wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Linux Parsers do not read Logs with Number at End + CSV Separator Request #64

Closed reece394 closed 1 year ago

reece394 commented 1 year ago

When running Zircolite on a Linux Triage Package it does not parse audit logs with a number at the end. An example of one that does work is audit.log. One that does not work is audit.log.1; however, when you add .log to the end, for example audit.log.1.log, it does work. Could you please add handling of .log.number files to this, thanks.

For .csv files could you please add a command line argument to specify the delimiter. I like to have comma separated rather than semi-colon due to automatic parsing by spreadsheet software. Something like --delimiter comma

Additionally I noticed the documentation refers to a .csv template that no longer exists. I got confused when reading it; just for your reference, in case people like me try to use the csv template instead of --csv.

wagga40 commented 1 year ago

> Could you please add handling of .log.number files to this thanks.

ok !

> For .csv files could you please add a command line argument to specify the delimiter.

ok !

> I got confused when reading it just for your reference in case people try like me to use the csv template instead of --csv

You are right I will remove any CSV reference. The template was not a good idea.

wagga40 commented 1 year ago

Hello,

> Could you please add handling of .log.number files to this thanks.

I will code something cleaner but you should already be able to do that by using --fileext and providing 'log*'

> For .csv files could you please add a command line argument to specify the delimiter.

I have added an --csv-delimiter, I will push code soon

> I got confused when reading it just for your reference in case people try like me to use the csv template instead of --csv

Done (I think)

reece394 commented 1 year ago

Thanks I appreciate it!

> Could you please add handling of .log.number files to this thanks.

> I will code something cleaner but you should already be able to do that by using --fileext and providing 'log*' instead

I didn't even realise fileext could support wildcards. You learn something new every day. Probably would be better to handle it by default though since it is a very common occurrence on Linux and people may be confused by it only processing .log

wagga40 commented 1 year ago

The current version with delimiter support is in the csv-delimiter branch: https://github.com/wagga40/Zircolite/tree/csv-delimiter

Usage:

```
python3 zircolite.py -e ./logs/ -r rules.json --fileext 'evtx*' --csv --csv-delimiter "|"
```

I think I will merge this weekend.

wagga40 commented 1 year ago

Everything should be ok in #65. Docs have been updated (I think :))
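The two points discussed in this thread, a wildcard `--fileext` that catches rotated logs such as `audit.log.1`, and a CSV export whose delimiter the user chooses, are illustrated below in an added example. This is not Zircolite's own code: the function names are hypothetical, the assumption that the extension filter behaves like a glob of the form `*.<fileext>` is ours (it reproduces the behaviour reported in the issue), and the file listing and detection rows are constructed.

```python
# Added example, not Zircolite's own code: models how a file-extension filter
# with a wildcard ("--fileext 'log*'") picks up rotated Linux audit logs such as
# audit.log.1, and how a CSV export with a user-chosen delimiter quotes fields
# that contain the delimiter. Function names and the glob shape are assumptions.
import csv
import fnmatch
import io
from typing import Iterable

# Constructed directory listing, of the kind found in a Linux triage package.
SAMPLE_FILES = [
    "audit.log",
    "audit.log.1",
    "audit.log.2",
    "audit.log.1.log",
    "syslog",
    "notes.txt",
    "security.evtx",
]

# Constructed detection rows of the kind a SIGMA match would produce; the first
# message deliberately contains a comma to exercise CSV quoting.
SAMPLE_ROWS = [
    {"rule_title": "New user account", "host": "srv01",
     "message": "useradd: new user, uid=1001"},
    {"rule_title": "Audit log cleared", "host": "srv02",
     "message": "rm /var/log/audit/audit.log"},
]


def select_logs(filenames: Iterable[str], fileext: str = "log") -> list:
    """Return the names matching a glob of the form *.<fileext>.

    Assumption: the filter behaves like a recursive glob on "*.{fileext}". That
    explains the behaviour reported in the issue: "log" matches audit.log and
    audit.log.1.log but not audit.log.1, while "log*" matches all of them.
    """
    pattern = f"*.{fileext}"
    return [name for name in filenames if fnmatch.fnmatchcase(name, pattern)]


DELIMITER_NAMES = {"comma": ",", "semicolon": ";", "tab": "\t", "pipe": "|"}


def resolve_delimiter(arg: str) -> str:
    """Accept a spelled-out name ("comma") or a literal single character ("|")."""
    if arg in DELIMITER_NAMES:
        return DELIMITER_NAMES[arg]
    if len(arg) == 1:
        return arg
    raise ValueError(
        f"delimiter must be one character or one of {sorted(DELIMITER_NAMES)}")


def detections_to_csv(rows: list, delimiter: str = ";") -> str:
    """Serialise detection rows to CSV text using the requested delimiter.

    csv.DictWriter quotes any field that contains the delimiter, so switching
    to a comma does not break rows whose message text itself contains commas.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()),
                            delimiter=delimiter, quoting=csv.QUOTE_MINIMAL)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def csv_lines(rows: list, delimiter: str = ";") -> list:
    """Same as detections_to_csv, split into lines for easy inspection."""
    return detections_to_csv(rows, delimiter).splitlines()


if __name__ == "__main__":
    for ext in ("log", "log*"):
        print(f"--fileext '{ext}':", select_logs(SAMPLE_FILES, ext))
    for name in ("semicolon", "comma"):
        print(f"--csv-delimiter {name}:")
        print(detections_to_csv(SAMPLE_ROWS, resolve_delimiter(name)))
```

Note that a pattern such as `log*` is only matched against the part after the last-but-one dot boundary the glob allows, so it will also pick up anything else whose suffix starts with `.log` (for example `audit.log.bak`); review the selected list before a long run. Because the writer quotes fields containing the active delimiter, comma output stays parseable by spreadsheet software even when a message field itself contains commas.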