sending txt logs to a remote server using snare do not show logs content

Tags: snare | logs files

#1 eebs

Hello, thanks in advance.

I am sending multiple logs from a Windows server to a Linux collector.
I have no issues with Windows system logs.
It seems I cannot send Windows system logs and test plain text logs via Snare.
Is there any way to do that?

But when I switch to Snare I can see no description of the warning:

    2022-10-21T09:21:21+00:00 Winserver MSWinEventLog#0111#011N/A#0111#011Fri Oct 21 09:21:21 2022#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A#011#011N/A#011N/A#015

The same line with Snare commented out:

    2022-10-21T09:18:23.208210+00:00 Winserver WARNING: Can't open file \?\C:...\UPPS\UPPS.BIN: Permission denied#015

My config:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\App\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
        Module xm_exec
    </Extension>

    <Input internal>
        Module im_internal
        Exec $Hostname = hostname_fqdn();
    </Input>

    <Input vistalog>
        Module im_msvistalog
    </Input>

    <Input eventlog>
        Module im_mseventlog
    </Input>

    <Input testFile>
        Module im_file
        SavePos True
        RenameCheck True
        Recursive True
        PollInterval 0.5 #near real time
        File "C:\test\myfile.txt"
        ReadFromLast True
    </Input>

    <Output out>
        Module om_tcp
        Host linux
        Port 514
        #Exec to_syslog_snare();
    </Output>

    <Route r>
        Path internal, eventlog, vistalog, testFile => out
        Path testFile => out
    </Route>

#2 jeffron Nxlog ✓

Hi Ed,

It seems you are using the wrong procedure call to convert to Syslog snare. Kindly test this configuration.

    <Output out>
        Module om_tcp
        Host linux:514
        Exec to_snare();
    </Output>

I hope this helps.

Jeffron
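To check on the collector side whether a forwarded record still carries its text, the two lines quoted in the question can be decoded and compared. This is an added example, not code from the thread or from NXLog; it assumes the collector writes control characters as `#ooo` octal escapes (so `#011` is a tab and `#015` a carriage return), and the function names are hypothetical.

```python
import re

# Collector lines copied from the question above.
SNARE_LINE = ("2022-10-21T09:21:21+00:00 Winserver MSWinEventLog#0111#011N/A#0111#011"
              "Fri Oct 21 09:21:21 2022#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A"
              "#011#011N/A#011N/A#015")
PLAIN_LINE = ("2022-10-21T09:18:23.208210+00:00 Winserver WARNING: Can't open file "
              r"\?\C:...\UPPS\UPPS.BIN: Permission denied#015")

_ESCAPE = re.compile(r"#([0-7]{3})")
_DATE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}")

def unescape(text):
    """Undo '#ooo' octal escapes (assumption: the collector escaped control chars this way).
    A literal '#' followed by three octal digits in the message is decoded too."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)

def parse_line(line):
    """Split 'timestamp host payload' and break a Snare payload into its tab-separated fields."""
    timestamp, host, payload = line.split(" ", 2)
    payload = unescape(payload).rstrip("\r\n")
    record = {"timestamp": timestamp, "host": host, "snare": False,
              "fields": [], "message": payload}
    if payload.startswith("MSWinEventLog\t"):
        record["snare"] = True
        record["fields"] = payload.split("\t")[1:]  # drop the MSWinEventLog tag
        record["message"] = None
    return record

def has_content(record):
    """True when the record carries text beyond counters, a date and N/A placeholders."""
    if not record["snare"]:
        return bool(record["message"].strip())
    return any(f not in ("", "N/A") and not f.isdigit() and not _DATE.fullmatch(f)
               for f in record["fields"])

if __name__ == "__main__":
    for line in (SNARE_LINE, PLAIN_LINE):
        rec = parse_line(line)
        kind = "snare" if rec["snare"] else "plain"
        print(kind, "content present:", has_content(rec))
        print("  ", rec["fields"] if rec["snare"] else rec["message"])
```

Running `has_content` over stored collector lines flags records like the first one, where every field other than the counters and the date is a placeholder.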