Re: [rsyslog] Please help with Snare Format

2012-11-30 Thread David Lang
On Thu, 29 Nov 2012, jdguingao wrote: > Will it still force escape even if I use this directive $EscapeControlCharactersOnReceive off? I'm not sure, but if it doesn't, then it won't do anything (since the tests look for the escaped character sequences). It wouldn't be a lot of work to modify i

Re: [rsyslog] Please help with Snare Format

2012-11-30 Thread jdguingao
David, thank you for your help. I already solved the problem. This message is part of the syslog tag: MSWinEventLog0 Security957 Fri. So I just use this command to extract the security field: syslogtag:F:3. Again, thank you for all your help. Cheers, Jong
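
A way to reproduce the `syslogtag:F:3` extraction outside rsyslog, as an added example that is not code from the thread or from rsyslog itself: the Snare record is tab-delimited, so field 3 of the tag is `Security`, and with `$EscapeControlCharactersOnReceive` left at its default of on each tab arrives as `#011`, so a tab split sees a single field (the escaping issue raised in the thread). The record below is constructed from the sample message; the function names are my own.

```python
# Added example: mimic rsyslog's property-replacer field extraction
# (syslogtag:F:3) on a Snare-formatted Windows event, and show how
# rsyslog's control-character escaping (TAB -> "#011") changes the result.
import re

# Constructed Snare record modelled on the sample in the thread. On the wire
# the fields are TAB-separated; the archive view has collapsed the tabs.
SNARE_MSG = (
    "MSWinEventLog\t0\tSecurity\t491\tFri Nov 30 02:41:44 2012\t4689\t"
    "Microsoft-Windows-Security-Auditing\tPH\\CX-CDOWKSMIS003$\tN/A\t"
    "Success Audit"
)


def snare_field(msg: str, n: int, delimiter: str = "\t") -> str:
    """Return 1-based field n of msg, like rsyslog's ``property:F:n``
    (default delimiter TAB). A missing field yields '' instead of raising,
    so a malformed record never breaks the pipeline."""
    parts = msg.split(delimiter)
    return parts[n - 1] if 1 <= n <= len(parts) else ""


def unescape_control_chars(msg: str) -> str:
    """Reverse rsyslog's $EscapeControlCharactersOnReceive encoding, which
    rewrites each control character as '#' plus its 3-digit octal code
    (TAB becomes '#011')."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), msg)


def security_field(msg: str) -> str:
    """Extract field 3 (the event log name) whether or not the receiving
    rsyslog escaped the tabs before this code saw the message."""
    if "#011" in msg and "\t" not in msg:
        msg = unescape_control_chars(msg)
    return snare_field(msg, 3)


if __name__ == "__main__":
    print(security_field(SNARE_MSG))                          # Security
    print(security_field(SNARE_MSG.replace("\t", "#011")))    # Security
```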

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread jdguingao
Will it still force escape even if I use this directive $EscapeControlCharactersOnReceive off?

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread David Lang
I've run into problems with the version not exactly matching everything else. In theory it will work, but I don't know where the landmines are. The pmsnare module only works on the first couple of fields of the message (timestamp, hostname, and possibly the MSWinEventLog string); everything els

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread jdguingao
Thanks for the help, David and Dan. What I am thinking now is to use the pmsnare module to test if I can extract that field, but my installation of rsyslog does not have it. I use the RPM that the rsyslog team provided on their website. Is there any way to upload a module to my existing rsyslog instal

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread Woodruff, Dan
.@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang Sent: Thursday, November 29, 2012 4:11 PM To: rsyslog-users Subject: Re: [rsyslog] Please help with Snare Format On Thu, 29 Nov 2012, jdguingao wrote: > I will enclose in curly braces the message that I want to extrac

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread David Lang
On Thu, 29 Nov 2012, jdguingao wrote: > I will enclose in curly braces the message that I want to extract 2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog 0 {Security}491 Fri Nov 30 02:41:44 20124689 Microsoft-Windows-Security-Auditing PH\CX-CDOWKSMI

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread jdguingao
I will enclose in curly braces the message that I want to extract 2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog 0 {Security}491 Fri Nov 30 02:41:44 20124689 Microsoft-Windows-Security-Auditing PH\CX-CDOWKSMIS003$ N/A Success Audit

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread David Lang
On Thu, 29 Nov 2012, jdguingao wrote: > I want to mimic the standard Event log data that I can see in PhpLogcon. I have borrowed a template from a user in the rsyslog forum. Here is the link kb.monitorware.com/post20457.html#p20457 and I want to ext

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread jdguingao
I want to mimic the standard Event log data that I can see in PhpLogcon. I have borrowed a template from a user in the rsyslog forum. Here is the link kb.monitorware.com/post20457.html#p20457 and I want to extract this field 2012-11-30T02:41:46+08

Re: [rsyslog] Please help with Snare Format

2012-11-29 Thread David Lang
Which fields are you wanting extracted? Lots of them could be considered 'security fields'. David Lang On Thu, 29 Nov 2012, jdguingao wrote: Date: Thu, 29 Nov 2012 10:52:53 -0800 (PST) From: jdguingao Reply-To: rsyslog-users To: rsyslog@lists.adiscon.com Subject: [rsyslog] Please

[rsyslog] Please help with Snare Format

2012-11-29 Thread jdguingao
Hi All, please help me with how to extract the security fields in this message using regex or any other method. Here is a sample log from Snare: 2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog 0 Security491 Fri Nov 30 02:41:44 20124689 Microsoft-Win