On 8/11/2014 5:58 AM, fra...@hush.com wrote:
> I can get the full parameter set in XML format. Unfortunately I've 
> found no useful hint in the nxlog documentation on how to extract 
> data fields like
>
> - TargetFilename
> - Image
> - CommandLine
> - ParentCommandLine
>
> $raw_event and $Message do not contain this data.

We handle this by transmitting in Binary and storing in JSON format, though XML would work as well.  The output file is monitored by SEC, which uses a PerlFunc to flatten the JSON structure into a hash:

type=Single
ptype=PerlFunc
pattern=sub { \
  chomp($_[0]); my($ptr) = JSON::decode_json($_[0]);  \
  %WINDOWS = (); flatten($ptr, \%WINDOWS, "");  \
  $WINDOWS{SourceName} =~ s/^Microsoft-Windows-//; \
  return \%WINDOWS; }
varmap=WINDOWS
desc=Parse JSON Windows Event
continue=TakeNext
action=none

The referenced flatten routine was pulled from an example posted on the SEC mailing list by the SEC author, included below.

use JSON;

sub flatten {
    my $ref = $_[0]; 
    my $ret = $_[1]; 
    my $prefix = $_[2]; 

    if (ref($ref) eq "HASH") { 
        for my $key (keys %{$ref}) { 
            if (ref($ref->{$key}) eq "") { 
                $ret->{$prefix . $key} = $ref->{$key}; 
            }
            elsif (ref($ref->{$key}) eq "HASH") { 
                flatten($ref->{$key}, $ret, $prefix . $key . "!"); 
            }
            elsif (ref($ref->{$key}) eq "ARRAY") { 
                flatten($ref->{$key}, $ret, $prefix . $key . "!"); 
            }
            else { 
                $ret->{$prefix . $key} = ${$ref->{$key}}; 
            } 
        } 
    }
    elsif (ref($ref) eq "ARRAY") { 
        for (my $i = 0; $i < scalar(@{$ref}); ++$i) { 
            if (ref($ref->[$i]) eq "") { 
                $ret->{$prefix . $i} = $ref->[$i]; 
            }
            elsif (ref($ref->[$i]) eq "HASH") { 
                flatten($ref->[$i], $ret, $prefix . $i . "!"); 
            }
            elsif (ref($ref->[$i]) eq "ARRAY") { 
                flatten($ref->[$i], $ret, $prefix . $i . "!"); 
            }
            else { 
                $ret->{$prefix . $i} = ${$ref->[$i]}; 
            } 
        } 
    } 
} 

After this machinery is in place, the various rulesets that follow the initial rule can reference the %WINDOWS hash in their own PerlFunc rules.  For example:

type=Suppress
ptype=PerlFunc
pattern=sub { $WINDOWS{SourceName} =~ /^(?:DCOM|WinMgmt)$/i and \
  $WINDOWS{EventType} =~ /^(?:WARNING|ERROR)$/i };

I realize this is just a limited set of examples, but it provides a taste of what is possible.  I would never want to go back to parsing text formatted events.

Regards,
Mark
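
As an added, self-contained illustration (my own script, not Mark's SEC configuration or anything from the nxlog project), the following Perl feeds one constructed nxlog-style JSON line through the same flattening and then a rule-style predicate on the fields the original question asked about. The event field names, values and the match condition are assumptions, not documented nxlog output.

```perl
#!/usr/bin/perl
# Added example: flatten one constructed nxlog JSON event the way the SEC
# rule above does, then evaluate a PerlFunc-style predicate on the fields
# the original question asked about. Field names and values are made up.
use strict;
use warnings;
use JSON;

# Same key layout as the list's flatten(): nested hashes and arrays become
# "!"-joined key paths so every value lands in one flat hash.
sub flatten {
    my ($ref, $ret, $prefix) = @_;
    my @keys = ref($ref) eq 'HASH'  ? (keys %{$ref})
             : ref($ref) eq 'ARRAY' ? (0 .. $#{$ref}) : ();
    for my $key (@keys) {
        my $val = ref($ref) eq 'HASH' ? $ref->{$key} : $ref->[$key];
        if (ref($val) eq 'HASH' || ref($val) eq 'ARRAY') {
            flatten($val, $ret, $prefix . $key . '!');
        }
        else {
            # plain scalar, or a scalar ref (JSON booleans) to dereference
            $ret->{$prefix . $key} = ref($val) ? ${$val} : $val;
        }
    }
}

# Constructed sample line, shaped like nxlog JSON output for a Sysmon
# process-creation event (hypothetical; check your own nxlog output).
my $line = '{"EventTime":"2014-08-11 05:58:00","SourceName":"Microsoft-Windows-Sysmon",'
         . '"EventID":1,"EventType":"INFO","Image":"C:\\\\Windows\\\\System32\\\\cmd.exe",'
         . '"CommandLine":"cmd.exe /c whoami","ParentCommandLine":"explorer.exe",'
         . '"Extra":{"Tags":["lab","test"]}}' . "\n";

chomp($line);
my %WINDOWS = ();
flatten(decode_json($line), \%WINDOWS, '');
# Guarded, unlike the rule above, so an event without SourceName does not warn.
$WINDOWS{SourceName} =~ s/^Microsoft-Windows-// if defined $WINDOWS{SourceName};

printf "%-20s = %s\n", $_, $WINDOWS{$_} for sort keys %WINDOWS;
# Nested data shows up as Extra!Tags!0 and Extra!Tags!1; the Sysmon fields
# are addressable directly as $WINDOWS{Image}, $WINDOWS{CommandLine}, ...

# A predicate in the style of the Suppress rule: cmd.exe started from explorer.
my $match = $WINDOWS{SourceName} eq 'Sysmon' && $WINDOWS{EventID} == 1
         && $WINDOWS{Image} =~ /\\cmd\.exe$/i
         && $WINDOWS{ParentCommandLine} =~ /explorer\.exe/i;
print 'rule matched: ', ($match ? 'yes' : 'no'), "\n";
```

Inside a real SEC rule only the body of the pattern sub is needed; the script form is just so the key layout can be inspected before writing rules against it.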

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users