Windows eventlog messages fail to include a PID in the syslog header.


#1 erempel

I am using a config of

    <Output syslog1>
        Module      om_tcp
        Host        syslog.server.name
        Port        6514
        Exec        to_syslog_ietf();
        OutputType  Syslog_TLS
    </Output>

and a source of

    <Input eventlog_application>
        Module  im_msvistalog
        Query   <QueryList> \
                    <Query Id="0"> \
                        <Select Path="Application">*</Select> \
                    </Query> \
                </QueryList>
        <Exec>
            $Message = 'EventID[' + $EventID + '] Log[' + $Channel + '] Type[' + $EventType + '] Domain[' + $Domain + '] User[' + $AccountName + '] ' + $Message;
            $SyslogFacilityValue = 3;
        </Exec>
    </Input>

but when the message arrives at the syslog server, the ident field does NOT include the PID. I expect something like

SourceName[PID]: the text of the message

but what I get is

SourceName: the text of the message

How can I get the PID of the SourceName?

#2 b0ti Nxlog ✓

There was a clash with the Sysmon-generated Process Id. The field was renamed to ExecutionProcessID recently so that the name would follow what Event Viewer shows. I believe this is now causing the regression you are seeing, since to_syslog_*() expects ProcessID.

A remedy would be:

    rename_field($ExecutionProcessID, $ProcessID);

A bit of caution is required if you use Sysmon.
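To make the regression and the remedy concrete, here is an added Python model (not NXLog's code) of the field lookup the thread describes: the syslog formatters take APP-NAME from $SourceName and PROCID from $ProcessID, so a record whose PID lives only under $ExecutionProcessID arrives with no PID; rename_field() moves the value under the expected name, and an unconditional rename overwrites the $ProcessID that a Sysmon record already carries, which is the caution in the reply above. The sample records, the MSGID/structured-data simplification, and the helper names are assumptions made for this illustration.

```python
"""Model of how a syslog header picks up the PID from Windows event fields.

Added example, not NXLog's own code: emulates the lookup that
to_syslog_ietf() / to_syslog_bsd() perform (APP-NAME from $SourceName,
PROCID from $ProcessID). Field layout, MSGID handling and helper names
are assumptions.
"""

# Constructed sample records (not captured from a real host).
APP_EVENT = {
    "SourceName": "MsiInstaller",
    "Hostname": "winhost01",
    "EventTime": "2024-01-01T10:00:00Z",
    "SyslogFacilityValue": 3,
    "SeverityValue": 2,
    "ExecutionProcessID": 4212,  # the renamed field described in the thread
    "Message": "Product installed",
}

SYSMON_EVENT = {
    "SourceName": "Microsoft-Windows-Sysmon",
    "Hostname": "winhost01",
    "EventTime": "2024-01-01T10:00:01Z",
    "SyslogFacilityValue": 3,
    "SeverityValue": 6,
    "ProcessID": 1337,           # assumed: PID of the process Sysmon reports on
    "ExecutionProcessID": 2480,  # assumed: PID of the service that wrote the event
    "Message": "Process Create",
}

NILVALUE = "-"  # RFC 5424 placeholder for an absent header field


def pri(fields):
    """Syslog PRI = facility * 8 + severity."""
    return fields["SyslogFacilityValue"] * 8 + fields["SeverityValue"]


def to_syslog_ietf(fields):
    """RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PROCID is read from $ProcessID; a PID stored under any other name is invisible."""
    procid = fields.get("ProcessID")
    return "<%d>1 %s %s %s %s %s %s %s" % (
        pri(fields),
        fields["EventTime"],
        fields["Hostname"],
        fields["SourceName"],
        NILVALUE if procid is None else str(procid),
        NILVALUE,  # MSGID simplified to the nil value in this model
        NILVALUE,  # no structured data in this model
        fields["Message"],
    )


def to_syslog_bsd(fields):
    """BSD-style TAG: 'SourceName[PID]:' when $ProcessID is set, else 'SourceName:'."""
    tag = fields["SourceName"]
    if fields.get("ProcessID") is not None:
        tag += "[%d]" % fields["ProcessID"]
    return "<%d>%s %s %s: %s" % (
        pri(fields), fields["EventTime"], fields["Hostname"], tag, fields["Message"])


def rename_field(fields, old, new):
    """Model of rename_field(old, new): the value moves to the new name, the old
    name disappears, and a value already stored under the new name is overwritten."""
    if old in fields:
        fields[new] = fields.pop(old)
    return fields


def rename_field_if_missing(fields, old, new):
    """Guarded variant: rename only when nothing already lives under the new name,
    so a Sysmon record keeps the PID it reports on."""
    if new not in fields:
        rename_field(fields, old, new)
    return fields


def procid_of(ietf_line):
    """Return the PROCID token (fifth space-separated token) of an RFC 5424 line."""
    return ietf_line.split(" ")[4]


def demo():
    """Headers before and after the remedy, plus both Sysmon outcomes."""
    before = to_syslog_ietf(dict(APP_EVENT))
    fixed = rename_field(dict(APP_EVENT), "ExecutionProcessID", "ProcessID")
    clobbered = rename_field(dict(SYSMON_EVENT), "ExecutionProcessID", "ProcessID")
    guarded = rename_field_if_missing(dict(SYSMON_EVENT), "ExecutionProcessID", "ProcessID")
    return {
        "before": before,
        "after": to_syslog_ietf(fixed),
        "bsd_after": to_syslog_bsd(fixed),
        "sysmon_pid_unconditional": clobbered["ProcessID"],
        "sysmon_pid_guarded": guarded["ProcessID"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %s" % (key, value))
```

The "before" line carries the nil value where the PID should be, the "after" line carries 4212, and the two Sysmon results show that an unguarded rename replaces the reported process's PID with the logging service's PID. In an NXLog Exec block the equivalent of the guarded variant is to check that $ProcessID is not already defined before calling rename_field(), so the remedy applies to the Application log input without touching Sysmon records.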