I've been using this filter to parse security event log messages into their own
file with great success, if this helps at all:
# Route Snare Security events to their own file, then discard them
# so they do not also land in the catch-all logs.
if $syslogtag contains 'Security' \
then ?WindowsSecFile;WindowsFileMsgFormat
& ~
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, November 29, 2012 4:11 PM
To: rsyslog-users
Subject: Re: [rsyslog] Please help with Snare Format
On Thu, 29 Nov 2012, jdguingao wrote:
> I will enclose in curly braces the message that I want to extract
>
> 2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog 0
> {Security} 491 Fri Nov 30 02:41:44 2012 4689
> Microsoft-Windows-Security-Auditing PH\CX-CDOWKSMIS003$ N/A
> Success Audit CX-CDOWKSMIS003.ph.gbsorg.net Process Termination
> A process has exited. Subject: Security ID: S-1-5-18 Account Name:
> CX-CDOWKSMIS003$ Account Domain: PH Logon ID: 0x3e7 Process
> Information: Process ID: 0x1d50 Process Name:
> C:\Windows\System32\SearchFilterHost.exe Exit Status: 0x0 265
>
> I think I understand the log format a little better. I thought that
> when you put %msg:F:3% it would extract the Security message that I
> want, but it gives this message instead:
> Microsoft-Windows-Security-Auditing. So the tab splitting starts with
> this field: Fri Nov 30 02:41:44 2012 (when I use %msg:F:1%).
A good way to see this is by logging with the RSYSLOG_DebugFormat template. It
will tell you how the message got broken apart by the rsyslog parser.
If it's starting with the date, that means that, as configured, your version of
Snare is not sending a valid syslog message; it's using tabs between the date,
hostname, and MSWinEventLog fields. My Snare installs sometimes do this,
sometimes don't, and sometimes have a null character in there somewhere. This
is the sort of stuff that pmsnare tries to fix up (so that MSWinEventLog ends
up in the programname field and the message starts with the field after that,
in this case '0').
Another thing to watch out for is if escaping of control characters gets
triggered, all the tab characters will become '#011', which really messes up
parsing as you can't split on multi-character fields with rsyslog.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
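The tab-splitting, '#011' escaping and stray-NUL problems discussed above, worked through in Python as an added example. This is not code from the thread, from rsyslog or from Snare. Assumptions: the field names after the MSWinEventLog token are my reading of the Snare agent format, the tab positions in the sample line are reconstructed from the description in the thread (the archived post collapsed them to spaces), and the names normalise, rsyslog_field, msg_from and parse_snare are mine.

```python
"""Snare MSWinEventLog line parsing, the way pmsnare and %msg:F:n% see it.

Added example, not from the thread and not rsyslog or Snare code. The field
layout below is an assumption based on the Snare agent format; the tab
positions in SAMPLE are reconstructed from the thread.
"""

# Snare payload fields after the "MSWinEventLog" token (assumed layout).
SNARE_FIELDS = [
    "criticality", "log_name", "counter", "datetime", "event_id",
    "source_name", "user", "sid_type", "event_log_type", "computer",
    "category", "data",
]

# When rsyslog escapes control characters, TAB becomes '#011' and NUL '#000'
# (octal with a leading '#'); raw NULs also show up from some Snare builds.
ESCAPED_TAB = "#011"
NUL_FORMS = ("\x00", "#000")

# Constructed sample, built from the event quoted in the thread. Tabs are
# placed where the thread says Snare puts them (an assumption).
SAMPLE = "\t".join([
    "2012-11-30T02:41:46+08:00", "CX-CDOWKSMIS003.ph.gbsorg.net", "MSWinEventLog",
    "0", "Security", "491", "Fri Nov 30 02:41:44 2012", "4689",
    "Microsoft-Windows-Security-Auditing", "PH\\CX-CDOWKSMIS003$", "N/A",
    "Success Audit", "CX-CDOWKSMIS003.ph.gbsorg.net", "Process Termination",
    "A process has exited. Subject: Security ID: S-1-5-18 Account Name: "
    "CX-CDOWKSMIS003$ Account Domain: PH Logon ID: 0x3e7 Process Information: "
    "Process ID: 0x1d50 Process Name: C:\\Windows\\System32\\SearchFilterHost.exe "
    "Exit Status: 0x0",
    "265",
])
# The same event after rsyslog's control-character escaping kicked in.
SAMPLE_ESCAPED = SAMPLE.replace("\t", ESCAPED_TAB)


def normalise(line: str) -> str:
    """Undo '#011' escaping and drop NULs so that tab splitting works again."""
    for nul in NUL_FORMS:
        line = line.replace(nul, "")
    return line.replace(ESCAPED_TAB, "\t")


def rsyslog_field(msg: str, n: int, delim: str = "\t") -> str:
    """Emulate the property replacer %msg:F:n%: 1-based field n of msg split on
    delim (TAB by default). Out-of-range n yields '' rather than an error."""
    parts = msg.split(delim)
    return parts[n - 1] if 1 <= n <= len(parts) else ""


def msg_from(line: str, start_field: int) -> str:
    """Tail of line starting at 1-based field start_field, to reproduce a msg
    property whose leading fields were consumed by the header parser."""
    return "\t".join(normalise(line).split("\t")[start_field - 1:])


def parse_snare(line: str) -> dict:
    """Split a Snare line like pmsnare does: everything up to and including
    'MSWinEventLog' is header (timestamp, host, programname), the rest is the
    event. Works on raw, '#011'-escaped and NUL-polluted input."""
    parts = normalise(line).split("\t")
    if "MSWinEventLog" not in parts:
        raise ValueError("not a Snare MSWinEventLog line")
    idx = parts.index("MSWinEventLog")
    body = parts[idx + 1:]
    event = dict(zip(SNARE_FIELDS, body))
    event["header"] = parts[:idx]                # e.g. [timestamp, hostname]
    event["programname"] = parts[idx]            # what pmsnare puts in programname
    event["trailer"] = body[len(SNARE_FIELDS):]  # Snare's trailing counter
    return event


if __name__ == "__main__":
    ev = parse_snare(SAMPLE)
    print(ev["log_name"], ev["event_id"], ev["category"])
    # Escaped input is unusable without normalisation: no TAB left to split on.
    print(repr(rsyslog_field(SAMPLE_ESCAPED, 3)))
    # What the original poster saw: msg starting at the 'Fri Nov ...' field.
    seen = msg_from(SAMPLE, 7)
    print(rsyslog_field(seen, 1), "|", rsyslog_field(seen, 3))
```

Feed parse_snare the raw line, the '#011'-escaped line and a line with a NUL spliced in and you get the same dictionary back; feed the escaped line straight to rsyslog_field and field 3 comes back empty, which is the failure mode David describes when escaping is on. msg_from(SAMPLE, 7) reproduces the view the original poster had, where %msg:F:1% is the 'Fri Nov 30' date and %msg:F:3% is Microsoft-Windows-Security-Auditing.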