- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Windows Event logs sending to syslog
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We need to send some of the Windows logs to the 3rd party systems. I am able to send the logs to the syslog server but the issue is formatting.. After each line break or tab, our rsyslog add #012 and #015 to the line.
server1.abcd.com svr02 07/03/2019 12:07:17 PM#015#012LogName=Security#015#012SourceName=Microsoft Windows security auditing.#015#012EventCode=4688#015#012EventType=0#015#012Type=Information#015#012ComputerName=svr02.abcd.com#015#012TaskCategory=Process Creation#015#012OpCode=Info#015#012RecordNumber=96425#015#012Keywords=Audit Success#015#012Message=A new process has been created.#015#015#012#015#015#012Creator Subject:#015#015#012#011Security ID:#011#011NT AUTHORITY\SYSTEM#015#015#012#011Account Name:#011#011svr02$#015#015#012#011Account Domain:#011#011abcd#015#015#012#011Logon ID:#011#0110x3E7#015#015#012#015#015#012Target Subject:#015#015#012#011Security ID:#011#011abcd\ssi63#015#015#012#011Account Name:#011#011SSI63#015#015#012#011Account Domain:#011#011abcd#015#015#012#011Logon ID:#011#0110x43E54E2#015#015#012#015#015#012Process Information:#015#015#012#011New Process ID:#011#0110x1a74#015#015#012#011New Process Name:#011C:\Windows\SysWOW64\dllhost.exe#015#015#012#011Token Elevation Type:#011%%1938#015#015#012#011Mandatory Label:#011#011Mandatory Label\Medium Mandatory Level#015#015#012#011Creator Process ID:#0110x2e4#015#015#012#011Creator Process Name:#011C:\Windows\System32\svchost.exe#015#015#012#011Process Command Line:#011#015#015#012#015#015#012Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.#015#015#012#015#015
To over this issue, I have added following in to the props.conf
[default]
SEDCMD-rmlines=s/[\n\r\t]/ /g
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256`
But it added another headache. It added extra space on the Logs and also, my splunk logs has gone for a toss. Not extracting any fields.
Jul 3 13:07:18 server1.abcd.com svr02 07/03/2019 01:39:44 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=svr02.abcd.com TaskCategory=Process Creation OpCode=Info RecordNumber=97156 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: svr02$ Account Domain: abcd Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa18 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a1c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in
On my rsyslog template I have changed $EscapeControlCharactersOnReceive off (from on). But it has cutoff the logs.
Jul 3 13:07:18 server1.abcd.com svr02 07/03/2019 01:39:44 PM
whether anyone has seen similar issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The #015#012 etc. can be fixed by setting $EscapeControlCharactersOnReceive off on the receiving syslog daemon. That would cause it to print those \r\n as what they are: linebreaks. I know recent versions of rsyslog do have some multiline support, so you might want to look into that (but that is probably something you might want to ask to the rsyslog community if you need further help).
Alternatively, you might need to fix this in the 3rd party system that reads the logs, and have that replace the #xxx with the relevant newline/tab characters before processing the events.
Not sure what your intention with that SEDCMD is. I'm actually not sure if that affects logs forwarded to a syslog server, I would expect it doesn't, but not sure. Anyway I wouldn't use that, as it will mess up the logs going into Splunk and prevent properly processing those with the Windows TA.
All in all, this is not really a Splunk question. This is an rsyslog question or a question regarding that 3rd party system that takes these logs from rsyslog.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The #015#012 etc. can be fixed by setting $EscapeControlCharactersOnReceive off on the receiving syslog daemon. That would cause it to print those \r\n as what they are: linebreaks. I know recent versions of rsyslog do have some multiline support, so you might want to look into that (but that is probably something you might want to ask to the rsyslog community if you need further help).
Alternatively, you might need to fix this in the 3rd party system that reads the logs, and have that replace the #xxx with the relevant newline/tab characters before processing the events.
Not sure what your intention with that SEDCMD is. I'm actually not sure if that affects logs forwarded to a syslog server, I would expect it doesn't, but not sure. Anyway I wouldn't use that, as it will mess up the logs going into Splunk and prevent properly processing those with the Windows TA.
All in all, this is not really a Splunk question. This is an rsyslog question or a question regarding that 3rd party system that takes these logs from rsyslog.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FrankVI, thanks for your help.. Our Unix team didnt load the module $ModLoad imtcp before enabling this setting $EscapeControlCharactersOnReceive off. I have tried this earlier.. If you can add it as an answer, then i can accept your answer.
Note: For others who are setting up similar thing, by default maxEventSize (outputs.conf) is 1024 and need to change to higher value to say 5000 otherwise the Windows Events will be partial.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK 🙂
Changed my comment to an answer. Glad to hear it helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a bit confused, can you please describe your architecture in a bit more detail? You mention you have issues passing windows logs to a third party syslog server, but then you mention using splunk SEDCMD to fix some of that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FrankVI,
So we are sending logs from Windows UF to our HF. From HF it goes to Indexer and to the 3rd party syslog server.
All these are working fine but the issue is when the log reaches the 3rd syslog server (which is using rsyslog 8.x).
As you are aware, Microsoft logs sent ot as as multi-line events. For some reason at the end of the each line, rsyslog add #015#012 to the logs (as shown in my question). This is creating problem for the 3rd party system to read the logs.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
