1
response

I am using a config of
Output syslog1>
Module om_tcp
Host syslog.server.name
Port 6514
Exec to_syslog_ietf();
OutputType Syslog_TLS
</Output>

and a source of

<Input eventlog_application>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
</Query>\
</QueryList>
<Exec>
$Message = 'EventID[' + $EventID + '] Log[' + $Channel + '] Type[' + $EventType + '] Domain[' + $Domain + '] User[' + $AccountName + '] ' + $Message;
$SyslogFacilityValue = 3;
</Exec>
</Input>

but when the message arrives as the syslog server the ident field does NOT include the PID. I expaect something like

SourceName[PID]: the text of the message

but what I get is

SourceName: the text of the message

How can I get the PID of the SourceName?

AskedAugust 21, 2018 - 3:45am

Answer (1)

There was a clash with the Sysmon generated Process Id. The field was renamed to ExecutionProcessID recently so that the name would follow what event viewer shows. I believe this is now causing the regression you are seeing since to_syslog_*() expects ProcessID.

A remedy would be:

rename_field($ExecutionProcessID, $ProcessID);

A bit of caution is required if you use Sysmon.