We use Snare to capture logs from Windows machines to rsyslog for archival and forwarding to other tools. One tool required that Snare use a comma as a delimiter, so all the servers are configured to use a comma. The problem is we have added another tool that we would like to forward logs to that wants the original Snare delimiter, which is a tab character.
Is there a way to replace all commas in rawmsg with a tab character? I could not figure out a way to do this with a template because the message format is strange and multiple fields from Snare are combined in the syslog fields. Here is (sanitized) debug output:

Debug line with all properties:
FROMHOST: '1.2.3.4', fromhost-ip: '1.2.3.4', HOSTNAME: 'Hostname.domain.com', PRI: 134,
syslogtag 'MSWinEventLog,1,Security,695810,Mon', programname: 'MSWinEventLog,1,Security,695810,Mon', APP-NAME: 'MSWinEventLog,1,Security,695810,Mon', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 25 16:38:03', STRUCTURED-DATA: '-',
msg: ' Feb 25 16:38:00 2013,4634,Microsoft-Windows-Security-Auditing,ITS-W2KS02ADR$,N/A,Success Audit,Hostname.domain.com,None,,An account was logged off. Subject: Security ID: S-1-5-21-299502267-36228127-1238915-1106 Account Name: DCNAME$ Account Domain: DOMAIN Logon ID: 0x8178814 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,695323 '
escaped msg: ' Feb 25 16:38:00 2013,4634,Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success Audit,Hostname.domain.com,None,,An account was logged off. Subject: Security ID: S-1-5-21-299502267-36228127-1238915-1106 Account Name: DCNAME$ Account Domain: DOMAIN Logon ID: 0x8178814 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,695323 '
inputname: imudp
rawmsg: '<134>Feb 25 16:38:03 Hostname.domain.com MSWinEventLog,1,Security,695810,Mon Feb 25 16:38:00 2013,4634,Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success Audit,Hostname.domain.com,None,,An account was logged off. 
Subject: Security ID: S-1-5-21-299502267-36228127-1238915-1106 Account Name: DCNAME$ Account Domain: DOMAIN Logon ID: 0x8178814 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,695323 '

Any way to do that substitution? Or any other creative solutions?

Thank you in advance,
Dan Woodruff
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
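One way to do the comma-to-tab conversion outside of rsyslog's template language, as an added example that is not part of the original post and not rsyslog's or Snare's own code: a small filter that rsyslog could feed through omprog (which writes each message to the program's stdin; the template that emits rawmsg to it is assumed, not shown). It assumes the 15-field Snare payload visible in the posted rawmsg (13 fixed fields, then the free-text description, then a trailing counter) and only treats the first 13 commas and the last comma as delimiters, so that a comma inside the Windows event description does not split it into extra fields the way a blind `rawmsg.replace(",", "\t")` would. The sample line is constructed from the sanitized message in the post.

```python
"""Convert a comma-delimited Snare-for-Windows syslog line to Snare's tab-delimited form.

Added example, not code from the rsyslog list post. Assumptions: the syslog header
looks like '<PRI>Mon dd HH:MM:SS host ' as in the posted rawmsg, and the Snare
payload has exactly 15 fields, the 14th being the free-text event description.
"""
import re
import sys

# Syslog header as seen in the posted rawmsg: <PRI>MMM dd HH:MM:SS host <payload>
_HEADER = re.compile(r"^(<\d{1,3}>\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ )(.*)$", re.S)

# Field layout assumed from the sample: 13 fixed fields, description, trailing counter.
FIELDS_BEFORE_DESCRIPTION = 13
EXPECTED_FIELDS = 15

# Constructed sample, assembled from the sanitized rawmsg in the post (single line).
SAMPLE = (
    "<134>Feb 25 16:38:03 Hostname.domain.com MSWinEventLog,1,Security,695810,"
    "Mon Feb 25 16:38:00 2013,4634,Microsoft-Windows-Security-Auditing,DCNAME$,N/A,"
    "Success Audit,Hostname.domain.com,None,,An account was logged off. Subject: "
    "Security ID: S-1-5-21-299502267-36228127-1238915-1106 Account Name: DCNAME$ "
    "Account Domain: DOMAIN Logon ID: 0x8178814 Logon Type: 3 This event is "
    "generated when a logon session is destroyed. It may be positively correlated "
    "with a logon event using the Logon ID value. Logon IDs are only unique between "
    "reboots on the same computer.,695323"
)


def split_snare_fields(payload):
    """Split a comma-delimited Snare payload into its 15 fields.

    Only the first 13 commas and the very last comma are delimiters; any comma
    between them belongs to the description field and is kept verbatim.
    """
    head = payload.split(",", FIELDS_BEFORE_DESCRIPTION)
    if len(head) != FIELDS_BEFORE_DESCRIPTION + 1:
        raise ValueError("payload has fewer than %d fields" % EXPECTED_FIELDS)
    rest = head.pop()  # description + ',' + counter
    description, sep, counter = rest.rpartition(",")
    if not sep or not counter.isdigit():
        raise ValueError("missing trailing Snare event counter")
    return head + [description, counter]


def snare_comma_to_tab(rawmsg):
    """Return rawmsg with the Snare payload re-joined by tabs; the syslog header is untouched."""
    m = _HEADER.match(rawmsg)
    if not m:
        raise ValueError("not a Snare syslog line: %r" % rawmsg[:40])
    header, payload = m.groups()
    # rsyslog's debug output showed trailing whitespace after the counter; drop it.
    payload = payload.rstrip()
    return header + "\t".join(split_snare_fields(payload))


if __name__ == "__main__":
    # omprog-style operation: one message per stdin line, converted line on stdout.
    # Lines that do not fit the assumed layout are passed through unchanged rather
    # than dropped, so a malformed event is still visible downstream.
    for line in sys.stdin:
        line = line.rstrip("\n")
        try:
            sys.stdout.write(snare_comma_to_tab(line) + "\n")
        except ValueError:
            sys.stdout.write(line + "\n")
        sys.stdout.flush()
```

If the downstream tool is known to tolerate a description that was itself split on commas (the comma-delimited tool already lives with that), the whole script collapses to a single `rawmsg.replace(",", "\t")`; the field-aware split above is there because tab-delimited Snare consumers usually expect exactly one description field. Tabs inside the description would still confuse a tab-delimited consumer, which is a limitation of the Snare format rather than of this filter.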

