I am attempting to use the SNARE Output option to forward events to our SIEM. The problem I am encountering is Nxlog replaces the "Snare Event Counter" field with "N/A". This is causing the events being sent to the SIEM to be dropped since the parser is looking for an integer instead of the string that is used by Nxlog.
I've found the line that produces this output in the Nxlog source code:

    // 5. Snare Event Counter
    // we could use module->evt_recvd here, but is complicated so this is set to N/A
    nx_string_append(logdata->raw_event, "N/A", -1);
    nx_string_append(logdata->raw_event, delimiterstr, 1);

I figure I can change the code and recompile, but I'm figuring that there has to be a simpler way. Using the standard config that Nxlog provides, is there any way I can mod the config to insert an integer?

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input internal>
        Module im_internal
    </Input>

    <Input eventlog>
        Module im_msvistalog
    </Input>

    <Output out>
        Module om_tcp
        Host   192.168.33.45
        Port   514
        Exec   to_syslog_snare();
    </Output>

    <Route 1>
        Path eventlog, internal => out
    </Route>

Respectfully,
Jordan D. Jones
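An added configuration example, not from the original post and not from nxlog's own documentation, showing one config-only way to give the SIEM an integer in that field: let to_syslog_snare() build $raw_event as before, then patch the counter field in the same Exec block before om_tcp sends the line. It assumes the default tab delimiter that to_syslog_snare() emits and that this nxlog build supports the `=~ s/.../.../` substitution on $raw_event; the value 0 is a constructed placeholder chosen only so an integer parser accepts the field.

```nxlog
# Added example (assumption-based, not the original poster's config):
# rewrite the Snare Event Counter that nxlog hard-codes to "N/A".
#
# Field order in the SNARE header is
#   <host> MSWinEventLog<TAB><criticality><TAB><source><TAB><counter><TAB>...
# Criticality is numeric and source is the log name, so the counter is the
# first tab-delimited field nxlog fills with N/A. Without a /g flag the
# substitution replaces only the first match, which keeps later fields
# untouched.
<Output out>
    Module  om_tcp
    Host    192.168.33.45
    Port    514
    # Build the SNARE line first, then patch the counter field.
    Exec    to_syslog_snare(); \
            $raw_event =~ s/\tN\/A\t/\t0\t/;
</Output>
```

Two things to check after enabling this: confirm on the wire (a packet capture on port 514, or the SIEM's raw-event view) that only the fourth SNARE field changed, and decide whether a constant is acceptable. Snare agents use that counter so the collector can detect gaps in delivery; a fixed 0 satisfies the parser but removes that gap detection, so if the SIEM relies on it, a per-module running counter (or the source change the poster mentions) is the better fix.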
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users