4929) OR ($EventID == 4930) OR ($EventID == 4931) \
>                OR ($EventID == 4932) OR ($EventID == 4658) OR ($EventID == 4933) OR ($EventID == 4935) \
>                OR ($EventID == 4936) OR ($EventID == 4937) OR ($EventID == 602) OR ($EventID == 4016) \
>                OR ($EventID == 4611) OR ($EventID == 4688) OR ($EventID == 4689) OR ($EventID == 4696) \
>                OR ($EventID == 1704) OR ($EventID == 704) \
>             drop();
>     ReadFromLast TRUE
> </Input>
> 
> <Output qradar>
>     Module      om_tcp
>     Host        10.1.249.38
>     Port        514
>     # Flatten all fields into key=value pairs, use that as the message body,
>     # then wrap the record in the Snare syslog header
>     Exec        kvp->to_kvp(); $Message = $raw_event; to_syslog_snare();
>     # Debug copy of exactly what is sent to QRadar
>     Exec        file_write("D:\\syslog_data\\data\\nxlog_output_7.log", $raw_event);
> </Output>
> 
> <Route 1>
>     Path        in => qradar
> </Route>
> 
> Regards
> Tim Washburn
>  
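An added example, not code from the post above or from the nxlog project: a small Python checker for what the Snare-formatted stream looks like on the wire. It reproduces the shape of the posted samples as a constructed input (tabs assumed where the mail wrapping shows runs of spaces, the trailing "N/A" kept where the post shows it, right before the next `<14>`, and no line terminator between records), splits the stream at each syslog header, names the tab-separated Snare columns that carry "N/A", and flags the missing record terminator. The column labels are the example's own assumption about the Snare layout; the post does not name them.

```python
"""Diagnose nxlog to_syslog_snare() output as a receiver would see it.

Added example (not from the mailing-list post or the nxlog project). The
Snare column labels below are an assumption based on the usual Snare layout.
"""
import re

# Tab-separated columns that follow the literal "MSWinEventLog" marker, in
# order. The data string that follows them is handled separately because it
# carries the key=value payload built by to_kvp().
SNARE_COLUMNS = (
    "criticality", "log_name", "counter", "datetime", "event_id",
    "source_name", "user_name", "sid_type", "event_type",
    "computer_name", "category",
)
NA = "N/A"  # placeholder seen in the post for columns with no value

# <PRI>, BSD syslog timestamp, hostname, then the Snare marker and a tab.
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) MSWinEventLog\t"
)

# Constructed sample: two records shaped like those in the post, with a
# leading "N/A", tabs between columns, and no terminator between records.
SAMPLE = (
    "N/A"
    "<14>Dec 18 20:48:45 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog\t2\tN/A\tN/A\t"
    "Wed Dec 18 20:48:45 2013\t7036\tService Control Manager\tN/A\tN/A\tINFO\t"
    "DRMARDC102.Global.Bio-Rad.Com\tN/A\t"
    "EventTime=2013-12-18 20:48:45\tEventID=7036\tChannel=System\t"
    "Message='The nxlog service entered the stopped state.'\t"
    "SourceModuleType=im_msvistalog\tN/A"
    "<14>Dec 18 20:49:02 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog\t2\tN/A\tN/A\t"
    "Wed Dec 18 20:49:02 2013\t8002\tMicrosoft-Windows-NTLM\tSYSTEM\tUser\tINFO\t"
    "DRMARDC102.Global.Bio-Rad.Com\tAuditing NTLM\t"
    "EventTime=2013-12-18 20:49:02\tEventID=8002\t"
    "Channel=Microsoft-Windows-NTLM/Operational\tAccountName=SYSTEM\t"
    "ClientUserName=DRMARDC102$\tSourceModuleType=im_msvistalog\tN/A"
)


def parse_record(chunk):
    """Parse one record: text from a syslog header up to the next header.

    Returns the header parts, the named Snare columns, which of them are
    "N/A", the key=value payload, and a list of problems found."""
    problems = []
    m = HEADER_RE.match(chunk)
    if m is None:
        return {"raw": chunk, "problems": ["no syslog header at record start"]}
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        problems.append("PRI out of range")
    cols = chunk[m.end():].split("\t", len(SNARE_COLUMNS))
    want = len(SNARE_COLUMNS) + 1  # named columns plus the data string
    if len(cols) != want:
        problems.append("expected %d Snare columns, found %d" % (want - 1, len(cols) - 1))
        cols += [""] * (want - len(cols))
    fields = dict(zip(SNARE_COLUMNS, cols))
    data = cols[-1]
    if not data.endswith("\n"):
        problems.append("record not newline-terminated")
    kvp = {}
    for token in data.strip().split("\t"):
        if "=" in token:
            key, value = token.split("=", 1)
            kvp[key] = value
        elif token:  # e.g. a trailing "N/A" glued onto the payload
            problems.append("stray text in data: %r" % token)
    return {
        "pri": pri, "facility": pri >> 3, "severity": pri & 7,
        "timestamp": m.group("ts"), "hostname": m.group("host"),
        "fields": fields,
        "na_columns": [c for c in SNARE_COLUMNS if fields[c] == NA],
        "kvp": kvp, "problems": problems,
    }


def parse_stream(stream):
    """Split a terminator-less stream at each syslog header and parse the pieces.

    Returns (text_before_first_header, [records])."""
    starts = [m.start() for m in HEADER_RE.finditer(stream)]
    leading = stream[:starts[0]] if starts else stream
    records = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(stream)
        records.append(parse_record(stream[start:end]))
    return leading, records


def na_histogram(records):
    """Count, per Snare column, how many records carry the "N/A" placeholder."""
    counts = dict.fromkeys(SNARE_COLUMNS, 0)
    for rec in records:
        for col in rec.get("na_columns", ()):
            counts[col] += 1
    return counts


if __name__ == "__main__":
    junk, recs = parse_stream(SAMPLE)
    print("text before first header: %r" % junk)
    for rec in recs:
        print(rec["hostname"], rec["fields"]["event_id"],
              "N/A in", rec["na_columns"], rec["problems"])
    print({c: n for c, n in na_histogram(recs).items() if n})
```

Run parse_stream() over the contents of the debug copy the output module writes (nxlog_output_7.log in the config above) to get the same report for real data: a receiver expecting syslog needs every record to begin with `<PRI>` and to be separated from the next one, so any text reported before the first header, any "stray text in data", and every "record not newline-terminated" is something to fix on the nxlog side before blaming the SIEM parser.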

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
