Hi Botond,

the messages have been captured on our SIEM system AlienVault with tcpdump into a pcap file. Then the message has been extracted with Wireshark. I'm going to write it to a file as you suggested and will compare the output.
Kind regards
Simon

-----Original Message-----
From: Botond Botyanszki [mailto:b...@nxlog.org]
Sent: Tuesday, 9 September 2014 22:18
To: nxlog-ce-users@lists.sourceforge.net
Subject: Re: [nxlog-ce-users] nxlog to_syslog_snare() suppress USER.INFO: Sep 8 11:58:15

Hi,

The to_syslog_snare() procedure does not generate output such as what you pasted. It should start with the <xx> header. I suggest verifying the payload in the UDP datagram; you can also write to a file with om_file and check the contents. The output you pasted is most likely rewritten by the receiver.

Regards,
Botond

On Tue, 9 Sep 2014 08:44:33 +0200 <simon.hae...@t-systems.com> wrote:
> Hi Botond,
> we thought the extra header would come from to_syslog_snare() as it's a
> function exported by xm_syslog.
> As far as I understood the reference manual, xm_syslog contains the extra
> fields SyslogSeverity / Facility and Event Time.
>
> Before the conversion to syslog_snare we could not find this extra header
> info in the raw message.
>
> We are using nxlog-ce-2.8.1248.msi on a Win2008R2 with English language.
> We used the sample config out of the manual:
>
> <Extension syslog>
>     Module xm_syslog
> </Extension>
> <Input in>
>     Module im_msvistalog
> </Input>
> <Output out>
>     Module om_udp
>     Host 192.168.1.1
>     Port 514
>     Exec to_syslog_snare();
> </Output>
> <Route 1>
>     Path in => out
> </Route>
>
> regards
> Simon

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
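Botond's advice in the thread is to check the raw UDP payload (or a file written by om_file) rather than the receiver's rendering. The Python below is an added example, not code from the thread or from NXLog: it classifies a captured payload as carrying the RFC 3164 <PRI> header, carrying a receiver-style FACILITY.SEVERITY: label, or neither, decodes the priority, and compares two payloads to see whether they differ only in how the priority is written. The sample lines are constructed; the Snare fields after the hostname are approximate and not taken from the thread. One useful observation: USER.INFO is facility 1, severity 6, i.e. PRI 14, so a receiver displaying "USER.INFO:" has decoded a <14> header, which fits the explanation that the header was present on the wire and rewritten on the receiving side.

```python
"""Check whether a captured syslog payload still carries the RFC 3164 <PRI>
header that to_syslog_snare() prepends, or whether it has been rewritten
into a "FACILITY.SEVERITY:" label by the receiver.  Added example; the
sample payloads are constructed and the Snare field layout is approximate."""
import re

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Receiver-style label such as "USER.INFO: " in front of the timestamp.
LABEL_RE = re.compile(rb"^([A-Za-z0-9]+)\.([A-Za-z]+):\s")


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity) names; PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri: the PRI that a 'facility.severity' label implies."""
    return FACILITIES.index(facility.lower()) * 8 + SEVERITIES.index(severity.lower())


def classify_payload(payload: bytes) -> dict:
    """Classify one raw payload (a UDP datagram body or one line from om_file)."""
    m = PRI_RE.match(payload)
    if m:
        pri = int(m.group(1))
        facility, severity = decode_pri(pri)
        return {"form": "pri-header", "pri": pri, "facility": facility,
                "severity": severity, "rest": payload[m.end():]}
    m = LABEL_RE.match(payload)
    if m:
        facility = m.group(1).decode("ascii", "replace").lower()
        severity = m.group(2).decode("ascii", "replace").lower()
        try:
            pri = encode_pri(facility, severity)
        except ValueError:  # label that is not a syslog facility/severity pair
            pri = None
        return {"form": "receiver-label", "pri": pri, "facility": facility,
                "severity": severity, "rest": payload[m.end():]}
    return {"form": "unknown", "pri": None, "facility": None, "severity": None,
            "rest": payload}


def same_event_different_header(a: bytes, b: bytes) -> bool:
    """True when two payloads agree on priority and body and differ only in
    whether the priority is written as <PRI> or as FACILITY.SEVERITY:."""
    ca, cb = classify_payload(a), classify_payload(b)
    return ca["form"] != cb["form"] and ca["pri"] == cb["pri"] and ca["rest"] == cb["rest"]


# Constructed samples (not from the thread's capture).  Only the leading header
# matters for this check; the Snare fields after the hostname are illustrative.
SNARE_BODY = (b"WIN2008R2 MSWinEventLog\t1\tSecurity\t42\tMon Sep 08 11:58:15 2014\t4624"
              b"\tMicrosoft-Windows-Security-Auditing\tN/A\tSuccess Audit\tWIN2008R2"
              b"\tLogon\t\tAn account was successfully logged on.\t42")
SENT_BY_NXLOG = b"<14>Sep  8 11:58:15 " + SNARE_BODY          # what om_udp / om_file emits
SEEN_ON_RECEIVER = b"USER.INFO: Sep  8 11:58:15 " + SNARE_BODY  # receiver's rendering

if __name__ == "__main__":
    for label, payload in (("nxlog output", SENT_BY_NXLOG), ("receiver view", SEEN_ON_RECEIVER)):
        c = classify_payload(payload)
        print(f"{label:14s} form={c['form']:14s} pri={c['pri']} "
              f"{c['facility']}.{c['severity']}")
    print("differ only in header form:",
          same_event_different_header(SENT_BY_NXLOG, SEEN_ON_RECEIVER))
```

To use it on real data, feed each line of the om_file output (or each UDP payload extracted from the pcap with Wireshark) to classify_payload(); if the file lines come back as "pri-header" while the SIEM shows "USER.INFO:", the header is being rewritten after delivery, not suppressed by nxlog.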