[syslog-ng] Syslog-ng and NetSkope JSON logs

Garcia, Julio (InfoSec) julgarcia at corelogic.com
Thu Dec 20 19:34:18 UTC 2018 

I'm now getting the logs in json format  but it's all under MESSAGE.



Outgoing message; message='{"SOURCE":"s_netskope","PROGRAM":"{\"count\"","MESSAGE":"1, \"supporting_data\": {\"data_values\": [\"Logged out due to inactivity\"], \"data_type\": \"reason\"}, \"organization_unit\": \"XXXXX.XXX/XXXXX/Domain Users/Enterprise Users\", \"severity_level\": 2, \"category\": null, \"timestamp\": 1545331339, \"_insertion_epoch_timestamp\": 1545331340, \"ccl\": \"unknown\", \"user\": \"XXXXX at XXXX.com\", \"audit_log_event\": \"Logout Successful\", \"ur_normalized\": \"XXXXXXX at corelogic.com\", \"_id\": \"c57a37f48db4fa7ca3bef23c\", \"type\": \"admin_audit_logs\", \"appcategory\": null}","LEGACY_MSGHDR":"{\"count\": ","HOST_FROM":"X.X.X.X","HOST":"X.X.X.X"}\x0a'





[cid:image001.png at 01D49857.F13E0FA0]



Thank you,



Julio Garcia

Pro, Information Security Engineer

CoreLogic



Direct (949) 214-1284

Mobile (714) 474-5254

julgarcia at corelogic.com



corelogic.com <http://www.corelogic.com/> |  Blog <http://www.corelogic.com/blog/default.aspx>

LinkedIn <http://www.linkedin.com/company/corelogic>  |  Twitter <http://twitter.com/corelogicinc> |  Facebook <http://www.facebook.com/CoreLogic>  |  Google+ <https://plus.google.com/114618839782139347829>



Our Vision: Deliver unique property-level insights that power the global real estate economy



On 12/20/18, 6:56 AM, "syslog-ng on behalf of Fabien Wernli" <syslog-ng-bounces at lists.balabit.hu on behalf of wernli at in2p3.fr> wrote:



    [External Content] This message is from an external source. Please exercise caution when opening attachments or links.



    Hi Julio,



    If you want to format your logs in JSON, you need to configure the

    destination accordingly. For instance:



        destination d_netskope {

          file(

            "/data/log/syslog/netskope/$HOST/$YEAR-$MONTH-$DAY-netskope.log"

            template("$(format-json -s nv-pairs)\n")

          );

        };



    ______________________________________________________________________________

    Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng

    Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng

    FAQ: http://www.balabit.com/wiki/syslog-ng-faq




****************************************************************************************** 
This message may contain confidential or proprietary information intended only for the use of the 
addressee(s) named above or may contain information that is legally privileged. If you are 
not the intended addressee, or the person responsible for delivering it to the intended addressee, 
you are hereby notified that reading, disseminating, distributing or copying this message is strictly 
prohibited. If you have received this message by mistake, please immediately notify us by  
replying to the message and delete the original message and any copies immediately thereafter. 

Thank you. 
****************************************************************************************** 
CLLD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20181220/b9f4f82a/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 80196 bytes
Desc: image001.png
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20181220/b9f4f82a/attachment-0001.png>

More information about the syslog-ng mailing list