which fields are you wanting extracted? lots of them could be considered 'security fields'

David Lang

On Thu, 29 Nov 2012, jdguingao wrote:

Date: Thu, 29 Nov 2012 10:52:53 -0800 (PST)
From: jdguingao <guingao.j...@gmail.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Subject: [rsyslog] Please help with Snare Format

Hi All, please help me with how to extract the security fields in this message
using regex or any other method.

Here is a Sample log from Snare


2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog   0
Security        491     Fri Nov 30 02:41:44 2012        4689
Microsoft-Windows-Security-Auditing     PH\CX-CDOWKSMIS003$     N/A
Success Audit   CX-CDOWKSMIS003.ph.gbsorg.net   Process Termination
A process has exited.    Subject:   Security ID:  S-1-5-18   Account Name:
CX-CDOWKSMIS003$   Account Domain:  PH   Logon ID:  0x3e7    Process
Information:   Process ID: 0x1d50   Process Name:
C:\Windows\System32\SearchFilterHost.exe   Exit Status: 0x0  265

I have tried some processes but to no avail. I have used the Snare parser in
phpLogCon but it is not working. I don't have the pmsnare module as I did
not compile my rsyslog installation from source. I'm still new to rsyslog and
regex. Thanks




--
View this message in context: 
http://rsyslog-rsyslog-users.1305293.n2.nabble.com/Please-help-with-Snare-Format-tp7579234.html
Sent from the rsyslog -- rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
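As an added illustration of the extraction being asked about (not code from either poster or from the rsyslog project): a Python parser that splits the Snare-over-syslog record on its tab separators and then pulls the "Key: value" pairs out of the Windows event description. The 14-field order in SNARE_FIELDS is assumed from the sample line above, and the sample itself is reconstructed with tabs put back where the mail archive flattened them into spaces.

```python
import re
from typing import Any, Dict, Optional

# Field order of the Snare for Windows agent's tab-separated payload, as
# assumed from the sample line in the thread (14 fields after the header).
SNARE_FIELDS = ["tag", "criticality", "log_name", "snare_counter",
                "event_time", "event_id", "source_name", "user_name",
                "sid_type", "event_type", "computer_name", "category",
                "description", "checksum"]

# Constructed input: the thread's sample with the tabs that the mail archive
# flattened into spaces put back between the Snare fields.
SAMPLE = (
    "2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog\t0\t"
    "Security\t491\tFri Nov 30 02:41:44 2012\t4689\t"
    "Microsoft-Windows-Security-Auditing\tPH\\CX-CDOWKSMIS003$\tN/A\t"
    "Success Audit\tCX-CDOWKSMIS003.ph.gbsorg.net\tProcess Termination\t"
    "A process has exited.    Subject:   Security ID:  S-1-5-18   Account Name:"
    "  CX-CDOWKSMIS003$   Account Domain:  PH   Logon ID:  0x3e7    Process "
    "Information:   Process ID: 0x1d50   Process Name:  "
    "C:\\Windows\\System32\\SearchFilterHost.exe   Exit Status: 0x0\t265"
)

def parse_description(desc: str) -> Dict[str, str]:
    """'Key:  value   Key: value' text -> dict; headers like 'Subject:' are dropped."""
    out: Dict[str, str] = {}
    pending: Optional[str] = None            # key whose value is the next token
    for tok in re.split(r"\s{2,}", desc.strip()):
        if tok.endswith(":"):                # 'Security ID:' (value follows)
            pending = tok[:-1]
            continue
        key, sep, val = tok.partition(": ")  # 'Process ID: 0x1d50' in one token
        if sep:
            out[key] = val
        elif pending is not None:            # the value for the previous key
            out[pending] = tok
        pending = None                       # free text like 'A process has exited.'
    return out

def parse_snare(line: str) -> Dict[str, Any]:
    """Split a Snare-over-syslog line into the syslog header plus Snare fields."""
    timestamp, host, payload = line.split(" ", 2)
    parts = payload.split("\t")
    if len(parts) != len(SNARE_FIELDS) or parts[0] != "MSWinEventLog":
        raise ValueError("not a Snare MSWinEventLog record: %r" % line[:60])
    rec: Dict[str, Any] = dict(zip(SNARE_FIELDS, parts))
    rec["syslog_timestamp"], rec["syslog_host"] = timestamp, host
    rec["fields"] = parse_description(rec["description"])
    return rec
```

Calling parse_snare(SAMPLE) yields event_id "4689" and a fields dict with "Security ID", "Account Name", "Logon ID", "Process Name" and "Exit Status"; records with a different tab count are rejected rather than mis-mapped.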
