No, it definitely doesn't use the Snare format. I wish it did, as we have Snare deployed in some places already. I suppose changing the output of the message would be an easy thing to add from the code side. The reason we've opted to change from Snare to this is because Snare actually changes group policy objects (GPO) when it is installed, and in deploying it to thousands of servers, we ran into issues with the automated install. It's also a much heavier weight program than we'd like with its web console, etc. I could see about contacting the project lead to see if they would consider adding an option to Eventlog-to-Syslog for Snare-compatible output format. On Sat, Jul 31, 2010 at 9:00 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
Hi,
Does this use a Snare-compatible message format? Since Snare is the most widespread syslog agent for Windows and most SIEM devices understand that (and are quite picky about it), my preference is to push Windows patterns to use that format as well because of the SIEM factor.
What do others think?
On Wed, 2010-07-28 at 15:09 -0500, Martin Holste wrote:
I've recently started using the great util Eventlog-to-Syslog (http://code.google.com/p/eventlog-to-syslog/) and needed a parser. This pattern should do the job. A word of warning, I opted to go with no program match because I didn't want to write a pattern per event log source, so it's possible this would hit on other log sources. However, in testing, the pattern seems to work well and I haven't gotten any "false" matches. I also gave up trying to parse out the user name as the second param because it isn't always included and the semicolon used as a delimiter regularly shows up naturally in messages. One could write per-event-id message parsers which grabbed all kinds of fields, but this should get the ball rolling to at least grab the event id.
<ruleset name="Windows" id='4'>
  <!-- no program pattern -->
  <rules>
    <rule provider="local" class='Windows' id='4'>
      <patterns>
        <pattern>@NUMBER:event_id:@: @ANYSTRING:msg:@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="Service_Control_Manager">7035: NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
          <test_values>
            <test_value name="event_id">7035</test_value>
            <test_value name="msg">NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_value>
          </test_values>
        </example>
        <example>
          <test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
          <!-- test_value elements belong inside a test_values wrapper, as in the first example -->
          <test_values>
            <test_value name="event_id">1202</test_value>
            <test_value name="msg">Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_value>
          </test_values>
        </example>
      </examples>
      <tags>
        <tag>Windows</tag>
      </tags>
    </rule>
  </rules>
</ruleset>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- Bazsi
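The following is an added example, not code from the thread, from Eventlog-to-Syslog or from syslog-ng: it emulates the posted pattern `@NUMBER:event_id:@: @ANYSTRING:msg:@` in Python so the two test messages from the ruleset, and the "false match" risk Martin mentions when no program pattern is used, can be checked offline. It assumes `@NUMBER@` can be approximated by a run of decimal digits (syslog-ng's parser also accepts 0x-prefixed hex, which is left out), and the program allowlist it adds is a hypothetical mitigation, not something the posted rule does. The sample lines other than the two from the ruleset are constructed.

```python
import re
from typing import Optional

# Regex equivalent of the patterndb pattern posted in the thread:
#   @NUMBER:event_id:@: @ANYSTRING:msg:@
# Assumption: @NUMBER@ is approximated as a run of decimal digits (syslog-ng
# also accepts 0x-prefixed hex there); @ANYSTRING@ takes the rest of the
# message, including embedded newlines, hence re.DOTALL.
EVENTLOG_RE = re.compile(r"^(?P<event_id>\d+): (?P<msg>.*)$", re.DOTALL)

# Constructed samples as (program, message) pairs: the two test messages from
# the posted ruleset, one ordinary Unix line, and one hypothetical non-Windows
# line that happens to start with "<digits>: ".
SAMPLES = [
    ("Service_Control_Manager",
     "7035: NT AUTHORITY\\SYSTEM: The COH_Mon service was successfully "
     "sent a start control."),
    ("SceCli",
     "1202: Security policies were propagated with warning. 0x4b8 : An "
     "extended error has occurred. For best results in resolving this "
     "event, log on with a non-administrative account and search "
     "http://support.microsoft.com for \"Troubleshooting Event 1202's\"."),
    ("sshd", "Accepted publickey for alice from 192.0.2.10 port 51514 ssh2"),
    ("myapp", "42: job finished"),   # constructed; not from Eventlog-to-Syslog
]


def parse_eventlog(message: str) -> Optional[dict]:
    """Return {'event_id': int, 'msg': str}, or None when the pattern does not match."""
    m = EVENTLOG_RE.match(message)
    if m is None:
        return None
    return {"event_id": int(m.group("event_id")), "msg": m.group("msg")}


def classify(program: str, message: str, windows_programs=None) -> Optional[str]:
    """Emulate the rule's class assignment.

    With windows_programs=None this behaves like the posted ruleset (no program
    pattern): any message shaped "<digits>: ..." is classed 'Windows'. Passing a
    set of program names adds the program match the post chose to omit, which
    is what stops look-alike messages from other sources matching.
    """
    if windows_programs is not None and program not in windows_programs:
        return None
    return "Windows" if parse_eventlog(message) is not None else None


def run(samples, windows_programs=None):
    """Classify each sample; returns a list of (program, class, event_id)."""
    out = []
    for program, message in samples:
        cls = classify(program, message, windows_programs)
        fields = parse_eventlog(message) if cls else None
        out.append((program, cls, fields["event_id"] if fields else None))
    return out


if __name__ == "__main__":
    print("no program pattern (as posted):")
    for row in run(SAMPLES):
        print("  ", row)
    print("with a hypothetical program allowlist:")
    for row in run(SAMPLES, {"Service_Control_Manager", "SceCli"}):
        print("  ", row)
```

Run without an allowlist, the constructed `myapp` line is classed as Windows with event_id 42, which is exactly the cross-source hit the post warns about; with the allowlist it falls through. Against a real syslog-ng install the authoritative check is `pdbtool test` on the ruleset file, which exercises the `<examples>` blocks in the XML rather than this emulation.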