<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Hi Allen,</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Maybe just I don't get it entirely, but I guess your issue is that $LOCATION $RULE nv-pairs are empty, because Wazuh log messages are not parsed correctly, right?</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

We can usually solve custom parsing issues with SCLs, which are built up by common filters/parsers according to the custom message format.</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Some examples of these </div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<ul>

<li>netskope parser, websense-parser, checkpoint-parser</li></ul>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

(you can find these in syslog-ng's install directory, in "<install_prefix>/share/syslog-ng/include/scl")</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Some documentation about creating your on SCL:<br>

<a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/15#TOPIC-1209122" id="LPlnk386403">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/15#TOPIC-1209122</a><br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

If you can share an example log iof Wazuh, we can help how you should parse it.</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

As far as I see, it can log in "plain" and "JSON" formats, the latter sounds easy as well, as syslog-ng does have a json-parser.</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<a href="https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/logging.html" id="LPNoLP341220">https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/logging.html</a><br>

</div>

<br>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Regards,</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Gabor</div>

<div id="appendonsend"></div>

<hr style="display:inline-block;width:98%" tabindex="-1">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Allen Olivas <allen.olivas@infodefense.com><br>

<b>Sent:</b> Thursday, August 1, 2019 23:35<br>

<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>

<b>Subject:</b> [syslog-ng] Parse message fields for use as columns in MySQL</font>

<div> </div>

</div>

<style>

<!--

@font-face

        {font-family:"Cambria Math"}

@font-face

        {font-family:Calibri}

p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:11.0pt;

        font-family:"Calibri",sans-serif}

a:link, span.x_MsoHyperlink

        {color:#0563C1;

        text-decoration:underline}

a:visited, span.x_MsoHyperlinkFollowed

        {color:#954F72;

        text-decoration:underline}

span.x_EmailStyle17

        {font-family:"Calibri",sans-serif;

        color:windowtext}

.x_MsoChpDefault

        {font-family:"Calibri",sans-serif}

@page WordSection1

        {margin:1.0in 1.0in 1.0in 1.0in}

div.x_WordSection1

        {}

-->

</style>

<div lang="EN-US" link="#0563C1" vlink="#954F72">

<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">

<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>

<br>

<div>

<div class="x_WordSection1">

<p class="x_MsoNormal">Hello, </p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal">I’m really scratching my head trying to make this work and thought maybe the community has experienced this before. I’m collecting logs from Wazuh and Syslog-NG. Those logs are sent from my Wazuh server with Sylog-NG configured to send

 to my MySQL server. The Syslog-ng.conf file on the MySQL server is configured with a destination to mysql.

</p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal">In the declared the destination and list out columns and values.

</p>

<p class="x_MsoNormal"># MySQL define destination</p>

<p class="x_MsoNormal">destination d_mysql {</p>

<p class="x_MsoNormal">sql(</p>

<p class="x_MsoNormal">type(mysql)</p>

<p class="x_MsoNormal">username("syslog")</p>

<p class="x_MsoNormal">password("xxxxxxx")</p>

<p class="x_MsoNormal">database("syslog")</p>

<p class="x_MsoNormal">host("127.0.0.1")</p>

<p class="x_MsoNormal">table("logs")</p>

<p class="x_MsoNormal">columns("host", "id", "location", "facility", "rule", "priority", "level", "tag", "datetime", "program", "msg")</p>

<p class="x_MsoNormal">values("$HOST", "$ID", "$LOCATION","$FACILITY", "$RULE", "$PRIORITY", "$LEVEL", "$TAG","$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC","$PROGRAM", "$MSG")</p>

<p class="x_MsoNormal">indexes("datetime", "host", "id", "location", "rule")</p>

<p class="x_MsoNormal">);</p>

<p class="x_MsoNormal">};</p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal">So here’s the problem. The Message data contains information like Rule and Location that really equate to the Wazuh Rule and Location = the Wazuh Agent that’s reporting it. I had hoped “location” column would populate with the Location

 date from the message. Same with Rule. </p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal">SO my question to the community is how on earth do I parse the data in the message field to populate columns (existing or new)? Any thoughts, guidance, recommendations are greatly appreciated.

</p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal"><span style="font-size:10.0pt; font-family:"Arial",sans-serif; color:black">Thanks,</span></p>

<p class="x_MsoNormal"><span style="font-size:10.0pt; font-family:"Arial",sans-serif; color:black"><br>

</span><span style="font-size:12.0pt; font-family:"Arial",sans-serif; color:black">Allen Olivas</span><span style="font-size:10.0pt; font-family:"Arial",sans-serif; color:black"><br>

</span><b><i><span style="font-size:18.0pt; font-family:"Arial",sans-serif; color:#3A67B8">Info</span></i></b><b><i><span style="font-size:18.0pt; font-family:"Arial",sans-serif; color:#5F5F5F">Defense</span></i></b><span style="font-size:10.0pt; font-family:"Arial",sans-serif; color:black"><br>

Office: (972) 848-7910<br>

Email: allen.olivas@infodefense.com<br>

Toll Free: (877) INFODEFENSE<br>

</span><a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fl.shatrk.com%2Fr%2Fe%2FDblvLSPvKY2IxMPE%3Fr%3Dhttps%3A%2F%2Fapp.salesforceiq.com%2Fr%3Ftarget%3D5c77291cc9e77c007aa6cb3e%26t%3DAFwhZf0O7sC6c6N-x691ne-Q9q_27TNhu1ayis_kAJ00Z7HL-lH9bPLytoPohWYrCc5EpGO_mM--1dDX-GDgklCQ_2ZINq3F1wwLoCnz9aRhfWm9RG1fC4RVQcHYR5hMwHruEmd00J_U%26url%3Dhttp%3A%2F%2Fwww.infodefense.com%2F&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C06aa5cd3ebd14695670808d716c83cdb%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637002921605460940&sdata=3VdqqIxIp9Ls2xz8odH%2B%2FD6iHutUZ%2FzkmZ81mLN9Vxc%3D&reserved=0" originalsrc="https://l.shatrk.com/r/e/DblvLSPvKY2IxMPE?r=https://app.salesforceiq.com/r?target=5c77291cc9e77c007aa6cb3e&t=AFwhZf0O7sC6c6N-x691ne-Q9q_27TNhu1ayis_kAJ00Z7HL-lH9bPLytoPohWYrCc5EpGO_mM--1dDX-GDgklCQ_2ZINq3F1wwLoCnz9aRhfWm9RG1fC4RVQcHYR5hMwHruEmd00J_U&url=http://www.infodefense.com/" shash="wXq+azgdGm8qiJ55aDKfHhM3uwe9CFUf4agVT5ppUqNR2cqFMyAIdfn2fAFY8G5BL01/NPekAju2Dzj++/PRm8Xv4nruo5mkf7BR9sIgxri9In2pVOx82Wq514f6Fe8LPFnsMR7zIlTcVY8M9WPkMvFTiHG7wks9R/PWIjyl8Zg=" title="http://www.infodefense.com/"><span style="font-size:10.0pt; font-family:"Arial",sans-serif; color:blue">www.infodefense.com</span></a><span style="font-size:13.5pt; font-family:"Times New Roman",serif; color:black"><br>

<br>

</span><span style="font-size:10.0pt; font-family:"Arial",sans-serif; color:black"></span></p>

<p class="x_MsoNormal"> </p>

</div>

</div>

</div>

</body>

</html>