[syslog-ng] Pattern for Eventlog-to-Syslog

Balazs Scheidler bazsi at balabit.hu
Sat Jul 31 16:00:09 CEST 2010


Hi,

Does this use a Snare-compatible message format? Snare is the most
widespread syslog agent for Windows, and most SIEM devices understand
that format (and are quite picky about it). My preference is to push Windows
patterns to use that format as well because of the SIEM factor.

What do others think?

On Wed, 2010-07-28 at 15:09 -0500, Martin Holste wrote:
> I've recently started using the great util Eventlog-to-Syslog
> (http://code.google.com/p/eventlog-to-syslog/) and needed a parser.
> This pattern should do the job.  A word of warning, I opted to go with
> no program match because I didn't want to write a pattern per event
> log source, so it's possible this would hit on other log sources.
> However, in testing, the pattern seems to work well and I haven't
> gotten any "false" matches.  I also gave up trying to parse out the
> user name as the second param because it isn't always included and the
> semicolon used as a delimiter regularly shows up naturally in
> messages.  One could write per-event-id message parsers which grabbed
> all kinds of fields, but this should get the ball rolling to at least
> grab the event id.
> 
> <ruleset name="Windows" id='4'>
> 	<!-- no program pattern: the ruleset is tried against every message, regardless of program -->
> 	<rules>
> 		<rule provider="local" class='Windows' id='4'>
> 			<patterns>
> 				<!-- "<event id>: <rest of message>" as emitted by Eventlog-to-Syslog -->
> 				<pattern>@NUMBER:event_id:@: @ANYSTRING:msg:@</pattern>
> 			</patterns>
> 			<examples>
> 				<example>
> 					<test_message program="Service_Control_Manager">7035: NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
> 					<test_values>
> 						<test_value name="event_id">7035</test_value>
> 						<test_value name="msg">NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_value>
> 					</test_values>
> 				</example>
> 				<example>
> 					<test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
> 					<test_values>
> 						<test_value name="event_id">1202</test_value>
> 						<test_value name="msg">Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_value>
> 					</test_values>
> 				</example>
> 			</examples>
> 			<tags>
> 				<tag>Windows</tag>
> 			</tags>
> 		</rule>
> 	</rules>
> </ruleset>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html

-- 
Bazsi
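As an added illustration, not part of either post and not syslog-ng's own matcher, the following Python approximates the two patterndb parsers the quoted ruleset uses (@NUMBER and @ANYSTRING), runs them over the post's two test messages, and then shows the two caveats Martin raised: a ruleset with no program pattern also fires on a constructed non-Windows line that happens to start with a number, and splitting the remainder on the first ": " to recover a user name gives a wrong answer as soon as the user field is absent. The regex equivalents for the parsers are an assumption (syslog-ng's real @NUMBER, for instance, also accepts hex), and all sample lines are constructed.

```python
import re

# Approximate regex equivalents of the two patterndb parsers used in the
# ruleset. ASSUMPTION: this is a simplification of syslog-ng's own matcher,
# good enough to show how the rule behaves on the sample messages.
PARSERS = {
    "NUMBER": r"\d+",
    "ANYSTRING": r".*",
}


def compile_pattern(pattern):
    """Turn a patterndb pattern like '@NUMBER:event_id:@: @ANYSTRING:msg:@'
    into an anchored regex whose named groups carry the parser names."""
    regex = ""
    pos = 0
    for m in re.finditer(r"@([A-Z]+):([A-Za-z_][A-Za-z0-9_]*):@", pattern):
        regex += re.escape(pattern[pos:m.start()])   # literal text between parsers
        parser, name = m.group(1), m.group(2)
        regex += "(?P<%s>%s)" % (name, PARSERS[parser])
        pos = m.end()
    regex += re.escape(pattern[pos:])
    return re.compile("^" + regex + "$", re.DOTALL)


# The single pattern from the quoted ruleset.
WINDOWS_PATTERN = compile_pattern("@NUMBER:event_id:@: @ANYSTRING:msg:@")


def parse_event(message):
    """Return the name/value pairs the rule would set, or None if it would not match."""
    m = WINDOWS_PATTERN.match(message)
    return m.groupdict() if m else None


def naive_user_split(msg):
    """The approach the post gave up on: treat everything before the first ': '
    in the remainder as the user name. Wrong whenever the user field is absent."""
    user, sep, rest = msg.partition(": ")
    return (user, rest) if sep else (None, msg)


# Constructed samples: the two test messages from the ruleset, plus a
# non-Windows line that also starts with "<number>: " and so would be tagged
# Windows by a ruleset that has no program pattern.
SAMPLES = {
    "Service_Control_Manager": "7035: NT AUTHORITY\\SYSTEM: The COH_Mon service "
                               "was successfully sent a start control.",
    "SceCli": "1202: Security policies were propagated with warning. 0x4b8 : "
              "An extended error has occurred. For best results in resolving "
              "this event, log on with a non-administrative account and search "
              "http://support.microsoft.com for \"Troubleshooting Event 1202's\".",
    "some-unix-daemon": "503: upstream unavailable, retrying",   # constructed false match
}


def classify_samples():
    """Map each sample program to the fields the rule extracts (None = no match)."""
    return {program: parse_event(msg) for program, msg in SAMPLES.items()}


if __name__ == "__main__":
    for program, fields in classify_samples().items():
        print(program, "->", fields)
        if fields:
            print("   naive user split:", naive_user_split(fields["msg"]))
```

Running it shows the SceCli message parsed with event_id 1202 and no user, the Service_Control_Manager message parsed with "NT AUTHORITY\SYSTEM" recoverable only by the unreliable split, and the constructed unix line tagged exactly like a Windows event. Adding a program pattern per source (or checking the program field in a downstream filter) is the way to close that false-match window if the ruleset is used to drive alerting.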




More information about the syslog-ng mailing list