Yeah, that would make the text a little messy, but it should still parse OK in the other tools.

I'm forwarding the messages out over syslog to get them to the other tool (a SIEM). Is there a way to write a script that I could pipe each message to? I might be able to hack that together if so.

Dan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Monday, February 25, 2013 4:51 PM
To: rsyslog-users
Subject: Re: [rsyslog] Replace a character in a message with a different one

One problem you will have is that the text in the messages sometimes includes commas.

How are you getting the logs to your program? Could you just insert sed into the path?

I don't know of a way to do this inside rsyslog without a small custom module.

David Lang

On Mon, 25 Feb 2013, Woodruff, Dan wrote:

> Date: Mon, 25 Feb 2013 21:48:02 +0000
> From: "Woodruff, Dan" <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: [rsyslog] Replace a character in a message with a different one
>
> We use Snare to capture logs from Windows machines to rsyslog for archival
> and forwarding to other tools. One tool required Snare to use a comma as a
> delimiter, so all the servers are configured to use a comma. The problem is we
> have added another tool that we would like to forward logs to that wants the
> original Snare delimiter, which is a tab character.
>
> Is there a way to replace all commas in rawmsg with a tab character? I could
> not figure out a way to do this with a template because the message format is
> strange and multiple fields from Snare are combined in the syslog fields.
>
> Here is (sanitized) debug output:
>
> Debug line with all properties:
> FROMHOST: '1.2.3.4', fromhost-ip: '1.2.3.4', HOSTNAME: 'Hostname.domain.com', PRI: 134,
> syslogtag 'MSWinEventLog,1,Security,695810,Mon',
> programname: 'MSWinEventLog,1,Security,695810,Mon',
> APP-NAME: 'MSWinEventLog,1,Security,695810,Mon', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 25 16:38:03', STRUCTURED-DATA: '-',
> msg: ' Feb 25 16:38:00 2013,4634,Microsoft-Windows-Security-Auditing,ITS-W2KS02ADR$,N/A,Success Audit,Hostname.domain.com,None,,An account was logged off. Subject: Security ID: S-1-5-21-299502267-36228127-1238915-1106 Account Name: DCNAME$ Account Domain: DOMAIN Logon ID: 0x8178814 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,695323 '
> escaped msg: ' Feb 25 16:38:00 2013,4634,Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success Audit,Hostname.domain.com,None,,An account was logged off. Subject: Security ID: S-1-5-21-299502267-36228127-1238915-1106 Account Name: DCNAME$ Account Domain: DOMAIN Logon ID: 0x8178814 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,695323 '
> inputname: imudp
> rawmsg: '<134>Feb 25 16:38:03 Hostname.domain.com MSWinEventLog,1,Security,695810,Mon Feb 25 16:38:00 2013,4634,Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success Audit,Hostname.domain.com,None,,An account was logged off. Subject: Security ID: S-1-5-21-299502267-36228127-1238915-1106 Account Name: DCNAME$ Account Domain: DOMAIN Logon ID: 0x8178814 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,695323 '
>
> Any way to do that substitution? Or any other creative solutions?
>
> Thank you in advance,
> Dan Woodruff
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
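A filter of the kind Dan asks about, as an added example that is not part of this thread and is not code from rsyslog or Snare. It reads one syslog message per line on stdin and writes the converted message on stdout, which is the shape needed when rsyslog pipes each message to a program (for instance through its omprog output module) or when the script sits in front of the forwarder. It also addresses David's caveat: a blanket `sed 's/,/\t/g'` turns every comma into a tab, so a comma inside the event description (an account name, a process path, free text an attacker can influence) shifts every column the SIEM parses after it. Splitting positionally instead keeps the record aligned. The field layout is an assumption read off the sample rawmsg in the thread, not taken from a Snare specification: the payload starts at the literal tag `MSWinEventLog`, 13 comma-separated fields precede the free-text description, and a numeric counter follows the last comma. The sample line `SAMPLE_RAW` is constructed for the example, with a comma deliberately placed inside the account name.

```python
#!/usr/bin/env python3
"""Re-delimit Snare-for-Windows events from comma to tab.

Added example for the rsyslog thread above; not code from rsyslog or Snare.
Reads one syslog message per line on stdin and writes the converted message
on stdout.

Assumptions, taken from the sample message in the thread rather than from a
Snare specification:
  * the Snare payload begins at the literal tag 'MSWinEventLog';
  * 13 comma-separated fields precede the free-text event description;
  * the description may itself contain commas;
  * the record ends with a numeric counter after the last comma.
"""
import sys

SNARE_TAG = "MSWinEventLog"
LEADING_FIELDS = 13   # MSWinEventLog,Criticality,Log,Counter,DateTime,EventID,
                      # Source,User,SIDType,EventType,Computer,Category,(empty)


def convert_snare_line(line: str) -> str:
    """Return LINE with Snare's comma delimiters replaced by tabs.

    Commas inside the free-text description are left alone, so a field an
    attacker can influence (account name, process path, message text) cannot
    shift the SIEM's column layout.  Lines without a well-formed Snare payload
    are returned unchanged.
    """
    line = line.rstrip("\r\n")
    idx = line.find(SNARE_TAG)
    if idx < 0:
        return line
    header, payload = line[:idx], line[idx:]

    # Peel off the fixed leading fields; whatever remains is the description
    # followed by the trailing counter.
    parts = payload.split(",", LEADING_FIELDS)
    if len(parts) != LEADING_FIELDS + 1:
        return line
    description, sep, counter = parts[LEADING_FIELDS].rpartition(",")
    if not sep or not counter.strip().isdigit():
        return line

    fields = parts[:LEADING_FIELDS] + [description, counter.strip()]
    return header + "\t".join(fields)


def naive_convert(line: str) -> str:
    """What a global sed substitution would do: every comma becomes a tab,
    including the ones inside the description.  Kept only for comparison."""
    return line.rstrip("\r\n").replace(",", "\t")


def field_count(line: str) -> int:
    """Number of tab-separated columns a downstream parser would see."""
    return len(line.split("\t"))


# Constructed sample in the shape of the thread's rawmsg, with a comma
# deliberately placed inside the account name to show the difference.
SAMPLE_RAW = (
    "<134>Feb 25 16:38:03 Hostname.domain.com "
    "MSWinEventLog,1,Security,695810,Mon Feb 25 16:38:00 2013,4634,"
    "Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success Audit,"
    "Hostname.domain.com,None,,An account was logged off. Subject: "
    "Account Name: Smith, John Account Domain: DOMAIN Logon Type: 3,695323"
)


if __name__ == "__main__":
    if sys.stdin.isatty():
        # No piped input: show the comparison on the constructed sample.
        print("positional:", field_count(convert_snare_line(SAMPLE_RAW)), "columns")
        print("naive     :", field_count(naive_convert(SAMPLE_RAW)), "columns")
    else:
        for raw in sys.stdin:
            sys.stdout.write(convert_snare_line(raw) + "\n")
            sys.stdout.flush()
```

Run without input it reports 15 columns for the positional split and 16 for the naive one on the constructed sample, which is exactly the off-by-one that would misfile the event in the SIEM. Anything that is not a well-formed Snare record (no tag, too few fields, a non-numeric trailer) passes through untouched rather than being half-converted, so the forwarder never emits a record whose delimiter is ambiguous.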

