Grok Filter
Posted: Tue May 24, 2016 10:05 am
Hi Guys,
I'm currently trying to work out if it's possible to break down data from a forwarded syslog file. Am I correct that you can use a grok filter to do this?
We have AlienVault forwarding OSSEC logs to Nagios Log Server. I'd like to have fields for hostname, IP and username if possible. I know NXLOG does an amazing job of all of this, but management want to use AlienVault/OSSEC and don't want multiple agents on servers.
Here is the format of the 'message' that is received by Nagios Log Server:
Code:
AV - Alert - "1464101661" --> RID: "18107"; RL: "3"; RG: "windows,authentication_success,"; RC: "Windows Logon Success."; USER: "CS728164$"; SRCIP: "None"; HOSTNAME: "(wxapssccmp02) 172.31.85.20->WinEvtLog"; LOCATION: "(wxapssccmp02) 172.31.85.20->WinEvtLog"; EVENT: "[INIT]2016 May 24 15:54:24 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: CS728164$: WWCORP: WXAPSSCCMP02.wwcorp.ad.com: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-2620467932-2985055717-1971156654-35314 Account Name: CS728164$ Account Domain: WWCORP Logon ID: 0x39c93d0b Logon GUID: {FC27F335-2FC6-ED5B-4900-B7F72E732058} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: 192.168.177.14 Source Port: 53463 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. [END]";
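As an added worked example (not part of the original post, and not AlienVault's, OSSEC's or Nagios's own code), the following Python splits an alert of the shape quoted above into the fields the poster asks for. It is a two-stage parse: the first regex takes apart the OSSEC/AlienVault envelope (RID, RL, RG, RC, USER, SRCIP, HOSTNAME, LOCATION, EVENT) and pulls the agent name and agent IP out of the "(host) ip->source" HOSTNAME value; the second stage looks inside the Windows event text for the event ID, logon type, the "New Logon" account and the Source Network Address. That second stage matters because OSSEC reports SRCIP "None" for WinEvtLog alerts, so the real network source of a 4624 logon only exists inside EVENT. The sample line and all field names are constructed for this example.

```python
import re
from typing import Dict, Optional

# Constructed sample in the shape of the AV alert quoted in the post (the EVENT
# body is abbreviated; no live data). In Logstash this would be the 'message' field.
SAMPLE = (
    'AV - Alert - "1464101661" --> RID: "18107"; RL: "3"; '
    'RG: "windows,authentication_success,"; RC: "Windows Logon Success."; '
    'USER: "CS728164$"; SRCIP: "None"; '
    'HOSTNAME: "(wxapssccmp02) 172.31.85.20->WinEvtLog"; '
    'LOCATION: "(wxapssccmp02) 172.31.85.20->WinEvtLog"; '
    'EVENT: "[INIT]2016 May 24 15:54:24 WinEvtLog: Security: AUDIT_SUCCESS(4624): '
    'Microsoft-Windows-Security-Auditing: CS728164$: WWCORP: WXAPSSCCMP02.wwcorp.ad.com: '
    'An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - '
    'Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: '
    'S-1-5-21-2620467932-2985055717-1971156654-35314 Account Name: CS728164$ '
    'Account Domain: WWCORP Logon ID: 0x39c93d0b Network Information: Workstation Name: '
    'Source Network Address: 192.168.177.14 Source Port: 53463 Detailed Authentication '
    'Information: Logon Process: Kerberos Authentication Package: Kerberos [END]";'
)

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'

# Stage 1: the OSSEC/AlienVault envelope. Quoted fields use [^"]* except EVENT,
# which is matched greedily up to the final '";' so quotes inside the Windows
# event text cannot cut the field short.
ALERT_RE = re.compile(
    r'^AV - Alert - "(?P<av_ts>\d+)" --> '
    r'RID: "(?P<rule_id>\d+)"; RL: "(?P<rule_level>\d+)"; '
    r'RG: "(?P<rule_groups>[^"]*)"; RC: "(?P<rule_comment>[^"]*)"; '
    r'USER: "(?P<user>[^"]*)"; SRCIP: "(?P<srcip>[^"]*)"; '
    r'HOSTNAME: "\((?P<agent_name>[^)]+)\) (?P<agent_ip>' + IPV4 + r')->(?P<log_source>[^"]*)"; '
    r'LOCATION: "(?P<location>[^"]*)"; '
    r'EVENT: "(?P<event>.*)";\s*$'
)

# Stage 2: fields that only exist inside the Windows event text. OSSEC reports
# SRCIP "None" for WinEvtLog alerts, so the network source of a 4624 logon has
# to come from 'Source Network Address'.
EVENT_HDR_RE = re.compile(r'WinEvtLog: (?P<channel>[^:]+): (?P<audit>[A-Z_]+)\((?P<event_id>\d+)\)')
LOGON_TYPE_RE = re.compile(r'Logon Type: (?P<logon_type>\d+)')
NEW_LOGON_RE = re.compile(r'New Logon: .*?Account Name: (?P<account>\S+) Account Domain: (?P<domain>\S+)')
SRC_ADDR_RE = re.compile(r'Source Network Address: (?P<src_addr>' + IPV4 + r'|-)')


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a flat field dict for one AV alert line, or None when the envelope
    does not match (the equivalent of grok tagging the event _grokparsefailure)."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields: Dict[str, Optional[str]] = dict(m.groupdict())
    # OSSEC writes the literal string "None" when it has no source IP; drop it.
    if fields["srcip"] == "None":
        fields["srcip"] = None
    event = fields["event"] or ""
    for rx in (EVENT_HDR_RE, LOGON_TYPE_RE, NEW_LOGON_RE, SRC_ADDR_RE):
        hit = rx.search(event)
        if hit:
            fields.update(hit.groupdict())
    # Prefer the address embedded in the Windows event when OSSEC gave none.
    if fields["srcip"] is None and fields.get("src_addr") not in (None, "-"):
        fields["srcip"] = fields["src_addr"]
    return fields


if __name__ == "__main__":
    for key, value in (parse_alert(SAMPLE) or {}).items():
        if key != "event":
            print(f"{key}: {value}")
```

The same first stage as a Logstash grok match on "message" would read: AV - Alert - "%{NUMBER:av_ts}" --> RID: "%{NUMBER:rule_id}"; RL: "%{NUMBER:rule_level}"; RG: "%{DATA:rule_groups}"; RC: "%{DATA:rule_comment}"; USER: "%{DATA:user}"; SRCIP: "%{DATA:srcip}"; HOSTNAME: "\(%{HOSTNAME:agent_name}\) %{IP:agent_ip}->%{DATA:log_source}"; LOCATION: "%{DATA:location}"; EVENT: "%{GREEDYDATA:event}"; and a second grok on the extracted event field would carry the event ID, logon type and Source Network Address patterns above. Keep EVENT as the only GREEDYDATA field; DATA is non-greedy and stops at the first match, which is what you want for the short quoted fields but not for the Windows event body.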