On Tue, 27 Oct 2009, Martin Mielke wrote:

> Hi,
>
> We recently started to receive logs from a Snare client.
> I applied the configuration changes proposed here:
> http://wiki.rsyslog.com/index.php/Using_Snare_as_a_client_on_Windows

I just got a chance to read this, and I disagree with its recommendation

the #011 is a tab.

snare uses it to separate fields from the windows event log.

if you just replace it with a space you lose the ability to do things 
like look for field 10 because field 8 may contain spaces.

In addition there are two formats of logs that snare can output to syslog

1. the snare format
2. 'syslog' format

the difference seems to be that in snare format it does

Jan  1 01:01:01 mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri

while in syslog format it does

Jan  1 01:01:01 mail.abc.com MSWinEventLog#011Security#0114169#011Fri


the biggest change is the space between the host and MSWinEventLog

there is also sometimes a "1#011" before the field with Security in it in 
this example and sometimes not. I have not figured out the pattern here 
yet (it may be the format difference, my parsing logic just looks for a 
'1' in the first field, and if it finds it, drops that field)

what I do is to set up the following rules to reformat the syslog formatted 
messages to look like

Jan  1 01:01:01 mail.abc.com MSWinEventLog 1#011Security#0114169#011Fri

I can then filter on the program name MSWinEventLog and later parsing 
tools can examine specific fields of the log message

I have not fully figured out the snare formatted message, but the *2 
formats at least prevent lots of garbage from ending up in the host and 
program fields.

$template fixsnareFormat,"%timereported% %HOSTNAME% MSWinEventLog %syslogtag:18:$%%msg:::drop-last-lf%\n"
$template fixsnareForwardFormat,"<%pri%>%timereported% %HOSTNAME% MSWinEventLog %syslogtag:18:$:%%msg:::drop-last-lf%\n"

$template fixsnareFormat2,"%timereported% %fromhost-ip% broken-MSWinEventLog %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template fixsnareForwardFormat2,"<%pri%>%timereported% %fromhost-ip% broken-MSWinEventLog %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

:hostname, contains ,"MSWinEventLog" /var/log/messages;fixsnareFormat2
& @192.168.1.8;fixsnareForwardFormat2
& ~

:syslogtag, startswith, "MSWinEventLog#011" /var/log/messages;fixsnareFormat
& @192.168.1.8;fixsnareForwardFormat
& ~

*.* /var/log/messages;TraditionalFormat
*.*                             @192.168.1.8


I updated the wiki to show this option


> After restarting rsyslog, I get the following error:
> --
> 2009-10-27T06:45:39.067279-04:00 logserger rsyslogd: [origin
> software="rsyslogd" swVersion="4.2.0" x-pid="29021"
> x-info="http://www.rsyslog.com";] (re)start
> 2009-10-27T06:45:39.063213-04:00 logserger rsyslogd-3000: unknown
> priority name "" [try http://www.rsyslog.com/e/3000 ]
> 2009-10-27T06:45:39.063571-04:00 logserger rsyslogd: the last error
> occured in /etc/rsyslog.conf, line 18
> 2009-10-27T06:45:39.064044-04:00 logserger rsyslogd: warning: selector
> line without actions will be discarded
> 2009-10-27T06:45:39.064213-04:00 logserger rsyslogd-2123: CONFIG ERROR:
> could not interpret master config file '/etc/rsyslog.conf'. [try
> http://www.rsyslog.com/e/2123 ]
> --
>
> If I comment out the "%msg:::space-cc%" part it starts up cleanly but I
> assume that the filtering won't work.

the %msg:::space-cc% shouldn't have been listed as a separate line, that 
would replace %msg% in a format string.

David Lang

>
> Suggestions?
>
>
> Thanks,
> Martin
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
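To show why the tab separator has to survive the rsyslog templates, here is an added Python example (not from this thread, rsyslog or Snare) that parses the reformatted line shape David shows, drops the optional leading "1" field, and contrasts tab-based with whitespace-based field extraction. The sample line and every field after the "Fri ..." date are constructed for illustration and do not reproduce Snare's real field layout.

```python
import re

# rsyslog writes a raw tab as the escape sequence "#011", so the Snare field
# separator appears as that literal text in the log file.
TAB = "#011"

# Constructed sample in the reformatted shape from the message above: a space
# between host and program name, then tab-separated Snare fields. Everything
# after the date is made up; it is not Snare's actual field order.
SAMPLE = ("Jan  1 01:01:01 mail.abc.com MSWinEventLog 1#011Security#0114169"
          "#011Fri Jan 01 01:01:00 2010#011528#011Security#011Domain Admins"
          "#011User#011Success Audit#011MAIL#011Logon/Logoff#011Successful Logon")

# Same event without the leading "1" criticality field (David sees both forms).
SAMPLE_NOCRIT = SAMPLE.replace("MSWinEventLog 1#011", "MSWinEventLog ")

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+) (?P<rest>.*)$")


def parse_snare(line):
    """Return (header dict, list of Snare fields) for one reformatted line.

    Fields are split on the escaped tab only, so a field containing spaces
    stays intact. A leading "1" field is dropped so that field numbering is
    the same whether or not Snare emitted it.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    fields = m.group("rest").split(TAB)
    if fields and fields[0] == "1":
        fields = fields[1:]
    header = {"ts": m.group("ts"), "host": m.group("host"), "prog": m.group("prog")}
    return header, fields


def field(line, n):
    """1-based Snare field n, counting tab-separated fields after the program name."""
    return parse_snare(line)[1][n - 1]


def fields_by_space(line):
    """The lossy alternative: the fields you get if tabs had been turned into spaces."""
    m = HEADER_RE.match(line)
    words = m.group("rest").replace(TAB, " ").split()
    return words[1:] if words and words[0] == "1" else words
```

With tabs preserved, field 6 of the sample is "Domain Admins"; after a tab-to-space rewrite the same index lands inside the date string.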