Hi Simon,

The "USER.INFO:" header is coming from somewhere else; the
to_syslog_snare() procedure does not add this.
Without knowing your setup and config it is not possible to guess where
this extra header gets injected.

Regards,
Botond

On Mon, 8 Sep 2014 13:01:45 +0200
<simon.hae...@t-systems.com> wrote:

> Hi guys,
> I'm currently testing nxlog compatibility with HP ArcSight and the 
> to_syslog_snare() output.
> The only problem I still have is that the output additionally contains syslog 
> header info "USER.INFO: Sep  8 11:58:15".
> Is there any possibility to suppress this additional information?
> 
> Nxlog Message with to_syslog_snare():
> nxlog:
> 3       0.002294        192.168.0.65    192.168.0.184   Syslog  553     
> USER.INFO: Sep  8 11:58:15 Mikel-DELL MSWinEventLog\t1\tSecurity\t11\tMon Sep 
>  8 11:58:15 
> 2014\t4719\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess 
> Audit\tMikel-DELL\tAudit Policy Change\t\tSystem audit policy was changed.    
> Subject:   Security ID:  S-1-5-18   Account Name:  MIKEL-DELL$   Account 
> Domain:  WORKGROUP   Logon ID:  0x3e7    Audit Policy Change:   Category:  
> Account Logon   Subcategory:  Other Account Logon Events   Subcategory GUID: 
> {0CCE9241-69AE-11D9-BED3-505054503030}   Changes:  Success Added\t585529
> 
> Compared with the same message parsed by snare which is detected correctly by 
> our SIEM:
> Snare:
> 3       0.002904        192.168.0.65    192.168.0.184   Syslog  550     
> MIKEL-DELL\tMSWinEventLog\t3\tSecurity\t63\tMo Sep 08 10:13:47 
> 2014\t4719\tMicrosoft-Windows-Security-Auditing\tWORKGROUP\MIKEL-DELL$\tN/A\tSuccess
>  Audit\tMikel-DELL\tAudit Policy Change\t\tSystem audit policy was changed.   
>  Subject:   Security ID:  S-1-5-18   Account Name:  MIKEL-DELL$   Account 
> Domain:  WORKGROUP   Logon ID:  0x3e7    Audit Policy Change:   Category:  
> Account Logon   Subcategory:  Other Account Logon Events   Subcategory GUID: 
> {0CCE9241-69AE-11D9-BED3-505054503030}   Changes:  Success removed\t55 \n
> 
> 
> Kind regards
> Simon
> 
> 
> 
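As an added example (not code from the thread, from nxlog or from Snare), the following Python normaliser accepts both record shapes shown above: the plain Snare line that starts "HOST\tMSWinEventLog\t..." and the nxlog line whose first tab-field carries the extra "USER.INFO: Sep  8 11:58:15 Mikel-DELL" prefix. The field names and the two sample lines are constructed here from the captures in the thread (message text shortened); the 16-field layout is assumed from those captures.

```python
from typing import Dict, Optional

# Field names of a Snare-for-Windows MSWinEventLog record, in tab order,
# as assumed from the 16 tab-separated fields in the Snare capture above.
SNARE_FIELDS = [
    "hostname", "tag", "criticality", "log_name", "counter", "datetime",
    "event_id", "source_name", "user", "sid_type", "event_type",
    "computer", "category", "data", "message", "checksum",
]

# Constructed samples modelled on the two captures in the thread.
NXLOG_LINE = ("USER.INFO: Sep  8 11:58:15 Mikel-DELL MSWinEventLog\t1\tSecurity\t11\t"
              "Mon Sep  8 11:58:15 2014\t4719\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\t"
              "Success Audit\tMikel-DELL\tAudit Policy Change\t\tSystem audit policy was changed.\t585529")
SNARE_LINE = ("MIKEL-DELL\tMSWinEventLog\t3\tSecurity\t63\tMo Sep 08 10:13:47 2014\t4719\t"
              "Microsoft-Windows-Security-Auditing\tWORKGROUP\\MIKEL-DELL$\tN/A\tSuccess Audit\t"
              "Mikel-DELL\tAudit Policy Change\t\tSystem audit policy was changed.\t55 ")


def parse_snare(line: str) -> Dict[str, Optional[str]]:
    """Parse a Snare record with or without a leading syslog-style header.

    In the nxlog variant the first tab-field is "PRIORITY-LABEL TIMESTAMP HOST MSWinEventLog":
    the host and tag are space-separated and everything before them is the extra header.
    That header is split off and returned under 'syslog_header' (None for plain Snare).
    """
    fields = line.rstrip("\r\n").split("\t")
    header = None
    head = fields[0]
    if head.endswith(" MSWinEventLog"):
        parts = head.rsplit(" ", 2)                 # [..., host, "MSWinEventLog"]
        header = " ".join(parts[:-2])               # e.g. "USER.INFO: Sep  8 11:58:15"
        fields = parts[-2:] + fields[1:]
    if len(fields) != len(SNARE_FIELDS) or fields[1] != "MSWinEventLog":
        raise ValueError(f"not a Snare MSWinEventLog record ({len(fields)} fields)")
    record: Dict[str, Optional[str]] = dict(zip(SNARE_FIELDS, (f.strip() for f in fields)))
    record["syslog_header"] = header
    return record


def normalize_snare(line: str) -> str:
    """Re-emit the record in plain Snare form so both sources look alike to a SIEM."""
    rec = parse_snare(line)
    return "\t".join(rec[name] or "" for name in SNARE_FIELDS)


if __name__ == "__main__":
    for sample in (NXLOG_LINE, SNARE_LINE):
        rec = parse_snare(sample)
        print(rec["syslog_header"], rec["hostname"], rec["event_id"], rec["user"])
```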

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
