Hi guys,
I'm currently testing nxlog compatibility with HP ArcSight and the
to_syslog_snare() output.
The only problem I still have is that the output additionally contains syslog
header info "USER.INFO: Sep 8 11:58:15".
Is there any possibility to suppress this additional information?
Nxlog Message with to_syslog_snare():
nxlog:
3 0.002294 192.168.0.65 192.168.0.184 Syslog 553
USER.INFO: Sep 8 11:58:15 Mikel-DELL MSWinEventLog\t1\tSecurity\t11\tMon Sep
8 11:58:15 2014\t4719\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess
Audit\tMikel-DELL\tAudit Policy Change\t\tSystem audit policy was changed.
Subject: Security ID: S-1-5-18 Account Name: MIKEL-DELL$ Account
Domain: WORKGROUP Logon ID: 0x3e7 Audit Policy Change: Category:
Account Logon Subcategory: Other Account Logon Events Subcategory GUID:
{0CCE9241-69AE-11D9-BED3-505054503030} Changes: Success Added\t585529
Compared with the same message parsed by snare which is detected correctly by
our SIEM:
Snare:
3 0.002904 192.168.0.65 192.168.0.184 Syslog 550
MIKEL-DELL\tMSWinEventLog\t3\tSecurity\t63\tMo Sep 08 10:13:47
2014\t4719\tMicrosoft-Windows-Security-Auditing\tWORKGROUP\MIKEL-DELL$\tN/A\tSuccess
Audit\tMikel-DELL\tAudit Policy Change\t\tSystem audit policy was changed.
Subject: Security ID: S-1-5-18 Account Name: MIKEL-DELL$ Account
Domain: WORKGROUP Logon ID: 0x3e7 Audit Policy Change: Category:
Account Logon Subcategory: Other Account Logon Events Subcategory GUID:
{0CCE9241-69AE-11D9-BED3-505054503030} Changes: Success removed\t55 \n
Kind regards
Simon
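Added example, not part of Simon's post or of the nxlog project: a small Python normaliser that accepts both shapes shown in the two captures above. It strips the leading syslog header (the decoded priority such as "USER.INFO:", the BSD timestamp and the syslog hostname) from the nxlog variant and re-joins the hostname to the Snare payload with a tab, so that the nxlog line and the native Snare line split into the same tab-separated fields. The sample lines are constructed from the captures (descriptions shortened), and the field names are an assumption based on the usual Snare MSWinEventLog layout; the header regex only claims to match the prefix visible in the post.

```python
import re

# Constructed samples modelled on the two captures in the post. The nxlog one
# carries the syslog header; the Snare one starts directly with the hostname.
NXLOG_LINE = (
    "USER.INFO: Sep 8 11:58:15 Mikel-DELL MSWinEventLog\t1\tSecurity\t11\t"
    "Mon Sep 08 11:58:15 2014\t4719\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\t"
    "Success Audit\tMikel-DELL\tAudit Policy Change\t\t"
    "System audit policy was changed. Subject: Security ID: S-1-5-18\t585529"
)
SNARE_LINE = (
    "MIKEL-DELL\tMSWinEventLog\t3\tSecurity\t63\tMon Sep 08 10:13:47 2014\t4719\t"
    "Microsoft-Windows-Security-Auditing\tWORKGROUP\\MIKEL-DELL$\tN/A\t"
    "Success Audit\tMikel-DELL\tAudit Policy Change\t\t"
    "System audit policy was changed. Subject: Security ID: S-1-5-18\t55 \n"
)

# Optional decoded priority ("USER.INFO: "), BSD timestamp ("Sep  8 11:58:15 "),
# syslog hostname, one space, then the Snare payload starting at MSWinEventLog.
SYSLOG_HEADER = re.compile(
    r"^(?:[A-Z0-9]+\.[A-Z0-9]+:\s+)?"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s"
    r"(?P<host>\S+)\s"
    r"(?P<msg>MSWinEventLog\t.*)$",
    re.DOTALL,
)

# Assumed field names for the 16 tab-separated Snare fields seen in both captures.
SNARE_FIELDS = [
    "hostname", "tag", "criticality", "source_log", "counter", "datetime",
    "event_id", "source_name", "user", "sid_type", "event_log_type",
    "computer", "category", "data", "description", "checksum",
]


def normalize_snare(line: str) -> str:
    """Return a line in native Snare shape: hostname<TAB>MSWinEventLog<TAB>..."""
    line = line.rstrip()  # drop trailing newline / the stray space after the checksum
    m = SYSLOG_HEADER.match(line)
    if m:
        # Re-attach the syslog hostname as the first Snare field.
        return m.group("host") + "\t" + m.group("msg")
    return line


def parse_snare(line: str) -> dict:
    """Split a (possibly syslog-prefixed) Snare line into named fields."""
    parts = normalize_snare(line).split("\t")
    if len(parts) != len(SNARE_FIELDS) or parts[1] != "MSWinEventLog":
        raise ValueError(f"not a Snare MSWinEventLog record ({len(parts)} fields)")
    return dict(zip(SNARE_FIELDS, parts))


if __name__ == "__main__":
    for raw in (NXLOG_LINE, SNARE_LINE):
        ev = parse_snare(raw)
        print(ev["hostname"], ev["event_id"], ev["category"], ev["user"])
```

Running the block prints the same event ID (4719) and category for both inputs, which is the point: once the syslog header is removed, a SIEM parser written for native Snare output sees identical field positions.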
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users