<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m having problems getting Windows events on a single line on syslog-ng OSE. I’ve scoured the interwebs and not found what I need to get this exact. I am guessing this is not an uncommon problem but I can’t seem to find quite what I need.
I am guessing I am just missing some simple thing here.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here are my details.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Using syslog-ng OSE 3.9.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Have syslog-ng Windows Agent 6.0.6 running on Windows 2012 server<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Have a tcp source and that writes direct to the log file. Works fine with no options set.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Getting multiple lines per event.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve added what I think are the correct settings for multi-line, it does not work. I don’t think it is the regex syntax, but something else?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">___________<o:p></o:p></p>
<p class="MsoNormal">Syslog.ng.conf<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp")<o:p></o:p></p>
<p class="MsoNormal"> multi-line-mode(regexp)<o:p></o:p></p>
<p class="MsoNormal"> multi-line-prefix("^[0-9]{3,5}\s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})")<o:p></o:p></p>
<p class="MsoNormal"> flags(no-parse)); };<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">___________<o:p></o:p></p>
<p class="MsoNormal">Here is the error when trying to start syslog-ng or run syslog-ng –s:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER, expecting KW_NORMALIZE_HOSTNAMES or KW_USE_DNS or KW_USE_FQDN or KW_DNS_CACHE in /etc/syslog-ng/syslog-ng.conf at line 38, column 76:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp") multi-line-mode(regexp) multi-line-prefix("^[0-9]{3,5}\s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})")
flags(no-parse)); };<o:p></o:p></p>
<p class="MsoNormal"> ^^^^^^^^^^^^^^^<o:p></o:p></p>
<p class="MsoNormal">___________<o:p></o:p></p>
<p class="MsoNormal">Sample of the event log part I am matching regex on:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jul 10 12:11:19 x.x.x.x 912 <133>1 2017-07-10T12:11:18-05:00 computername Microsoft_Windows_security_auditing. 6260 - [win@18372.4 EVENT_CATEGORY="Logoff" EVENT_FACILITY="16" EVENT_ID="4634" EVENT_LEVEL="0" EVENT_NAME="Security" EVENT_REC_NUM="573516592"
EVENT_SID="N/A" EVENT_SOURCE="Microsoft Windows security auditing." EVENT_TASK="Logoff" EVENT_TYPE="Success Audit" EVENT_USERNAME="domain\\userid"][meta sequenceId="10817278" sysUpTime="-198876"] domain\userid: Security Microsoft Windows security auditing.:
[Success Audit] An account was logged off.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>