This is harder to deal with than I thought (as the section you want to cut
is not a separate field, but just part of the text in a field)
I would be looking to use a regex in a template that would match
everything up to and including the "this event is generated" text.
David Lang
On Tue, 29 May 2012, Alfred Rapozo wrote:
Date: Tue, 29 May 2012 16:18:36 -0400
From: Alfred Rapozo <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Cutting messages coming from Snare on Windows 2008
This is an example log line recorded by rsyslog. What I would like to
cut is everything including and after "This event is generated"
May 21 08:09:23 svr03.domain.local
SVR03#011MSWinEventLog#0114#011Security#01170025301#011Mon May 21
08:14:47
2012#0114624#011Microsoft-Windows-Security-Auditing#011DOMAIN\user01#011N/A#011Success
Audit#011SVRDOMAIN03.promerica.local#011Logon#011#011An account was
successfully logged on. Subject: Security ID: S-1-0-0 Account
Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3
New Logon: Security ID:
S-1-5-21-1674033898-877666992-871460195-3807 Account Name: Fahernan
Account Domain: DOMAIN Logon ID: 0x12c6a201 Logon GUID:
{2A657CE2-5E0B-C98C-06A4-A139797BFD57} Process Information:
Process ID: 0x0 Process Name: - Network Information:
Workstation Name: Source Network Address: 10.0.0.150 Source Port:
1190 Detailed Authentication Information: Logon Process:
Kerberos Authentication Package: Kerberos Transited Services: -
Package Name (NTLM only): - Key Length: 0 This event is
generated when a logon session is created. It is generated on the
computer that was accessed. The subject fields indicate the account
on the local system which requested the logon. This is most commonly a
service such as the Server service, or a local process such as
Winlogon.exe or Services.exe. The logon type field indicates the
kind of logon that occurred. The most common types are 2 (interactive)
and 3 (network). The New Logon fields indicate the account for whom
the new logon was created, i.e. the account that was logged on. The
network fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some
cases. The authentication information fields provide detailed
information about this specific logon request. - Logon GUID is a
unique identifier that can be used to correlate this event with a KDC
event. - Transited services indicate which intermediate services
have participated in this logon request. - Package name indicates
which sub-protocol was used among the NTLM protocols. - Key length
indicates t
Any help or docs that would point me on what to do to achieve it?
On Tue, May 29, 2012 at 2:47 PM, <[email protected]> wrote:
On Tue, 29 May 2012, Alfred Rapozo wrote:
I don't think I need the data that's after that part on the messages.
Besides I could make sure the original message is preserved and have
the truncated one on another file.
I just want to know if it's possible to make the cut on rsyslog before
it writes the message to file.
yes, you would create a custom format string. In this case you would
probably want to do a field cut that cut it off at the number of fields you
care about (with the field split being the tab or #011 escape string)
David Lang
On Tue, May 29, 2012 at 1:58 PM, <[email protected]> wrote:
On Tue, 29 May 2012, Alfred Rapozo wrote:
I'm receiving messages on a rsyslog machine, coming from a Windows
2008 machine using Snare.
The problem with 2008 is that at the end of the message comes a
meaningless string explaining what the event is about. The string is
really big and is the same for every event of the same type.
Is there any way to make rsyslog discard this part of the message? Most
of the time it starts with "This event is generated".
Unfortunately, that's not the end of the message from Snare, there is
data in the message after that that you care about (it may be getting
truncated in your setup)
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
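The two approaches discussed in this thread (cut at the "This event is generated" text with a regex, or cut after a fixed number of #011-separated fields) behave differently on the trailing data David mentions. The Python below is an added illustration, not code from the thread or from rsyslog; the sample line is constructed after the one Alfred posted (shortened, with a placeholder trailing field "42" standing in for whatever Snare appends after the description), and the helper names are mine.

```python
import re

# Constructed sample modelled on the Snare / Windows 2008 line quoted in the
# thread. rsyslog escapes the tab separators Snare uses as "#011". The final
# "#01142" field is a constructed placeholder for the data that follows the
# description; the real trailing content of a Snare message may differ.
SAMPLE = (
    "SVR03#011MSWinEventLog#0114#011Security#01170025301#011Mon May 21 08:14:47 2012"
    "#0114624#011Microsoft-Windows-Security-Auditing#011DOMAIN\\user01#011N/A"
    "#011Success Audit#011SVR03.domain.local#011Logon#011#011An account was "
    "successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - "
    "Logon Type: 3 New Logon: Account Name: user01 Source Network Address: "
    "10.0.0.150 This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.#01142"
)

# The thread spells the marker both "This event" and "this event", so match
# case-insensitively.
DESCRIPTION_MARKER = re.compile(r"This event is generated", re.IGNORECASE)
FIELD_SEP = "#011"  # escaped tab as written by rsyslog


def cut_at_description(msg):
    """Regex approach: keep everything before the boilerplate description.

    Simple, but any Snare fields that follow the description are dropped too,
    which is the truncation caveat raised in the thread.
    """
    m = DESCRIPTION_MARKER.search(msg)
    if m is None:
        return msg  # no description present (other event types): leave as-is
    return msg[:m.start()].rstrip()


def cut_by_fields(msg, keep):
    """Field-cut approach: split on the escaped tab and keep the first `keep`
    fields. Predictable size, independent of the description wording, but it
    also drops the free-text 'An account was successfully logged on' field
    and everything after it unless `keep` reaches that far.
    """
    return FIELD_SEP.join(msg.split(FIELD_SEP)[:keep])


def strip_description_keep_tail(msg):
    """Combined approach: remove only the description text from the field
    that contains it and keep the fields before and after it intact."""
    out = []
    for field in msg.split(FIELD_SEP):
        m = DESCRIPTION_MARKER.search(field)
        out.append(field if m is None else field[:m.start()].rstrip())
    return FIELD_SEP.join(out)


def field_count(msg):
    """Number of #011-separated fields, useful when choosing `keep`."""
    return len(msg.split(FIELD_SEP))


if __name__ == "__main__":
    print("fields in sample:", field_count(SAMPLE))
    print("regex cut      :", cut_at_description(SAMPLE))
    print("field cut (14) :", cut_by_fields(SAMPLE, 14))
    print("strip, keep tail:", strip_description_keep_tail(SAMPLE))
```

Whichever strategy is turned into an rsyslog template, the same trade-off applies: a cut at the marker loses the trailing fields, a field cut needs the field position to be stable across event types, and stripping only the description field keeps both the event-specific text and the tail. Writing the untouched original to a second file, as Alfred proposes, keeps the full record available for investigation if the cut ever drops something needed.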