Hi Josh,

The first date is the syslog header. As per RFC3164 it should have a
single digit date:
 "If the day of the month is less
 than 10, then it MUST be represented as a space and then the
 number.  For example, the 7th day of August would be
 represented as "Aug  7", with two spaces between the "g" and
 the "7"."

Probably many syslog implementations are able to parse it with double
digits, but to avoid breaking standards compliance you should only be replacing
the second one, i.e. the value in the Snare timestamp field.

Regards,
Botond

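As an added illustration of the point above (example code, not from the thread or from NXLog), the Python below runs the posted double-replace workaround and a selective fix over a constructed Snare-over-syslog event and checks the syslog header against the RFC 3164 space-padded day rule; the Snare field layout in the sample is assumed.

```python
import re

# Constructed sample in the shape the thread describes: RFC 3164 header
# ("Mar  2") followed by a tab-separated Snare record whose DateTime field
# ("Mon Mar  2 11:13:34 2015") also carries the space-padded day. The fields
# after the header are an assumption for this example.
RAW_EVENT = (
    "<13>Mar  2 11:13:34 WIN-HOST MSWinEventLog\t1\tSecurity\t42\t"
    "Mon Mar  2 11:13:34 2015\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWIN-HOST\tLogon\tAn account was logged on."
)

# RFC 3164 header: "Mmm dd hh:mm:ss" where a day below 10 is a space plus one
# digit; a leading zero ("02") is rejected as non-compliant.
RFC3164_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} (?: [1-9]|[12]\d|3[01]) \d\d:\d\d:\d\d "
)

# The Snare DateTime has a weekday and a year, which the syslog header never
# has, so anchoring on them rewrites only the Snare field.
SNARE_SINGLE_DIGIT_DAY = re.compile(
    r"\b(Mon|Tue|Wed|Thu|Fri|Sat|Sun) ([A-Z][a-z]{2})  (\d) (\d\d:\d\d:\d\d \d{4})"
)


def fix_snare_timestamp(raw_event: str) -> str:
    """Zero-pad the day inside the Snare DateTime field only."""
    return SNARE_SINGLE_DIGIT_DAY.sub(r"\1 \2 0\3 \4", raw_event)


def posted_workaround(raw_event: str) -> str:
    """The thread's workaround: replace the first double space, twice.

    The first pass hits the syslog header, the second the Snare field."""
    for _ in range(2):
        raw_event = raw_event.replace("  ", " 0", 1)
    return raw_event


def header_is_rfc3164(raw_event: str) -> bool:
    """True when the syslog header still uses the space-padded day."""
    return RFC3164_HEADER.match(raw_event) is not None


if __name__ == "__main__":
    for label, func in (("posted", posted_workaround), ("selective", fix_snare_timestamp)):
        out = func(RAW_EVENT)
        print(f"{label:9s} header RFC3164: {header_is_rfc3164(out)}  {out[:30]!r}")
```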
On Fri, 6 Mar 2015 13:22:01 -0500
Josh Vigil <jvigil6...@gmail.com> wrote:

> Hi Botond,
> Thanks for the support and glad to hear it will be fixed in the next
> release. I don't think a hotfix is necessary at this time. After working
> with a co-worker, we have found a work around solution that seems to
> resolve the issue for now. Basically we added the syntax below to the
> output section which replaces the double space with the 0.
> 
> <Output out>
>     Module      om_tcp
>     Host        XX.XX.XX.XX
>     Port        514
>     Exec to_syslog_snare();\
>     $raw_event = replace ($raw_event, '  ', ' 0', 1);\
>     $raw_event = replace ($raw_event, '  ', ' 0', 1);
> </Output>
> 
> The two raw event entries are used since the date format appears twice in
> the raw logs. Hopefully this helps others who may be having the same issue.
> 
> Thanks
> Josh
> 
> On Thu, Mar 5, 2015 at 10:16 AM, Botond Botyanszki <b...@nxlog.org> wrote:
> 
> > Hi Josh,
> >
> > I don't have a regexp at hand for this.
> > The issue will be fixed in the next release. If you'd like, we can
> > provide a hotfix under a commercial support contract.
> >
> > Regards,
> > Botond
> >
> > On Wed, 4 Mar 2015 15:35:22 -0500
> > Josh Vigil <jvigil6...@gmail.com> wrote:
> >
> > > Thanks Botond for the verification. Would you happen to have the correct
> > > syntax and location to add to the config to do this?
> > >
> > > Thanks
> > >
> > > On Wed, Mar 4, 2015 at 2:50 PM, Botond Botyanszki <b...@nxlog.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > Looks like you are correct, the Snare TimeStamp format uses a double
> > > > digit date.
> > > > A quick workaround could use a regexp to replace the space with a 0.
> > > >
> > > > Regards,
> > > > Botond
> > > >
> > > > On Wed, 4 Mar 2015 08:48:38 -0500
> > > > Josh Vigil <jvigil6...@gmail.com> wrote:
> > > >
> > > > > Hello all,
> > > > > I am currently having an issue in ArcSight with the way nxlog is sending
> > > > > the date in snare formatted logs. The format that is being sent is
> > > > > "Mon Mar  2 11:13:34 2015" when the expected format should be
> > > > > "Mon Mar 02 11:13:34 2015". The format that is being sent is replacing
> > > > > the "0" on a single digit day with a space, causing a double space. Since
> > > > > the parser is expecting two digit days this is causing an issue with log
> > > > > parsing between the 1-9 of each month. Not sure if there is anything wrong
> > > > > with my config or not. If anyone else is having or has had this issue
> > > > > please let me know if a fix is available.
> > > > >
> > > > > Below is a sample of my config for the latest agent nxlog-ce.2.8.1248.
> > > > >
> > > > >
> > > > > <Extension syslog>
> > > > > Module xm_syslog
> > > > > </Extension>
> > > > >
> > > > > <Input eventlog>
> > > > >     Module      im_msvistalog
> > > > >     ReadFromLast True
> > > > >     Query <QueryList>\
> > > > >   <Query Id="0" Path="Security">\
> > > > >     <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]</Select>\
> > > > >     </Query>\
> > > > > </QueryList>
> > > > > </Input>
> > > > >
> > > > > <Output out>
> > > > >     Module      om_tcp
> > > > >     Host        XX.XX.XX.XX
> > > > >     Port        514
> > > > >     Exec to_syslog_snare();
> > > > > </Output>
> > > > >
> > > > > <Route 1>
> > > > >     Path        eventlog => out
> > > > > </Route>
> > > > >
> > > > >
> > > > > Thanks.
> > > >

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
