what is the config that sets the structured data? David Lang
On Wed, 5 May 2021, James Ward-Smith wrote:
Date: Wed, 5 May 2021 00:18:42 +0000 From: James Ward-Smith <[email protected]> To: David Lang <[email protected]> Cc: James Ward-Smith via rsyslog <[email protected]> Subject: Re: [rsyslog] Structured Data in Windows Event Hi, We are have got rsyslog windows agent 7.0 installed, and are trying to send windows event logs e.g. successful log offs to a Linux machine in a particular format. I have attached images of the custom syslog header we are using, and images of the resulting syslog that seems to completely ignore the structured data section. Kind regards, James Sent from my iPhone On 5 May 2021, at 10:16 am, James Ward-Smith <[email protected]> wrote: On 5 May 2021, at 10:02 am, David Lang <[email protected]> wrote: what software are you using to send the windows event data? can you show us an example of a log that's not working? (what the rawmsg looks like) David Lang On Tue, 4 May 2021, James Ward-Smith via rsyslog wrote: Hi, We are using a custom syslog header to parse Windows Events into syslog format, but it does not seem to be picking up the structured data. In our custom syslog header, we have referenced %syslogstructdata% and we are trying to set a property so that syslogstructdata is equal to the structured XML of the windows event. We are unable to get this to come through and can only get it if we use logpoint SIEM JSON format. <image6.jpeg> <image8.jpeg> Kind regards, James _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
