NetWitness Community

DaveGlover · ‎2017-01-31

Folks

We have identified and issue when collecting Windows Snare logs Via a VLC. The problem presents itself when you use the default tab delimiter vs the comma delimiter and using a VLC to collect the logs.

There is code in the VLC that converts all tabs to spaces on inbound syslog messages. Once the tab is replaced, the logs no longer parse as the parser is specifically looking for tabs NOT spaces.

The issue does not present itself if you send the logs directly to the log decoder, it is only present when using a VLC.

To correct the issue you must remove the highlighted on the VLC in question prior to enabling sending Snare logs

Hope this helps

Dave

AnujShrivastava · ‎2018-02-07

Hi Dave

i am trying to forward my cisco ASA logs from our Syslog server, as it is getting logs from ASA, i tried below config in my syslog.conf but i am not able to achieve it.

VLC IP: 10.201.12.80

ASA IP: 10.201.3.103

-------------------------------is this correct ?------------------------

$template NWLDfmt,"[][][%10.201.3.103%][%timestamp:::date-unixtimestamp%][] %rawmsg%\n"

*.* @@10.201.12.80:514;NWLDfmt

-------------------------------Shall i use it as it is------------------------

$template NWLDfmt,"[][][%FROMHOST-IP%][%timestamp:::date-unixtimestamp%][] %rawmsg%\n"

*.* @@10.201.12.80:514;NWLDfmt

i am able to see logs from other syslog sources, but not able to get desired logs.

please Help me.

DaveGlover · ‎2018-02-07

Anuj

What are you seeing coming in?

Can you email me a screen shot or sample?

Secondly you could always swap the tabs for commas in the snare config.

Dave

AnujShrivastava · ‎2018-02-07

only other syslogs from different event sources... like cyberArk

i have also tested cyberark logs those are also syslog types...

14:52:35.010819 IP (tos 0x0, ttl 64, id 50323, offset 0, flags [DF], proto TCP (6), length 40)
st-rsa-vlc.hmgt.net.shell > hmwcybdev01.hmgt.net.64033: Flags [.], cksum 0x068b (correct), ack 85965, win 1264, length 0
14:52:35.028797 IP (tos 0x2,ECT(0), ttl 124, id 13465, offset 0, flags [DF], proto TCP (6), length 400)
hmwcybdev01.hmgt.net.64033 > st-rsa-vlc.hmgt.net.shell: Flags [P.], cksum 0x1940 (correct), seq 85965:86325, ack 1, win 4096, length 360
14:52:35.028805 IP (tos 0x0, ttl 64, id 50324, offset 0, flags [DF], proto TCP (6), length 40)
st-rsa-vlc.hmgt.net.shell > hmwcybdev01.hmgt.net.64033: Flags [.], cksum 0x051f (correct), ack 86325, win 1268, length 0

AnujShrivastava · ‎2018-02-07

this is what I want to achieve------

A cisco asa is sending logs to syslog server, now i want to collect those logs from that syslog server, and i tried your templet but not able to see any logs on my vlc.

VLC IP: 10.201.12.80

ASA IP: 10.201.3.103

which config is correct? config 1 or config 2

-------------------------------Config 1 ------------------------

$template NWLDfmt,"[][][%10.201.3.103%][%timestamp:::date-unixtimestamp%][] %rawmsg%\n"

*.* @@10.201.12.80:514;NWLDfmt

-------------------------------Config 2 ------------------------

$template NWLDfmt,"[][][%FROMHOST-IP%][%timestamp:::date-unixtimestamp%][] %rawmsg%\n"

*.* @@10.201.12.80:514;NWLDfmt

DaveGlover · ‎2018-02-07

Anuj

What kind of syslog server are you using? The template you are using is geared for Rsyslog. If you are using syslogNG there is a different template to use.

Dave

AnujShrivastava · ‎2018-02-07

its Rsyslog 7.0

KEVINDIENST · ‎2018-02-07

Dave - I ran into this with our Snare agents, I just changed the delimiter format on the Snare agents themselves to account for this instead of change the setting on the VLCs.

Thanks for the post though!

NetWitness Community

Windows Snare Logging Via VLC