Syslog Format

Support, Questions and Discussions on EventReporter

Moderator: alorbach



Syslog Format

Postby cprados » Fri Apr 17, 2009 9:54 am

Hi all,

I use "Snare Client" to send syslog to a "Cisco Mars" appliance and everything runs OK...

Now I'm testing EventReporter, but I have a problem with the format that EventReporter sends...

This is the output of "Snare Client syslog"
Code:
<13>Apr 16 16:27:54 10.10.XXX.XXX MSWinEventLog 1 Security 20 Thu Apr 16 16:27:54 2009 680 Security SYSTEM User Failure Audit XXXXXX-LWS8W8 Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: abc Source Workstation: XXXXXX-LWS8W8 Error Code: 0xC0000064 0


This is the output of "Event Reporter syslog"
Code:
<132>Apr 16 16:38:25 XXXXXX-LWS8W8 EvntSLog: [AUF] Thu Apr 16 23:38:25 2009: XXXXXX-LWS8W8/Security (680) - "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: abc Source Workstation: XXXXXX-LWS8W8 Error Code: 0xC0000064 "


I modified the output of "Event Reporter" by sending it through "Kiwi Syslog" and adding parts of the "Snare" output, and that works:
Code:
<132>Apr 16 16:27:54 XXXXXX-LWS8W8 MSWinEventLog 1 Security 20 Thu Apr 16 23:38:25 2009 680 Security Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: abc Source Workstation: XXXXXX-LWS8W8 Error Code:  0xC0000064



Is there some way in "Event Reporter" to deliver the event to "Cisco Mars" in the format shown above?

Thanks!
cprados
New
 
Posts: 1
Joined: Fri Apr 17, 2009 9:33 am

Re: Syslog Format

Postby alorbach » Mon Apr 27, 2009 10:45 am

Hi cprados,

I am sorry for the delayed response. Please use support@adiscon.com in future to get a faster response rather than the forums.
You can try to rebuild the Snare format using the property engine EventReporter uses. In order to help you, I will need to know what each part of the Snare output exactly means.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
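As an added illustration of the two payload layouts compared in this thread (not code from either poster, nor from Adiscon or Snare), the script below parses the RFC 3164 style syslog header, splits the Snare "MSWinEventLog" payload into named fields, parses the EventReporter "EvntSLog:" payload, and rebuilds a Snare-layout message from the EventReporter fields the way the Kiwi rewrite above does. The Snare field names, the tab separators (the forum rendering collapsed them to spaces), the meaning of EventReporter's bracketed "[AUF]" code, and the "-" placeholders for fields EventReporter does not carry are all assumptions inferred from the sample lines, not taken from either product's documentation.

```python
"""Parse the two syslog payload layouts shown in the thread and rebuild a
Snare-style message from an EventReporter one.  Added example; the Snare
field names and the EventReporter severity codes are assumptions inferred
from the sample lines, not taken from either product's documentation."""
import re
from typing import Dict, List

# Constructed samples.  The forum rendering collapsed Snare's tab separators
# into spaces; they are restored here as \t so the layout can be parsed.
SNARE_LINE = (
    "<13>Apr 16 16:27:54 10.10.XXX.XXX MSWinEventLog\t1\tSecurity\t20\t"
    "Thu Apr 16 16:27:54 2009\t680\tSecurity\tSYSTEM\tUser\tFailure Audit\t"
    "XXXXXX-LWS8W8\tAccount Logon\tLogon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: abc "
    "Source Workstation: XXXXXX-LWS8W8 Error Code: 0xC0000064\t0"
)
EVENTREPORTER_LINE = (
    '<132>Apr 16 16:38:25 XXXXXX-LWS8W8 EvntSLog: [AUF] Thu Apr 16 23:38:25 2009: '
    'XXXXXX-LWS8W8/Security (680) - "Logon attempt by: '
    'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: abc '
    'Source Workstation: XXXXXX-LWS8W8 Error Code: 0xC0000064 "'
)

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# EventReporter payload as shown in the thread:
# EvntSLog: [CODE] <event time>: <host>/<log> (<event id>) - "<text>"
ER_RE = re.compile(
    r'^EvntSLog: \[(?P<code>[A-Z]+)\] (?P<time>.+?): (?P<host>[^/]+)/(?P<log>\S+) '
    r'\((?P<event_id>\d+)\) - "(?P<text>.*)"$'
)

# Assumed order of the tab-separated Snare fields, inferred from the sample.
SNARE_FIELDS: List[str] = [
    "tag", "criticality", "log", "counter", "event_time", "event_id", "source",
    "user", "sid_type", "event_type", "computer", "category", "data", "trailer",
]
# Assumed meaning of EventReporter's bracketed codes (only AUF appears on the page).
ER_CODE_TO_EVENT_TYPE = {"AUF": "Failure Audit", "AUS": "Success Audit"}


def parse_header(line: str) -> Dict[str, str]:
    """Split off PRI, timestamp and host; decode PRI into facility and severity."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style syslog line")
    pri = int(m.group("pri"))
    return {
        "facility": str(pri // 8), "severity": str(pri % 8),
        "timestamp": m.group("ts"), "host": m.group("host"), "msg": m.group("msg"),
    }


def parse_snare(msg: str) -> Dict[str, str]:
    """Map the tab-separated Snare payload onto the assumed field names."""
    parts = msg.split("\t")
    if parts[0] != "MSWinEventLog" or len(parts) != len(SNARE_FIELDS):
        raise ValueError("unexpected Snare field count: %d" % len(parts))
    return dict(zip(SNARE_FIELDS, parts))


def parse_eventreporter(msg: str) -> Dict[str, str]:
    """Pull code, event time, host, log name, event id and text out of the EvntSLog payload."""
    m = ER_RE.match(msg)
    if not m:
        raise ValueError("not an EventReporter EvntSLog payload")
    d = m.groupdict()
    d["text"] = d["text"].strip()  # sample text carries a trailing space before the quote
    return d


def to_snare(er: Dict[str, str], counter: int, criticality: int = 1) -> str:
    """Rebuild a Snare-layout payload; fields EventReporter does not carry are
    filled with '-' so positional consumers still see 14 tab-separated columns.
    The criticality default of 1 simply mirrors the sample line."""
    fields = {
        "tag": "MSWinEventLog", "criticality": str(criticality), "log": er["log"],
        "counter": str(counter), "event_time": er["time"], "event_id": er["event_id"],
        "source": er["log"], "user": "-", "sid_type": "-",
        "event_type": ER_CODE_TO_EVENT_TYPE.get(er["code"], er["code"]),
        "computer": er["host"], "category": "-", "data": er["text"], "trailer": "0",
    }
    return "\t".join(fields[name] for name in SNARE_FIELDS)


def error_code(data: str) -> str:
    """Extract the NTSTATUS-style error code from the event text, if present."""
    m = re.search(r"Error Code:\s*(0x[0-9A-Fa-f]+)", data)
    return m.group(1) if m else ""


if __name__ == "__main__":
    snare = parse_snare(parse_header(SNARE_LINE)["msg"])
    er = parse_eventreporter(parse_header(EVENTREPORTER_LINE)["msg"])
    print(snare["event_type"], snare["event_id"], error_code(snare["data"]))
    print(to_snare(er, counter=20))
```

Two points the parse makes visible: the PRI values differ (13 decodes to facility 1/severity 5, 132 to facility 16/severity 4), so a collector that filters on facility or severity will treat the two streams differently even if the payloads are made to match; and the EventReporter line carries no user name, SID type or category, so a rebuilt Snare message must either fill those columns with placeholders or obtain them from EventReporter's property engine, which is why the reply above asks what each Snare field means.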
