<div dir="ltr">Hi,<div><br></div><div>Actually the network() driver you have configured uses the RFC3164 protocol which uses single line for each messages.</div><div>Using the syslog() driver with the IETF syslog protocol on both sender and receiver side, it is possible to accept windows multiline logs and you don't have to configure multiline-* options at all.</div><div><br></div><div>Regards,</div><div>Gergely</div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 13, 2017 at 4:23 PM Smith, Paul (Sr. Admin-InfoSec) <<a href="mailto:Paul.C.Smith@snapon.com">Paul.C.Smith@snapon.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Nagy,<br>
<br>
Thanks for checking that. That was probably one of the reasons it did not work. That is too bad since Windows servers using the syslog-ng agent are the source. I would have thought that would be working since bot products are from Balabit. Windows logs also send a lot of garbage with Information lines that it would also be good to remove since that is just going to fill up the log files with junk. I am getting 8-10 gigs per day from a single Windows Domain Controller and I need to add in about 25 more. The log file would be immense.<br>
<br>
I tested out using the syslog driver and was poking around with the multi-line-prefix and multi-line-garbage and they don't give any syntax errors, as long as I don't use the multi-line-mode option. Does syslog-ng ignore these options if the multi-line-mode option is not specified? Basically, do all the multi-line-xxx options not work like this?<br>
<br>
It seems like the only option that works for syslog or network is the flags(no-multi-line) flag.<br>
<br>
Is that the case?<br>
<br>
Are there any other alternatives? I would hate to write the syslogs to a file and then parse that file again to get the logs I want. That is double work for the server. But that seems like that might be the only option I have.<br>
<br>
Hmmm...maybe I can log to a VM syslog-ng and have that one parse the data first using the file driver and then I can relay to my main systems.<br>
<br>
Paul C Smith<br>
<br>
<br>
-----Original Message-----<br>
From: syslog-ng [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>] On Behalf Of <a href="mailto:syslog-ng-request@lists.balabit.hu" target="_blank">syslog-ng-request@lists.balabit.hu</a><br>
Sent: Thursday, July 13, 2017 7:00 AM<br>
To: <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a><br>
Subject: syslog-ng Digest, Vol 147, Issue 14<br>
<br>
Send syslog-ng mailing list submissions to<br>
<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:syslog-ng-request@lists.balabit.hu" target="_blank">syslog-ng-request@lists.balabit.hu</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:syslog-ng-owner@lists.balabit.hu" target="_blank">syslog-ng-owner@lists.balabit.hu</a><br>
<br>
When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Windows Events multi-line (Nagy)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 13 Jul 2017 10:50:03 +0200<br>
From: Nagy, Gábor <<a href="mailto:gabor.nagy@balabit.com" target="_blank">gabor.nagy@balabit.com</a>><br>
To: "Syslog-ng users' and developers' mailing list"<br>
<<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
Subject: Re: [syslog-ng] Windows Events multi-line<br>
Message-ID:<br>
<<a href="mailto:CAETAYnCft3KAyWF_5pB3g4%2Bjodrn6%2BSpXTYJqqyfnFoUFzzaEw@mail.gmail.com" target="_blank">CAETAYnCft3KAyWF_5pB3g4+jodrn6+SpXTYJqqyfnFoUFzzaEw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hello,<br>
<br>
Checking your configuration I see that you are using multi-line mode for a network source driver.<br>
Unfortunately, currently this is not supported, only the file() and pipe() source drivers support multi-line messages.<br>
<br>
I have checked the documentation and found that although it is mentioned which source drivers support multi-line mode (under flags option "no-multi-line"), the multi-line-* options are included in the network source driver options page.<br>
This is a documentation bug, which will be fixed soon. Sorry for the inconveniences.<br>
<br>
Best Regards,<br>
Gabor<br>
<br>
On Mon, Jul 10, 2017 at 8:15 PM, Smith, Paul (Sr. Admin-InfoSec) < <a href="mailto:Paul.C.Smith@snapon.com" target="_blank">Paul.C.Smith@snapon.com</a>> wrote:<br>
<br>
> Hello,<br>
><br>
><br>
><br>
> I’m having problems getting Windows events on a single line on<br>
> syslog-ng OSE. I’ve scoured the interwebs and not found what I need to<br>
> get this exact. I am guessing this is not an uncommon problem but I<br>
> can’t seem to find quite what I need. I am guessing I am just missing<br>
> some simple thing here.<br>
><br>
><br>
><br>
> Here are my details.<br>
><br>
><br>
><br>
> Using syslog-ng OSE 3.9.1<br>
><br>
><br>
><br>
> Have syslog-ng Windows Agent 6.0.6 running on Windows 2012 server<br>
><br>
><br>
><br>
> Have a tcp source and that writes direct to the log file. Works fine<br>
