For me it was a brand new installation on which I used the most current
version. For testing, I did use the old version, which gave me the same
results. For some reason the logs are being viewed as generic syslog and
not the Snare-formatted syslog, so ArcSight cannot parse it. Again, it came
in at one time as Snare syslog but all of a sudden it stopped, even though
my conf file is set up for Snare syslog. Does anyone have an example of a
config that is successfully sending Windows event logs in the Snare format?

<Extension syslog>
    Module      xm_syslog
</Extension>

# Security logon/account-management events plus the DHCP client, Unified Write
# Filter and Windows Defender operational channels (Query continues with "\")
<Input eventlog>
    Module      im_msvistalog
    ReadFromLast True
    Query <QueryList>\
  <Query Id="0" Path="Security">\
    <Select Path="Security">*[System[( (EventID &gt;= 4624 and EventID &lt;= 4625) or EventID=4647 or (EventID &gt;= 4720 and EventID &lt;= 4760) or (EventID &gt;= 4778 and EventID &lt;= 4779) or EventID=4781 or (EventID &gt;= 4800 and EventID &lt;= 4803) )]]</Select>\
    <Select Path="Microsoft-Windows-Dhcp-Client/Operational">*[System[(EventID=50028)]]</Select>\
    <Select Path="Microsoft-Windows-UnifiedWriteFilter/Operational">*[System[(EventID=1001 or EventID=1002)]]</Select>\
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
  </Query>\
</QueryList>
</Input>

# Send each event to the SIEM as BSD syslog carrying a Snare (MSWinEventLog) record
<Output out>
    Module      om_tcp
    Host        10.170.1.77
    Port        514
    Exec        to_syslog_snare();
</Output>


On Mon, Aug 4, 2014 at 7:54 AM, Botond Botyanszki <b...@nxlog.org> wrote:

> Hi,
>
> If you have upgraded from the previous release, this could be causing it.
> You may want to downgrade and check with version 2.7.1191
> http://nxlog.org/older-releases/nxlog-ce-2.7.1191.msi
> I'd be interested to see what's breaking it.
>
> Regards,
> Botond
>
>
> On Mon, 4 Aug 2014 07:49:33 -0400
> Josh Vigil <jvigil6...@gmail.com> wrote:
>
> > I am currently using the latest 2.8.1248 version. It was strange that I had
> > it working at one point then all of the sudden it stopped.
> >
> > Thanks
> > Josh
> >
> >
> > On Mon, Aug 4, 2014 at 4:46 AM, Botond Botyanszki <b...@nxlog.org> wrote:
> >
> > > Hi Josh,
> > >
> > > On Fri, 1 Aug 2014 14:14:05 -0400
> > > Josh Vigil <jvigil6...@gmail.com> wrote:
> > >
> > > > however at one time it was correctly being identified as snare and was
> > > > parsed. Nothing has changed in the config or the endpoint.
> > >
> > > Have you upgraded to the latest release? The enhanced snare formatter is
> > > supposed to work better with various SIEMs, at least QRadar and LogLogic
> > > have been tested, though it is possible that this is causing an issue
> > > with ArcSight.
> > >
> > > Regards,
> > > Botond
> > >
> > >
> > >
> > >
> ------------------------------------------------------------------------------
> > > Infragistics Professional
> > > Build stunning WinForms apps today!
> > > Reboot your WinForms applications with our WinForms controls.
> > > Build a bridge from your legacy apps to the future.
> > >
> > >
> http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
> > > _______________________________________________
> > > nxlog-ce-users mailing list
> > > nxlog-ce-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
> > >
>
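An added example, written for this thread and not code from anyone posting in it or from the nxlog project: a small Python check for what the om_tcp output above actually puts on the wire. It classifies each received line as a Snare record (body starting with the tab-delimited MSWinEventLog tag) or as plain syslog, which is the distinction ArcSight is making when it falls back to the generic parser. The sample lines are constructed, the listener port 5514 is an arbitrary choice, and the column names assume the Snare agent's MSWinEventLog field order; compare against a real capture from the agent before relying on the names beyond event_id.

```python
"""Classify syslog lines as Snare (MSWinEventLog) records or plain syslog.

Added example for the nxlog/ArcSight thread; not nxlog's or ArcSight's code.
Assumption: the Snare agent's MSWinEventLog tab-delimited column order
(tag, criticality, log name, counter, time, event ID, ...)."""
import re
import socketserver
from dataclasses import dataclass, field

# BSD syslog header as nxlog's xm_syslog emits it: <PRI>Mmm dd HH:MM:SS host msg
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)\Z",
    re.S,
)

# Column names of a Snare MSWinEventLog record (Snare agent convention; assumed
# to match what to_syslog_snare() produces for at least the leading columns).
SNARE_FIELDS = (
    "tag", "criticality", "log_name", "counter", "event_time", "event_id",
    "source_name", "user", "sid_type", "event_type", "computer", "category",
    "data", "expanded", "checksum",
)

@dataclass
class Verdict:
    kind: str                      # "snare", "snare-malformed", "syslog" or "raw"
    host: str = ""
    severity: int = -1             # PRI modulo 8, per RFC 3164
    event_id: str = ""
    fields: dict = field(default_factory=dict)

def classify(line: str) -> Verdict:
    """Return what a syslog receiver would make of one line."""
    line = line.rstrip("\r\n")
    m = BSD_HEADER.match(line)
    if not m:
        return Verdict("raw")                       # no <PRI>timestamp host header
    host, msg = m.group("host"), m.group("msg")
    severity = int(m.group("pri")) % 8
    if not msg.startswith("MSWinEventLog"):
        return Verdict("syslog", host, severity)    # parsed as generic syslog
    parts = msg.split("\t")
    # Snare records are tab-delimited; a body carrying the MSWinEventLog tag but
    # joined with spaces is what a SIEM would still treat as generic syslog.
    if len(parts) < 6:
        return Verdict("snare-malformed", host, severity)
    fields = dict(zip(SNARE_FIELDS, parts))
    return Verdict("snare", host, severity, fields["event_id"], fields)

# Constructed sample lines (not captured from the poster's environment).
SAMPLES = {
    "snare": "<13>Aug  4 07:54:00 WIN-HOST MSWinEventLog\t1\tSecurity\t42\t"
             "Mon Aug 04 07:54:00 2014\t4624\tMicrosoft-Windows-Security-Auditing\t"
             "N/A\tN/A\tSuccess Audit\tWIN-HOST\tLogon\t\tAn account was successfully logged on.\t0",
    "generic": "<13>Aug  4 07:54:00 WIN-HOST 4624 An account was successfully logged on.",
    "malformed": "<13>Aug  4 07:54:00 WIN-HOST MSWinEventLog 1 Security 42 Mon Aug 04 07:54:00 2014 4624",
}

class SnareCheckHandler(socketserver.StreamRequestHandler):
    """Print one verdict per line received from an om_tcp output."""
    def handle(self):
        for raw in self.rfile:
            v = classify(raw.decode("utf-8", "replace"))
            print(f"{self.client_address[0]} {v.kind:16} host={v.host} event_id={v.event_id}")

def serve(port: int = 5514) -> None:
    """Listen for agent traffic; point the om_tcp Host/Port at this machine."""
    with socketserver.TCPServer(("0.0.0.0", port), SnareCheckHandler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:10} -> {classify(line).kind}")
```

Running the file prints the verdict for the three constructed samples; calling serve() and temporarily pointing the agent's om_tcp Host and Port at that machine shows whether the lines leaving the 2.8 release still carry the tab-delimited MSWinEventLog body, which is the first thing to confirm before suspecting the ArcSight side.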