[syslog-ng] Windows Events multi-line

Gergely Bodnár gergely.bodnar at balabit.com
Tue Jul 25 21:37:25 UTC 2017


Hi,

Actually the network() driver you have configured uses the RFC3164 protocol,
which uses a single line for each message.
Using the syslog() driver with the IETF syslog protocol on both sender and
receiver side, it is possible to accept Windows multi-line logs and you
don't have to configure multiline-* options at all.

Regards,
Gergely

On Thu, Jul 13, 2017 at 4:23 PM Smith, Paul (Sr. Admin-InfoSec) <
Paul.C.Smith at snapon.com> wrote:

> Hi Nagy,
>
> Thanks for checking that. That was probably one of the reasons it did not
> work. That is too bad since Windows servers using the syslog-ng agent are
> the source. I would have thought that would be working since both products
> are from Balabit. Windows logs also send a lot of garbage with Information
> lines that it would also be good to remove since that is just going to fill
> up the log files with junk. I am getting 8-10 gigs per day from a single
> Windows Domain Controller and I need to add in about 25 more. The log file
> would be immense.
>
> I tested out using the syslog driver and was poking around with the
> multi-line-prefix and multi-line-garbage and they don't give any syntax
> errors, as long as I don't use the multi-line-mode option. Does syslog-ng
> ignore these options if the multi-line-mode option is not specified?
> Basically, do all the multi-line-xxx options not work like this?
>
> It seems like the only option that works for syslog or network is the
> flags(no-multi-line) flag.
>
> Is that the case?
>
> Are there any other alternatives? I would hate to write the syslogs to a
> file and then parse that file again to get the logs I want. That is double
> work for the server. But that seems like that might be the only option I
> have.
>
> Hmmm...maybe I can log to a VM syslog-ng and have that one parse the data
> first using the file driver and then I can relay to my main systems.
>
> Paul C Smith
>
>
> -----Original Message-----
> From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of
> syslog-ng-request at lists.balabit.hu
> Sent: Thursday, July 13, 2017 7:00 AM
> To: syslog-ng at lists.balabit.hu
> Subject: syslog-ng Digest, Vol 147, Issue 14
>
> Message: 1
> Date: Thu, 13 Jul 2017 10:50:03 +0200
> From: Nagy, Gábor <gabor.nagy at balabit.com>
> To: "Syslog-ng users' and developers' mailing list"
>         <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] Windows Events multi-line
> Message-ID: <CAETAYnCft3KAyWF_5pB3g4+jodrn6+SpXTYJqqyfnFoUFzzaEw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> Checking your configuration I see that you are using multi-line mode for a
> network source driver.
> Unfortunately, currently this is not supported; only the file() and pipe()
> source drivers support multi-line messages.
>
> I have checked the documentation and found that although it is mentioned
> which source drivers support multi-line mode (under flags option
> "no-multi-line"), the multi-line-* options are included in the network
> source driver options page.
> This is a documentation bug, which will be fixed soon. Sorry for the
> inconvenience.
>
> Best Regards,
> Gabor
>
> On Mon, Jul 10, 2017 at 8:15 PM, Smith, Paul (Sr. Admin-InfoSec) <
> Paul.C.Smith at snapon.com> wrote:
>
> > Hello,
> >
> > I’m having problems getting Windows events on a single line on
> > syslog-ng OSE. I’ve scoured the interwebs and not found what I need to
> > get this exact. I am guessing this is not an uncommon problem but I
> > can’t seem to find quite what I need. I am guessing I am just missing
> > some simple thing here.
> >
> > Here are my details.
> >
> > Using syslog-ng OSE 3.9.1
> >
> > Have syslog-ng Windows Agent 6.0.6 running on Windows 2012 server
> >
> > Have a tcp source and that writes direct to the log file. Works fine
> > with no options set.
> >
> > Getting multiple lines per event.
> >
> > I’ve added what I think are the correct settings for multi-line, it
> > does not work. I don’t think it is the regex syntax, but something else?
> >
> > ___________
> >
> > syslog-ng.conf
> >
> > source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp")
> >     multi-line-mode(regexp)
> >     multi-line-prefix("^[0-9]{3,5}\s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})")
> >     flags(no-parse)); };
> >
> > ___________
> >
> > Here is the error when trying to start syslog-ng or run syslog-ng -s:
> >
> > Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER,
> > expecting KW_NORMALIZE_HOSTNAMES or KW_USE_DNS or KW_USE_FQDN or
> > KW_DNS_CACHE in /etc/syslog-ng/syslog-ng.conf at line 38, column 76:
> >
> > source s_nettcp_win { network(ip(x.x.x.x) port(601) transport("tcp") multi-line-mode(regexp) multi-line-prefix("^[0-9]{3,5}\s<[0-9]{2,3}>1\s([0-9]{4})-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])T([0-9]{2}:[0-9]{2}:[0-9]{2}-[0-9]{2}:[0-9]{2})") flags(no-parse)); };
> >
> > ^^^^^^^^^^^^^^^
> >
> > ___________
> >
> > Sample of the event log part I am matching regex on:
> >
> > Jul 10 12:11:19 x.x.x.x 912 <133>1 2017-07-10T12:11:18-05:00 computername Microsoft_Windows_security_auditing. 6260 - [win@18372.4 EVENT_CATEGORY="Logoff" EVENT_FACILITY="16" EVENT_ID="4634" EVENT_LEVEL="0" EVENT_NAME="Security" EVENT_REC_NUM="573516592" EVENT_SID="N/A" EVENT_SOURCE="Microsoft Windows security auditing." EVENT_TASK="Logoff" EVENT_TYPE="Success Audit" EVENT_USERNAME="domain\\userid"][meta sequenceId="10817278" sysUpTime="-198876"] domain\userid: Security Microsoft Windows security auditing.: [Success Audit] An account was logged off.
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
--

*Gergely Bodnar* | syslog-ng Product Owner
gergely.bodnar at balabit.com

*© BalaBit Corp.* Weiser Mazars 135 West 50th Street New York, NY 10020 USA
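Gergely's point, and the cause of Paul's "multiple lines per event", is framing: a network() receiver speaking RFC 3164 over TCP treats every LF in the stream as a record terminator, so a Windows event whose description spans several lines is torn into several records, while the IETF syslog transport carries each RFC 5424 message behind an octet count (RFC 6587 octet counting) and the embedded newlines arrive intact. The script below is an added example, not code from the thread or from syslog-ng; it pushes two constructed messages modelled on the event Paul quoted through both framings, handles a frame that is cut short by a TCP read, and parses the RFC 5424 header and structured data of what comes back. The message texts, SD element and logon details are constructed sample data.

```python
# Added example, not from the thread or from syslog-ng.  Sample data is
# constructed, modelled on the event quoted in the thread.
from __future__ import annotations

import re
from dataclasses import dataclass

# Two RFC 5424 messages; the first has a multi-line MSG part, as Windows
# event descriptions usually do.
MSG_MULTILINE = (
    '<133>1 2017-07-10T12:11:18-05:00 computername '
    'Microsoft_Windows_security_auditing. 6260 - '
    '[win@18372.4 EVENT_ID="4634" EVENT_TASK="Logoff"] '
    'An account was logged off.\nSubject:\n\tLogon ID:\t0x3E7'
)
MSG_SINGLE = (
    '<133>1 2017-07-10T12:11:19-05:00 computername '
    'Microsoft_Windows_security_auditing. 6260 - - '
    'Special privileges assigned to new logon.'
)

def newline_frame(msg: str) -> bytes:
    """RFC 6587 non-transparent framing: message terminated by LF."""
    return msg.encode("utf-8") + b"\n"

def octet_count_frame(msg: str) -> bytes:
    """RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG, length in bytes."""
    body = msg.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body

def split_newline(stream: bytes) -> list[str]:
    """Split on LF: an LF inside MSG is indistinguishable from a terminator."""
    return [p.decode("utf-8") for p in stream.split(b"\n") if p]

def split_octet_counted(stream: bytes) -> tuple[list[str], bytes]:
    """Return complete messages plus the unconsumed tail of a partial frame."""
    msgs: list[str] = []
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            break  # length prefix not complete yet
        prefix = stream[pos:sp]
        if not prefix.isdigit() or len(prefix) > 10:
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        end = sp + 1 + int(prefix)
        if end > len(stream):
            break  # body not complete yet; caller buffers the tail
        msgs.append(stream[sp + 1:end].decode("utf-8"))
        pos = end
    return msgs, stream[pos:]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,  # MSG may span lines
)

@dataclass
class SyslogMsg:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    structured_data: str
    msg: str

def split_structured_data(rest: str) -> tuple[str, str]:
    """Split '-' or '[..][..]' STRUCTURED-DATA from MSG; ']' in a value is escaped as '\\]'."""
    if rest.startswith("-"):
        return "-", rest[1:].lstrip(" ")
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1  # skip the escaped character
        i = j + 1
    return rest[:i], rest[i:].lstrip(" ")

def parse_rfc5424(raw: str) -> SyslogMsg:
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    sd, msg = split_structured_data(m["rest"])
    return SyslogMsg(pri // 8, pri % 8, m["ts"], m["host"], m["app"], sd, msg)

def compare_framings() -> dict:
    """Same two events through both framings: 4 records vs 2 intact messages."""
    nl = newline_frame(MSG_MULTILINE) + newline_frame(MSG_SINGLE)
    oc = octet_count_frame(MSG_MULTILINE) + octet_count_frame(MSG_SINGLE)
    oc_msgs, tail = split_octet_counted(oc)
    return {
        "newline_records": len(split_newline(nl)),
        "octet_records": len(oc_msgs),
        "tail": tail,
        "first_msg": parse_rfc5424(oc_msgs[0]).msg,
    }
```

On the syslog-ng side the receiving source Gergely describes is `source s_win { syslog(ip(x.x.x.x) port(601) transport("tcp")); };` (the address is a placeholder; port 601 is the one Paul's network() source already uses), with the Windows agent set to the IETF syslog protocol. A quick check that both ends agree on framing: a received record should start with `<PRI>1 ` and never with a bare octet count such as `912 <133>1`, which is exactly what Paul's no-parse sample above shows when the count prefix is left in the message body.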