[syslog-ng] [SOLVED] Strange issue when forwarding using LEEF template

Pal, Laszlo vlad at vlad.hu
Thu May 28 10:39:50 UTC 2020 

Hi,

I have a strange issue with templates... Maybe some stupid issue on my
side, maybe a bug I don't know

*<spoiler> Solutions at the end of this </spoiler>*

Here is the scenario

Logs coming from Windows using Syslog-ng Agent (syslog destination)
Logs received using latest OSE (but same issues at the customer with PE6)
Logs must be forwarded to Qradar using a special LEEF template like this
(there are also tabs in the template). I've tried both network and syslog
destination

template t_leefwin {
    template("<${PRI}>${BSDDATE} ${HOST}
LEEF:1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|
devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}
devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL}
resource=${HOST} usrName=${EVENT_USERNAME} application=${EVENT_SOURCE}
message=${EVENT_MSG}\n");
};

The forwarded results like this
<46> IP-address
LEEF:1.0|Microsoft|Windows|2k8r2||devTime=2020-05-28T09:10:02GMT+02:00
devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat= sev= resource=172.17.24.174
usrName= application= message=

So, the $macro-s are empty except the one which is not from .sdata
(resource)

I've created a local json and welf destination and I can see the macros
there

SDATA="[win at 18372.4 EVENT_CATEGORY=\"None\" EVENT_FACILITY=\"16\"
EVENT_ID=\"4098\" EVENT_LEVEL=\"3\" EVENT_NAME=\"Application\"
EVENT_REC_NUM=\"73006\" EVENT_SID=\"S-1-5-18\" EVENT_SID_TYPE=\"User\"
EVENT_SOURCE=\"Group Policy Services\" EVENT_TYPE=\"Figyelmeztetés\"
EVENT_HOST=\"hostname\" EVENT_USERNAME=\"NT AUTHORITY\\\\SYSTEM\"

I remember I used this method years ago to forward logs from syslog-ng
agent to Qradar with proper LEEF format and it was ok... but now, some
small thing is missing

Versions
syslog-ng 3 (3.25.1)
Config version: 3.25
Installer-Version: 3.25.1

But, we have a similar issue with PE6 at the customer

Any idea?

--- so after playing with the welf output a bit, I figured out the short
version of the macro names are not longer working somehow, but the long
ones are ok like this

template t_leefwin {
    template("<${PRI}>${BSDDATE} ${HOST}
LEEF:1.0|Microsoft|Windows|2k8r2|${.SDATA.win at 18372.4.EVENT_ID
}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}
devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${.SDATA.win at 18372.4.EVENT_TYPE}
sev=${.SDATA.win at 18372.4.EVENT_LEVEL}
resource=${SDATA.win at 18372.4.EVENT_HOST}
usrName=${.SDATA.win at 18372.4.EVENT_USERNAME}
application=${.SDATA.win at 18372.4.EVENT_SOURCE} message=${MESSAGE}\n");
};



Thanks
L:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200528/2a2e95ae/attachment.html>

More information about the syslog-ng mailing list