Hello,

This issue has been sorted out and the to_syslog_snare() formatter should now produce more Snare-compliant output, to be released in the next version. Since there were a couple of other users complaining earlier, thought I'd mention that if there is interest, I'll provide a snapshot version to test so that you don't have to wait until the official release, and in case there are still issues with it that need to be tweaked.

Regards,
Botond

On Thu, 3 Apr 2014 18:07:29 +0000
"Jones, Jordan - NITC, Kansas City, MO" <jordan.jo...@ocio.usda.gov> wrote:

> I am attempting to use the SNARE Output option to forward events to our SIEM.
> The problem I am encountering is Nxlog replaces the "Snare Event Counter"
> field with "N/A". This is causing the events being sent to the SIEM to be
> dropped since the parser is looking for an integer instead of the string that
> is used by Nxlog.
>
> I've found the line that produces this output in Nxlog source code...
>
>     // 5. Snare Event Counter
>     // we could use module->evt_recvd here, but is complicated so this is set to N/A
>     nx_string_append(logdata->raw_event, "N/A", -1);
>     nx_string_append(logdata->raw_event, delimiterstr, 1);
>
> I figure I can change the code and recompile, but I'm figuring that there has
> to be a simpler way. Using the standard config that Nxlog provides is there
> any way I can mod the config to insert an integer?
>
> #define ROOT C:\Program Files\nxlog
> define ROOT C:\Program Files (x86)\nxlog
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
>
> <Extension syslog>
>     Module xm_syslog
> </Extension>
>
> <Input internal>
>     Module im_internal
> </Input>
>
> <Input eventlog>
>     Module im_msvistalog
> </Input>
>
> <Output out>
>     Module om_tcp
>     Host 192.168.33.45
>     Port 514
>     Exec to_syslog_snare();
> </Output>
>
> <Route 1>
>     Path eventlog, internal => out
> </Route>
>
> Respectfully,
> Jordan D. Jones
>
> This electronic message contains information generated by the USDA solely for
> the intended recipients. Any unauthorized interception of this message or the
> use or disclosure of the information it contains may violate the law and
> subject the violator to civil or criminal penalties. If you believe you have
> received this message in error, please notify the sender and delete the email
> immediately.

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
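
A check for the symptom described in the quoted message, added here as an example and not part of the original thread or of nxlog's code: it reports which forwarded records a parser expecting an integer counter would reject. The tab delimiter, the position of the counter after the MSWinEventLog tag, and the sample records are assumptions constructed for illustration.

```python
import re

# Assumed layout: the thread only names "5. Snare Event Counter". Here the
# syslog header is taken to carry the hostname (1) and the MSWinEventLog tag
# (2), followed by delimited criticality (3), log source (4) and counter (5).
SNARE_TAG = "MSWinEventLog"
COUNTER_INDEX = 3  # position after splitting on the delimiter (header is 0)


def check_snare_counter(line, delimiter="\t"):
    """Return (ok, reason) for one Snare-over-syslog record."""
    fields = line.rstrip("\r\n").split(delimiter)
    if not fields[0].endswith(SNARE_TAG):
        return False, "not a Snare MSWinEventLog record"
    if len(fields) <= COUNTER_INDEX:
        return False, "record too short to hold a counter field"
    counter = fields[COUNTER_INDEX]
    if not re.fullmatch(r"[0-9]+", counter):
        return False, "counter field is %r, not an integer" % counter
    return True, "counter=%d" % int(counter)


def audit(lines, delimiter="\t"):
    """Return (line_number, reason) for every record a strict parser drops."""
    rejected = []
    for number, line in enumerate(lines, start=1):
        ok, reason = check_snare_counter(line, delimiter)
        if not ok:
            rejected.append((number, reason))
    return rejected


# Constructed sample records, truncated after the event ID field.
SAMPLE = [
    "<13>Apr  3 18:07:29 HOST01 MSWinEventLog\t0\tSecurity\tN/A"
    "\tThu Apr 03 18:07:29 2014\t4624",
    "<13>Apr  3 18:07:30 HOST01 MSWinEventLog\t0\tSecurity\t42"
    "\tThu Apr 03 18:07:30 2014\t4634",
    "<13>Apr  3 18:07:31 HOST01 nxlog: connection established",
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE):
        print("line %d rejected: %s" % (number, reason))
```

Run against a capture of what the output module sends, it shows whether a given build still emits "N/A" in the counter position before the SIEM is pointed at it.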