Windows Events multi-line
Hello,
I'm having problems getting Windows events on a single line on syslog-ng OSE. I've scoured the interwebs and not found what I need to get this exactly right. I am guessing this is not an uncommon problem, but I can't seem to find quite what I need. I am guessing I am just missing some simple thing here.
Here are my details.
Using syslog-ng OSE 3.9.1
Have syslog-ng Windows Agent 6.0.6 running on Windows 2012 server
Have a tcp source that writes directly to the log file. Works fine with no options set.
Getting multiple lines per event.
I've added what I think are the correct settings for multi-line, but it does not work. I don't think it is the regex syntax, but something else?
___________
syslog-ng.conf
source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp")
multi-line-mode(regexp)
multi-line-prefix("^[0-9]{3,5}\s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})")
flags(no-parse)); };
___________
Here is the error when trying to start syslog-ng or run syslog-ng -s:
Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER, expecting KW_NORMALIZE_HOSTNAMES or KW_USE_DNS or KW_USE_FQDN or KW_DNS_CACHE in /etc/syslog-ng/syslog-ng.conf at line 38, column 76:
source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp") multi-line-mode(regexp) multi-line-prefix("^[0-9]{3,5}\s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})") flags(no-parse)); };
^^^^^^^^^^^^^^^
___________
Sample of the event log part I am matching regex on:
Jul 10 12:11:19 x.x.x.x 912 <133>1 2017-07-10T12:11:18-05:00 computername Microsoft_Windows_security_auditing. 6260 - [win@18372.4 EVENT_CATEGORY="Logoff" EVENT_FACILITY="16" EVENT_ID="4634" EVENT_LEVEL="0" EVENT_NAME="Security" EVENT_REC_NUM="573516592" EVENT_SID="N/A" EVENT_SOURCE="Microsoft Windows security auditing." EVENT_TASK="Logoff" EVENT_TYPE="Success Audit" EVENT_USERNAME="domain\\userid"][meta sequenceId="10817278" sysUpTime="-198876"] domain\userid: Security Microsoft Windows security auditing.: [Success Audit] An account was logged off.
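In the sample event above, the `912` in front of `<133>1` reads like an RFC 6587 octet-count prefix (an assumption here; the thread does not say how the agent frames messages), and a reader that splits the TCP stream on newlines will cut an event wherever its body contains one, which is one way to end up with several lines per event. The Python below is an added example, not code from the thread or from syslog-ng, that contrasts newline splitting with octet-count framing on constructed sample frames, including a frame that has only partially arrived.

```python
import re

# Constructed sample messages (not from the thread): RFC 5424 events as the
# Windows agent might send them. The first body contains embedded newlines,
# which is what a newline-splitting reader turns into several "lines".
SAMPLE_EVENTS = [
    '<133>1 2017-07-10T12:11:18-05:00 computername '
    'Microsoft_Windows_security_auditing. 6260 - '
    '[win@18372.4 EVENT_ID="4634" EVENT_TASK="Logoff"] An account was logged off.\n'
    'Subject:\n\tSecurity ID:\t\tS-1-5-21-EXAMPLE',
    '<133>1 2017-07-10T12:11:19-05:00 computername '
    'Microsoft_Windows_security_auditing. 6261 - '
    '[win@18372.4 EVENT_ID="4624"] An account was successfully logged on.',
]

def frame(msg: str) -> bytes:
    """RFC 6587 octet-count framing: decimal byte length, a space, the message."""
    data = msg.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data

def split_on_newlines(stream: bytes) -> list[str]:
    """What a line-oriented reader does: one record per newline, framing ignored."""
    return stream.decode("utf-8").split("\n")

_LEN_RE = re.compile(rb"^(\d{1,5}) ")

def parse_octet_counted(stream: bytes) -> tuple[list[str], bytes]:
    """Extract every complete frame; return (messages, leftover bytes).

    Leftover is a frame that has not fully arrived; prepend it to the next read.
    """
    msgs: list[str] = []
    buf = stream
    while True:
        m = _LEN_RE.match(buf)
        if not m:
            break  # no complete length prefix at the buffer head
        n, start = int(m.group(1)), m.end()
        if len(buf) - start < n:
            break  # partial frame: wait for more bytes
        msgs.append(buf[start:start + n].decode("utf-8"))
        buf = buf[start + n:]
    return msgs, buf

if __name__ == "__main__":
    wire = b"".join(frame(e) for e in SAMPLE_EVENTS)
    print(len(split_on_newlines(wire)), "records by newline splitting")
    print(len(parse_octet_counted(wire)[0]), "messages by octet counting")
```

In syslog-ng terms, the `syslog()` source driver expects this octet-counted framing over TCP, whereas `network()` with `transport("tcp")` splits on newlines; whether the Windows Agent actually sends octet-counted frames is not stated in the thread.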
Hello,
Checking your configuration, I see that you are using multi-line mode for a network source driver. Unfortunately, this is currently not supported; only the file() and pipe() source drivers support multi-line messages.
I have checked the documentation and found that although it is mentioned which source drivers support multi-line mode (under the flags option "no-multi-line"), the multi-line-* options are also included in the network source driver options page. This is a documentation bug, which will be fixed soon. Sorry for the inconvenience.
Best Regards,
Gabor
On Mon, Jul 10, 2017 at 8:15 PM, Smith, Paul (Sr. Admin-InfoSec) <Paul.C.Smith@snapon.com> wrote: