On Thu, 29 Nov 2012, jdguingao wrote:
I will enclose in curly braces the message that I want to extract:

2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog 0 {Security} 491 Fri Nov 30 02:41:44 2012 4689 Microsoft-Windows-Security-Auditing PH\CX-CDOWKSMIS003$ N/A Success Audit CX-CDOWKSMIS003.ph.gbsorg.net Process Termination A process has exited. Subject: Security ID: S-1-5-18 Account Name: CX-CDOWKSMIS003$ Account Domain: PH Logon ID: 0x3e7 Process Information: Process ID: 0x1d50 Process Name: C:\Windows\System32\SearchFilterHost.exe Exit Status: 0x0 265

I think I understand the log format a little better. I thought that when you put %msg:F:3% it would extract the Security message that I want, but it gives this message instead: Microsoft-Windows-Security-Auditing. So the tab splitting starts with this field: Fri Nov 30 02:41:44 2012 (when I use %msg:F:1%).
A good way to see this is by logging with the RSYSLOG_DebugFormat template. It will tell you how the message got broken apart by the rsyslog parser.
If it's starting with the date, that means that, as configured, your version of Snare is not sending a valid syslog message: it's using tabs between the date, hostname, and MSWinEventLog fields. My Snare installs sometimes do this, sometimes don't, and sometimes have a null character in there somewhere. This is the sort of stuff that pmsnare tries to fix up (so that MSWinEventLog ends up in the programname field and the message starts with the field after that, in this case '0').
Another thing to watch out for is that if escaping of control characters gets triggered, all the tab characters will become '#011', which really messes up parsing, as you can't split on multi-character fields with rsyslog.
David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
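The two pitfalls David describes (the tab-field index shifting when Snare tab-separates the syslog header as well, and '#011' escaping defeating single-character splitting) are easy to reproduce outside rsyslog. The following is an added example, not code from rsyslog, pmsnare or Snare: it rebuilds the quoted event in the three shapes discussed in the thread, shows what a 1-based tab field like %msg:F:3% would land on in each, and then parses the Snare fields relative to the MSWinEventLog marker instead of by absolute position, which is the same idea pmsnare applies. The field names after the marker are assumptions inferred from the order of values in the quoted sample, not an official Snare layout.

```python
"""Tab-delimited Snare event normaliser (added example; not rsyslog/pmsnare code)."""

MARKER = "MSWinEventLog"
ESCAPED_TAB = "#011"   # what a tab becomes once rsyslog's control-character escaping runs

# Assumed names for the tokens that follow the marker, in the order seen in the thread's sample.
SNARE_FIELDS = [
    "criticality", "log_name", "counter", "event_time", "event_id", "source_name",
    "user", "sid_type", "event_type", "computer", "category", "description", "checksum",
]

# Constructed sample data, modelled on the event quoted in the thread.
SNARE_BODY = [
    "0", "Security", "491", "Fri Nov 30 02:41:44 2012", "4689",
    "Microsoft-Windows-Security-Auditing", "PH\\CX-CDOWKSMIS003$", "N/A", "Success Audit",
    "CX-CDOWKSMIS003.ph.gbsorg.net", "Process Termination",
    "A process has exited. Subject: Security ID: S-1-5-18 Account Name: CX-CDOWKSMIS003$ "
    "Account Domain: PH Logon ID: 0x3e7 Process Information: Process ID: 0x1d50 "
    "Process Name: C:\\Windows\\System32\\SearchFilterHost.exe Exit Status: 0x0",
    "265",
]
HEADER = ["2012-11-30T02:41:46+08:00", "CX-CDOWKSMIS003.ph.gbsorg.net", MARKER]

# Shape 1: valid syslog header joined by spaces; tabs only between the Snare fields.
SPACE_HEADER_LINE = " ".join(HEADER) + "\t" + "\t".join(SNARE_BODY)
# Shape 2: what the thread observed, the header fields tab-separated as well.
TAB_HEADER_LINE = "\t".join(HEADER + SNARE_BODY)
# Shape 3: shape 2 after rsyslog escaped the control characters.
ESCAPED_LINE = TAB_HEADER_LINE.replace("\t", ESCAPED_TAB)


def unescape_tabs(line: str) -> str:
    """Turn '#011' back into a real tab so single-character splitting works again."""
    return line.replace(ESCAPED_TAB, "\t")


def split_fields(line: str) -> list:
    """Split on tab, as a %msg:F:n% property-replacer field does (after un-escaping)."""
    return unescape_tabs(line).rstrip("\r\n").split("\t")


def field(line: str, n: int) -> str:
    """1-based tab field, mirroring what %msg:F:n% would return on the raw text."""
    parts = split_fields(line)
    return parts[n - 1] if 1 <= n <= len(parts) else ""


def parse_snare(line: str) -> dict:
    """Anchor on the MSWinEventLog marker rather than an absolute field number, so the
    result is the same whether the header was joined with spaces or with tabs."""
    parts = split_fields(line)
    start = next((i for i, p in enumerate(parts)
                  if p == MARKER or p.endswith(" " + MARKER)), None)
    if start is None:
        raise ValueError("no %s marker in line" % MARKER)
    body = parts[start + 1:]
    if len(body) < len(SNARE_FIELDS):
        raise ValueError("expected %d fields after %s, got %d"
                         % (len(SNARE_FIELDS), MARKER, len(body)))
    record = dict(zip(SNARE_FIELDS, body[:len(SNARE_FIELDS)]))
    record["programname"] = MARKER   # where pmsnare would put it
    return record


if __name__ == "__main__":
    for name, line in (("space header", SPACE_HEADER_LINE),
                       ("tab header", TAB_HEADER_LINE),
                       ("escaped", ESCAPED_LINE)):
        print("%-12s F:3=%r  raw tab fields=%d  log_name=%s  event_id=%s"
              % (name, field(line, 3), len(line.split("\t")),
                 parse_snare(line)["log_name"], parse_snare(line)["event_id"]))
```

Running it shows the shift directly: on the space-joined header field 3 is "Security", on the tab-joined header it is "MSWinEventLog", and on the escaped line a raw split on tab yields a single field until '#011' is turned back into a tab. The marker-relative parse returns the same record for all three shapes, which is what a downstream collector wants when it cannot control the Snare version or the escaping setting on the relay.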

