SafeAF / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Error parsing snare logs #20

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Snare logs sent to syslog

What do you see instead?

in node.log:
* ERROR [2012/04/30 14:04:14] /srv/syslogdata/elsa/node/elsa.pl (219) 
main::_process_batch 2920 Unable to parse valid class id from log line 
1335783854 10.30.4.19     AD-2.tacs.local    Security      unknown  Apr 30 
14:04:13 2012|4634|Microsoft-Windows-Security-Auditing|opennms|N/A|Success 
Audit|AD-2.tacs.local|None||An account was logged off.    Subject:   Security 
ID:  S-1-5-21-212409339-82824776-3791047695-1127   Account Name:  opennms   
Account Domain:  TACS   Logon ID:  0x91366d0    Logon Type:   3    This event 
is generated when a logon session is destroyed. It may be positively correlated 
with a logon event using the Logon ID value. Logon IDs are only unique between 
reboots on the same computer.|240487 .  Only parsed into:
$VAR1 = [
          '1335783854',
          '10.30.4.19',
          'AD-2.tacs.local',
          'Security',
          'unknown',
          'Apr 30 14:04:13 2012|4634|Microsoft-Windows-Security-Auditing|opennms|N/A|Success Audit|AD-2.pacs.local|None||An account was logged off.    Subject:   Security ID:  S-1-5-21-212409339-82824776-3791047695-1127   Account Name:  opennms   Account Domain:  TACS   Logon ID:  0x91366d0    Logon Type:   3    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.|240487 '
        ];

SVN checkout of ELSA.
syslog-ng 3.3.5

On what operating system?
Debian Squeeze

All snare logs are getting this error in node.log

Original issue reported on code.google.com by thana...@gmail.com on 30 Apr 2012 at 11:08
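As an added illustration (not part of the original report or of ELSA's own code), the Python below splits a line like the one above into the six envelope fields the node managed to extract, flags the non-numeric class value that produced the "Unable to parse valid class id" error, and then breaks the Snare payload into its pipe-delimited fields and the key/value pairs inside the message text. The tab separator, the envelope and Snare field names, and the shortened sample line are assumptions.

```python
import re
from typing import Dict

# Constructed sample: the report's log line with tabs between the envelope
# fields (an assumption about the wire format) and a shortened message body.
SAMPLE = "\t".join([
    "1335783854", "10.30.4.19", "AD-2.tacs.local", "Security", "unknown",
    "Apr 30 14:04:13 2012|4634|Microsoft-Windows-Security-Auditing|opennms|N/A|"
    "Success Audit|AD-2.tacs.local|None||An account was logged off.    Subject:   "
    "Security ID:  S-1-5-21-212409339-82824776-3791047695-1127   Account Name:  "
    "opennms   Account Domain:  TACS   Logon ID:  0x91366d0    Logon Type:   3    "
    "This event is generated when a logon session is destroyed.|240487 ",
])

# Envelope as seen in the $VAR1 dump; the order is the page's, the names are assumed.
ENVELOPE = ["unixtime", "src_ip", "host", "program", "class", "msg"]
# Snare for Windows pipe-delimited layout (assumed field names).
SNARE = ["submit_time", "event_id", "source", "user", "sid_type", "event_type",
         "computer", "category", "data", "message", "counter"]
KV_RE = re.compile(r"(Security ID|Account Name|Account Domain|Logon ID|Logon Type):\s+(\S+)")


def split_envelope(line: str) -> Dict[str, str]:
    """Split the tab-separated envelope; the trailing message may itself contain tabs."""
    parts = line.rstrip("\n").split("\t", len(ENVELOPE) - 1)
    if len(parts) != len(ENVELOPE):
        raise ValueError(f"expected {len(ENVELOPE)} envelope fields, got {len(parts)}")
    return dict(zip(ENVELOPE, parts))


def parse_snare(msg: str) -> Dict[str, str]:
    """Split the Snare payload on '|' and lift 'Key:  value' pairs out of the text."""
    parts = msg.strip().split("|")
    if len(parts) != len(SNARE):
        raise ValueError(f"expected {len(SNARE)} Snare fields, got {len(parts)}")
    rec = dict(zip(SNARE, parts))
    for key, val in KV_RE.findall(rec["message"]):
        rec[key.lower().replace(" ", "_")] = val
    return rec


def parse_line(line: str) -> Dict[str, object]:
    """Envelope plus parsed event; records why the node would reject the class."""
    env: Dict[str, object] = dict(split_envelope(line))
    if not str(env["class"]).isdigit():
        # This is the condition behind the "Unable to parse valid class id" error.
        env["parse_error"] = f"class {env['class']!r} is not a numeric class id"
    env["event"] = parse_snare(str(env["msg"]))
    return env
```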

GoogleCodeExporter commented 9 years ago
Sorry to hear of your issues!  Snare normally works without any changes to 
ELSA, so I'm wondering if you've made any modifications to the ELSA config 
files or are not using the stock ones.  Have you made any changes to the 
standard Snare config on the clients?  It may also be a case in which a 
hostname or something is breaking the parser.  Can you paste in a sanitized raw 
syslog line as it looks on the wire?  An easy way to get that is to create a 
file destination in syslog-ng that writes to /tmp/test.log or something and 
don't run any parsers on it.  Let me know if you need any assistance on that.

Original comment by mchol...@gmail.com on 30 Apr 2012 at 1:52

GoogleCodeExporter commented 9 years ago
Hi,
I replaced this with the evtlog2syslog daemon and logs are parsed correctly now.
I will try to replicate on another machine to give you the info...

regards,
thanasys

Original comment by thana...@gmail.com on 14 May 2012 at 12:41

GoogleCodeExporter commented 9 years ago
Closing until I hear back.

Original comment by mchol...@gmail.com on 31 May 2012 at 2:44