Hi Josh, I don't see anything wrong with your conf. It could be that ArcSight sees something wrong in the snare input and decides to switch back to plain syslog.
Regards,
Botond

On Mon, 4 Aug 2014 10:36:12 -0400
Josh Vigil <jvigil6...@gmail.com> wrote:

> For me it was a brand new installation which I used the most current
> version. For testing, I did use the old version which gave me the same
> results. For some reason the logs are being viewed as generic syslog and
> not the snare formatted syslog so ArcSight cannot parse it. Again, it came
> in at one time as snare syslog but all of a sudden it stopped even though
> my conf file is set up for snare syslog. Does anyone have an example of a
> config that is successfully sending Windows event logs in the snare format?
>
> <Extension syslog>
>     Module xm_syslog
> </Extension>
>
> <Input eventlog>
>     Module im_msvistalog
>     ReadFromLast True
>     Query <QueryList>\
>         <Query Id="0" Path="Security">\
>             <Select Path="Security">*[System[( (EventID >= 4624 and EventID <= 4625) or EventID=4647 or (EventID >= 4720 and EventID <= 4760) or (EventID >= 4778 and EventID <= 4779) or EventID=4781 or (EventID >= 4800 and EventID <= 4803) )]]</Select>\
>             <Select Path="Microsoft-Windows-Dhcp-Client/Operational">*[System[(EventID=50028)]]</Select>\
>             <Select Path="Microsoft-Windows-UnifiedWriteFilter/Operational">*[System[(EventID=1001 or EventID=1002)]]</Select>\
>             <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
>         </Query>\
>     </QueryList>
> </Input>
>
> <Output out>
>     Module om_tcp
>     Host 10.170.1.77
>     Port 514
>     Exec to_syslog_snare();
> </Output>
>
>
> On Mon, Aug 4, 2014 at 7:54 AM, Botond Botyanszki <b...@nxlog.org> wrote:
>
> > Hi,
> >
> > If you have upgraded from the previous release, this could be causing it.
> > You may want to downgrade and check with version 2.7.1191
> > http://nxlog.org/older-releases/nxlog-ce-2.7.1191.msi
> > I'd be interested to see what's breaking it.
> >
> > Regards,
> > Botond
> >
> >
> > On Mon, 4 Aug 2014 07:49:33 -0400
> > Josh Vigil <jvigil6...@gmail.com> wrote:
> >
> > > I am currently using the latest 2.8.1248 version. It was strange that I had
> > > it working at one point then all of a sudden it stopped.
> > >
> > > Thanks
> > > Josh
> > >
> > >
> > > On Mon, Aug 4, 2014 at 4:46 AM, Botond Botyanszki <b...@nxlog.org> wrote:
> > >
> > > > Hi Josh,
> > > >
> > > > On Fri, 1 Aug 2014 14:14:05 -0400
> > > > Josh Vigil <jvigil6...@gmail.com> wrote:
> > > >
> > > > > however at one time it was correctly being identified as snare and was
> > > > > parsed. Nothing has changed in the config or the endpoint.
> > > >
> > > > Have you upgraded to the latest release? The enhanced snare formatter is
> > > > supposed to work better with various SIEMs, at least QRadar and LogLogic
> > > > have been tested, though it is possible that this is causing an issue
> > > > with ArcSight.
> > > >
> > > > Regards,
> > > > Botond
> > > >
> > > > _______________________________________________
> > > > nxlog-ce-users mailing list
> > > > nxlog-ce-users@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
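The practical way to settle the question in this thread (does the agent still emit Snare records, or has the wire format changed between 2.7.1191 and 2.8.1248?) is to look at the bytes NXLog actually sends rather than at the config. Capture them with a packet capture of the traffic to port 514, or add a second output in the same route that uses om_file with the same `Exec to_syslog_snare();`, then run the captured lines through the checker below. It is an added example written for this note, not code from the thread or from NXLog. A Snare-over-syslog record is a BSD syslog header followed by the literal marker `MSWinEventLog` and tab-separated fields; a line without that marker is exactly what a SIEM would treat as generic syslog. The field names are an assumption about the usual Snare field order and should be checked against the to_syslog_snare() description for your release; the sample lines are constructed, not captured from a real agent.

```python
#!/usr/bin/env python3
"""Check whether syslog lines carry the Snare (MSWinEventLog) format.

Added example, not part of the thread or of NXLog. Feed it the lines the
agent actually emits (a packet capture of port 514, or a parallel om_file
output using the same to_syslog_snare() Exec) and it reports which lines a
Snare-aware receiver could parse and which would fall back to plain syslog.
"""
import re
import sys
from typing import Iterable, Optional

# Field order after the MSWinEventLog marker. Assumption: this is the Snare
# field order as commonly documented; verify it against the to_syslog_snare()
# documentation for the NXLog release in use.
SNARE_FIELDS = (
    "Criticality", "EventLog", "SnareCounter", "DateTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString", "Checksum",
)
_MARKER = "MSWinEventLog"

# BSD syslog header: <PRI>Mmm dd hh:mm:ss HOSTNAME <message>
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def parse_snare_line(line: str) -> Optional[dict]:
    """Return the Snare fields of one line, or None if it is not a Snare record."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None                      # not even a BSD syslog header
    parts = m.group("msg").split("\t")
    if parts[0] != _MARKER or len(parts) < len(SNARE_FIELDS) + 1:
        return None                      # plain syslog, or too few tab fields
    body = parts[1:]
    # A message containing tabs spills into extra fields; the trailing
    # checksum/counter is always last, so re-join everything in between.
    rec = dict(zip(SNARE_FIELDS[:12], body[:12]))
    rec["ExpandedString"] = "\t".join(body[12:-1])
    rec["Checksum"] = body[-1]
    rec["pri"] = int(m.group("pri"))
    rec["syslog_host"] = m.group("host")
    return rec


def summarize(lines: Iterable[str]) -> dict:
    """Count Snare vs non-Snare lines and keep the first line that failed."""
    out = {"snare": 0, "other": 0, "first_other": None}
    for line in lines:
        if not line.strip():
            continue
        if parse_snare_line(line) is None:
            out["other"] += 1
            if out["first_other"] is None:
                out["first_other"] = line.rstrip("\r\n")
        else:
            out["snare"] += 1
    return out


# Constructed sample lines (not captured from a real agent).
SAMPLE_SNARE = (
    "<13>Aug  4 10:36:12 WKS01 MSWinEventLog\t1\tSecurity\t1234\t"
    "Mon Aug 04 10:36:10 2014\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWKS01\tLogon\t\t"
    "An account was successfully logged on.\t5"
)
SAMPLE_PLAIN = (
    "<13>Aug  4 10:36:12 WKS01 Microsoft-Windows-Security-Auditing: "
    "4624: An account was successfully logged on."
)
SAMPLE_TRUNCATED = "<13>Aug  4 10:36:12 WKS01 MSWinEventLog\t1\tSecurity\t1234"


if __name__ == "__main__":
    # Usage: python3 snare_check.py < captured_lines.txt
    if sys.stdin.isatty():
        print(summarize([SAMPLE_SNARE, SAMPLE_PLAIN, SAMPLE_TRUNCATED]))
    else:
        print(summarize(sys.stdin))
```

Run it once against output from 2.7.1191 and once against 2.8.1248 and diff the parsed fields of the same event; if the marker, tab count or a field such as DateTime or EventLogType differs between the two, that is the concrete change to raise with the ArcSight connector rather than guessing from the config.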