> with no options set.<br>
><br>
><br>
><br>
> Getting multiple lines per event.<br>
><br>
><br>
><br>
> I’ve added what I think are the correct settings for multi-line, it<br>
> does not work. I don’t think it is the regex syntax, but something else?<br>
><br>
><br>
><br>
> ___________<br>
><br>
> Syslog.ng.conf<br>
><br>
><br>
><br>
> source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp")<br>
><br>
> multi-line-mode(regexp)<br>
><br>
> multi-line-prefix("^[0-9]{3,5}<br>
> \s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][<br>
> 0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})")<br>
><br>
> flags(no-parse)); };<br>
><br>
><br>
><br>
> ___________<br>
><br>
> Here is the error when trying to start syslog-ng or run syslog-ng –s:<br>
><br>
><br>
><br>
> Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER,<br>
> expecting KW_NORMALIZE_HOSTNAMES or KW_USE_DNS or KW_USE_FQDN or<br>
> KW_DNS_CACHE in /etc/syslog-ng/syslog-ng.conf at line 38, column 76:<br>
><br>
><br>
><br>
> source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp")<br>
> multi-line-mode(regexp) multi-line-prefix("^[0-9]{3,5}<br>
> \s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][<br>
> 0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})")<br>
> flags(no-parse)); };<br>
><br>
><br>
> ^^^^^^^^^^^^^^^<br>
><br>
> ___________<br>
><br>
> Sample of the event log part I am matching regex on:<br>
><br>
><br>
><br>
> Jul 10 12:11:19 x.x.x.x 912 <133>1 2017-07-10T12:11:18-05:00<br>
> computername Microsoft_Windows_security_auditing. 6260 - [win@18372.4<br>
> EVENT_CATEGORY="Logoff" EVENT_FACILITY="16" EVENT_ID="4634" EVENT_LEVEL="0"<br>
> EVENT_NAME="Security" EVENT_REC_NUM="573516592" EVENT_SID="N/A"<br>
> EVENT_SOURCE="Microsoft Windows security auditing." EVENT_TASK="Logoff"<br>
> EVENT_TYPE="Success Audit" EVENT_USERNAME="domain\\userid"][meta<br>
> sequenceId="10817278" sysUpTime="-198876"] domain\userid: Security<br>
> Microsoft Windows security auditing.: [Success Audit] An account was<br>
> logged off.<br>
><br>
><br>
><br>
> ____________________________________________________________<br>
> __________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/</a>?<br>
> product=syslog-ng<br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170713/826dd963/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170713/826dd963/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
syslog-ng maillist - <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a> <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
<br>
<br>
------------------------------<br>
<br>
End of syslog-ng Digest, Vol 147, Issue 14<br>
******************************************<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div></div><div dir="ltr">-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><p class="gmail_msg" style="color:rgb(103,103,103);font-family:arial"><span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"><span style="background-color:rgba(251,246,167,0.498)"><b>Gergely Bodnar</b></span> </span>| syslog-ng Product Owner<br><a href="mailto:gergely.bodnar@balabit.com">gergely.bodnar@balabit.com</a><br>follow Balabit on:<span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span><a href="http://go.balabit.com/F9ZZ500bh0U013LX000VAE5" class="gmail_msg" target="_blank" style="color:rgb(41,129,196)">web</a><span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span>|<span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span><a href="http://go.balabit.com/VZZi000AL90V300U55X1cE0" class="gmail_msg" target="_blank" style="color:rgb(41,129,196)">blog</a><span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span>|<span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span><a href="http://go.balabit.com/CZ100j0d50LU0EAZ3X09V05" class="gmail_msg" target="_blank" style="color:rgb(41,129,196)">linkedin</a>|<span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span><a href="http://go.balabit.com/I090eUZ0551kEA3X0L0ZV00" class="gmail_msg" target="_blank" style="color:rgb(41,129,196)">facebook</a><span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span>|<span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span><a href="http://go.balabit.com/c0503X1U05EZ09AVl0ZfL00" class="gmail_msg" target="_blank" style="color:rgb(41,129,196)">twitter</a></p><div id="inbox-inbox-inbox-inbox-inbox-inbox-m_5614423292800000536bot" class="gmail_msg" style="color:rgb(103,103,103);font-family:arial;border-top:1px solid rgb(204,204,204);clear:both;line-height:18px;font-size:12px"><img alt="" class="gmail_msg" style="margin: 10px 0px 15px;" src="https://pages.balabit.com/rs/855-UZV-853/images/tesztlogo3.png"><p class="gmail_msg"><b class="gmail_msg">© BalaBit Corp.</b><span class="inbox-inbox-inbox-inbox-inbox-inbox-Apple-converted-space"> </span>Weiser Mazars 135 West 50th Street New York, NY 10020 USA</p></div></div></div>