Hi,

Looks like you are correct, the Snare TimeStamp format uses a double digit date. A quick workaround could use a regexp to replace the space with a 0.

Regards,
Botond

On Wed, 4 Mar 2015 08:48:38 -0500 Josh Vigil <jvigil6...@gmail.com> wrote:
> Hello all,
> I am currently having an issue in ArcSight with the way nxlog is sending
> the date in snare formatted logs. The format that is being sent is "Mon Mar
> 2 11:13:34 2015" when the expected format should be "Mon Mar 02 11:13:34
> 2015". The format that is being sent is replacing the "0" on a single digit
> day with a space, causing a double space. Since the parser is expecting two
> digit days, this is causing an issue with log parsing between the 1-9 of each
> month. Not sure if there is anything wrong with my config or not. If anyone
> else is having or has had this issue, please let me know if a fix is
> available.
>
> Below is a sample of my config for the latest agent nxlog-ce.2.8.1248.
>
>
> <Extension syslog>
>     Module xm_syslog
> </Extension>
>
> <Input eventlog>
>     Module im_msvistalog
>     ReadFromLast True
>     Query <QueryList>\
>         <Query Id="0" Path="Security">\
>             <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]</Select>\
>         </Query>\
>     </QueryList>
> </Input>
>
> <Output out>
>     Module om_tcp
>     Host XX.XX.XX.XX
>     Port 514
>     Exec to_syslog_snare();
> </Output>
>
> <Route 1>
>     Path eventlog => out
> </Route>
>
>
> Thanks.

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
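To make the suggested workaround concrete, here is an added example (not from this thread and not nxlog's own code) that applies the regexp fix to a Snare-formatted line and checks the result against a parser that, like the ArcSight side described above, insists on a two-digit day. The sample log line, the hostname, and the event details in it are constructed for the example. The substitution is anchored to the tab-delimited Snare event timestamp field so that it leaves the RFC 3164 syslog header untouched, where a space-padded day ("Mar  2") is the correct encoding.

```python
import re
from typing import Optional
from datetime import datetime

# Constructed sample of a Snare-format line in the shape nxlog's to_syslog_snare()
# emits: an RFC 3164 header, then tab-separated Snare fields. Values are made up.
SAMPLE_LINE_SINGLE_DIGIT_DAY = (
    "<13>Mar  2 11:13:34 WINHOST MSWinEventLog\t1\tSecurity\t42\t"
    "Mon Mar  2 11:13:34 2015\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Success\tWINHOST\tLogon\t\tAn account was successfully logged on.\t1"
)

# Same shape, but for a day that already has two digits; it must pass through unchanged.
SAMPLE_LINE_TWO_DIGIT_DAY = SAMPLE_LINE_SINGLE_DIGIT_DAY.replace(
    "Mar  2 11:13:34 2015", "Mar 11 11:13:34 2015"
).replace("Mon ", "Wed ")

# Matches the Snare event timestamp field "Mon Mar  2 11:13:34 2015": weekday, month,
# two spaces, a single day digit, then time and year. Requiring a tab on both sides
# keeps the substitution away from the syslog header, whose padded day is correct.
SNARE_TS_RE = re.compile(
    r"\t([A-Z][a-z]{2} [A-Z][a-z]{2}) {2}(\d) (\d{2}:\d{2}:\d{2} \d{4})\t"
)


def zero_pad_snare_day(line: str) -> str:
    """Rewrite 'Mon Mar  2 11:13:34 2015' as 'Mon Mar 02 11:13:34 2015' in the Snare field.

    Lines whose event timestamp already has a two-digit day are returned unchanged.
    """
    return SNARE_TS_RE.sub(
        lambda m: f"\t{m.group(1)} 0{m.group(2)} {m.group(3)}\t", line
    )


# A strict parser for the Snare event timestamp: exactly two day digits, as the
# receiving side in the thread expects. Used here to show the before/after effect.
STRICT_TS_RE = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}$"
)


def parse_snare_event_time(line: str) -> Optional[datetime]:
    """Return the Snare event time (field 5 of the tab-separated body) or None
    when the field does not use a two-digit day."""
    fields = line.split("\t")
    if len(fields) < 5:
        return None
    ts = fields[4]
    if not STRICT_TS_RE.match(ts):
        return None
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")


if __name__ == "__main__":
    for raw in (SAMPLE_LINE_SINGLE_DIGIT_DAY, SAMPLE_LINE_TWO_DIGIT_DAY):
        fixed = zero_pad_snare_day(raw)
        print("before:", parse_snare_event_time(raw))
        print("after: ", parse_snare_event_time(fixed))
```

In nxlog itself the equivalent would be a regexp substitution on $raw_event placed after to_syslog_snare() in the same Exec block; that config is not shown in the thread, so the exact expression is left to the reader to verify against the nxlog manual for their version.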