[To_syslog_snare] - Error with SnareCounter max limitation

Hello guys,

I have a WEC serveur with the last version of Nxlog installed on it. I forward these logs to a Qradar SIEM with the to_syslog_snare(); function in the output module. Everything is working fine in QRadar and the parsing is good.

But when the SnareCounter value exceeds 9999999 in the log, I saw a "Tab" or a "space" and my log is not parsing well anymore in my QRadar. This modification appear between the SnareCounter and the Date value

AskedNovember 25, 2021 - 11:07am

Log collection from changing file names

I have logs that I need to collect with NxLog, these logs are in a .log file that has a name format [YYYY]_[MM]_[DD].request.log
The log file name changes every day and if the logs roll over during the day they will be named with .request#.log

I need to capture [YYYY]-[MM]_[DD].request.log for the current date

AskedNovember 19, 2021 - 2:36am

How to figure out what event types to filter in im_maculs

I've been tasked to roll out nxlog on all of our Macs. I have it working in the sense that logs are being uploaded to our syslog server.

However I've been given a list from https://www.iansresearch.com/resources/all-blogs/post/security-blog/2021/04/29/best-practices-for-macos-logging-monitoring and told to implement it.

AskedNovember 18, 2021 - 6:21pm

Dynamic Directory

It is possible to create dynamic directories per host

I would like to separate all logs by host then year then month day

I can create dynamic file names base on hostname
+ $Hostname + "_" + month(now())

Thank you

AskedNovember 12, 2021 - 10:13pm

Replace Information in Logline with external Information


i have the following problem and no Idea how to solve it:

I have a Logline from our VPN Server which looks like this:
2021-11-11 16-56-00, connect, PartnerIP=, VPNIP=, User="Computername.Domain.de"

My Problem is, that our SIEM System does not accept Computer Accounts for VPN Connections. It only allows User Accounts. Thats why i need to transform it into:

AskedNovember 11, 2021 - 5:04pm