[syslog-ng] Pattern for Eventlog-to-Syslog

Martin Holste mcholste at gmail.com
Sat Jul 31 16:40:20 CEST 2010


No, it definitely doesn't use the Snare format.  I wish it did, as we
have Snare deployed in some places already.  I suppose changing the
output of the message would be an easy thing to add from the code
side.  The reason we've opted to change from Snare to this is because
Snare actually changes group policy objects (GPO) when it is
installed, and in deploying it to thousands of servers, we ran into
issues with the automated install.  It's also a much heavier weight
program than we'd like with its web console, etc.  I could see about
contacting the project lead to see if they would consider adding an
option to Eventlog-to-Syslog for Snare-compatible output format.

On Sat, Jul 31, 2010 at 9:00 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> Hi,
>
> Does this use a Snare-compatible message format? Since Snare is the most
> widespread syslog Agent for Windows and most SIEM devices understand
> that (and are quite picky about it), my preference is to push Windows
> patterns to use that format as well, because of the SIEM factor.
>
> What do others think?
>
> On Wed, 2010-07-28 at 15:09 -0500, Martin Holste wrote:
>> I've recently started using the great util Eventlog-to-Syslog
>> (http://code.google.com/p/eventlog-to-syslog/) and needed a parser.
>> This pattern should do the job.  A word of warning, I opted to go with
>> no program match because I didn't want to write a pattern per event
>> log source, so it's possible this would hit on other log sources.
>> However, in testing, the pattern seems to work well and I haven't
>> gotten any "false" matches.  I also gave up trying to parse out the
>> user name as the second param because it isn't always included and the
>> semicolon used as a delimiter regularly shows up naturally in
>> messages.  One could write per-event-id message parsers which grabbed
>> all kinds of fields, but this should get the ball rolling to at least
>> grab the event id.
>>
>> <ruleset name="Windows" id='4'>
>>       <!-- no program pattern -->
>>       <rules>
>>               <rule provider="local" class='Windows' id='4'>
>>                       <patterns>
>>                               <pattern>@NUMBER:event_id:@: @ANYSTRING:msg:@</pattern>
>>                       </patterns>
>>                       <examples>
>>                               <example>
>>                                       <test_message program="Service_Control_Manager">7035: NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
>>                                       <test_values>
>>                                               <test_value name="event_id">7035</test_value>
>>                                               <test_value name="msg">NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_value>
>>                                       </test_values>
>>                               </example>
>>                               <example>
>>                                       <test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
>>                                       <test_values>
>>                                               <test_value name="event_id">1202</test_value>
>>                                               <test_value name="msg">Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_value>
>>                                       </test_values>
>>                               </example>
>>                       </examples>
>>                       <tags>
>>                               <tag>Windows</tag>
>>                       </tags>
>>               </rule>
>>       </rules>
>> </ruleset>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>
> --
> Bazsi
>
>
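
The quoted ruleset's pattern, emulated in Python as an added example (not code from the thread or from syslog-ng) so the two test messages and the "no program match" false-positive risk can be checked offline. The account-prefix regex, the abridged second message and the third, non-Windows sample line are my assumptions, not something the thread states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex equivalent of the patterndb pattern from the thread,
# "@NUMBER:event_id:@: @ANYSTRING:msg:@": a decimal event id,
# the literal ": ", then everything else on the line.
E2S_PATTERN = re.compile(r"^(?P<event_id>\d+): (?P<msg>.*)$", re.DOTALL)

# Heuristic for the optional account prefix (my assumption, not part of the
# posted ruleset): "DOMAIN\user: " at the start of msg. It is reported only
# when present, which is why the thread gave up on it as a fixed field.
USER_PREFIX = re.compile(r"^(?P<user>[^\\:]+\\[^:]+): ", re.DOTALL)


def parse_e2s(message: str) -> Optional[Dict[str, str]]:
    """Return {'event_id', 'msg'[, 'user']} for a matching line, else None."""
    m = E2S_PATTERN.match(message)
    if not m:
        return None
    fields = {"event_id": m.group("event_id"), "msg": m.group("msg")}
    u = USER_PREFIX.match(fields["msg"])
    if u:
        fields["user"] = u.group("user")
    return fields


def parse_batch(lines: List[Tuple[str, str]]) -> List[Tuple[str, Optional[Dict[str, str]]]]:
    """Apply the rule to (program, message) pairs with no program filter,
    exactly as the ruleset does, so a non-Windows line that happens to
    start with "<number>: " matches too."""
    return [(program, parse_e2s(message)) for program, message in lines]


# Constructed samples: the thread's two test messages (the second abridged)
# plus one non-Windows line showing the false-match risk of no program pattern.
SAMPLES = [
    ("Service_Control_Manager",
     "7035: NT AUTHORITY\\SYSTEM: The COH_Mon service was successfully sent a start control."),
    ("SceCli",
     "1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred."),
    ("sshd", "514: Accepted publickey for backup from 192.0.2.10"),  # constructed, not Windows
]

if __name__ == "__main__":
    for program, fields in parse_batch(SAMPLES):
        print(program, fields)
```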
