NetWitness Community

YacineBERREZOUG · ‎2021-01-08

Hello,

I have a parsing issue with the following Linux log :

<37>Jan 4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)

This log is not matching rhlinux devices type and is parsed as unknown.

By removing syslog PRI in the header :

Jan 4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)

The log is correctly parsed as rhlinux by header 0016:

<month> <day> <time> <hhost> <messageid>[<process_id>]: <!payload:messageid>"

While a windows log with PRI is correctly parsed as winevent_snare (header 1001) on the same decoder (log file import from GUI for both):

<133>Jan 5 23:04:42 hostname MSWinEventLog 1 Security 202206857 Tue Jan 05 23:04:42 2021 4648 Microsoft-Windows-Security-Auditing …..

However, 0016 rhlinux and 1001 weinevent_snare headers are similar at the beginning :

--Rhlinux 0016 header content : “<month> <day> <time> <hhost> <messageid>[<process_id>]: <!payload:messageid>"
--Wineventsnare 1001 header content : "<month> <day> <time> <hostname> <log_type>	<criticality>	<msgIdPart1>	<linenum>	<date> <datetime>	<msgIdPart2>	<msgIdPart3>	<!payload:log_type>"

Why winevent_snare 307 with <133> PRI is well parsed and rhlinuxlog with <37> PRI is not ?

Could you please help ?

Thank you in advance.

DaveGlover · ‎2021-01-08

Where are you seeing these parsing errors? The PRI tag is stripped off by the log decoder, it never makes it to the parsing engine. Is this coming through a relay, possibly adding a second PRI tag?

Can I get a little bit more information?

YacineBERREZOUG · ‎2021-01-08

Hello Dave,

Thank you for your answer.

We don't see parsing errors, the log is just not parsed (match unknown device type).

This log is coming through a relay adding this PRI tag and currently it's impossible to access on this relay and remove the tag.

And it seems like the PRI tag is not stripped off by the log decoder.

Thank you,

DaveGlover · ‎2021-01-08

Can you perform a tcpdump -A port 514 and post the results with the linux log on it so I can see exactly what is seen by the NW log collector

Thanks

YacineBERREZOUG · ‎2021-01-08

Below the packet we see with the tcpdump :

[][][10.10.10.10][1622212150][]<37>Jan 6 21:22:30 hostname PAM-unixteam[110242]: pam_sm_close_session(service=crond, terminal=cron, user=xxxx, ruser=UNDEF, rhost=UNDEF)

Thanks

DaveGlover · ‎2021-01-08

I see the issue. You can not use a PRI tag when using the Z-connector header.

Remove the tag

Are you using Rsyslog? If so, I had them add a special function to do this.

Instead of using %rawmsg% use %rawmsg-after-pri% This works in rsyslog version eight and above

YacineBERREZOUG · ‎2021-01-12

Hello Dave,

Thank you for your answer.

I still don't have any way to change syslog configuration.

Do you know why windows log with PRI is well parsed ?

<133>Jan 5 23:04:42 hostname MSWinEventLog 1 Security 202206857 Tue Jan 05 23:04:42 2021 4648 Microsoft-Windows-Security-Auditing …..

Thanks

NetWitness Community

Linux log with syslog PRI not parsed