
Hello,

The documentation about the support of SNARE format (https://nxlog.co/documentation/nxlog-user-guide/snare.html) describes how the account name should be passed.

However, the function to_syslog_snare(), puts N/A in that field instead of the username in the Windows event. This happens both in the example output (https://nxlog.co/documentation/nxlog-user-guide/snare.html#generating-snare) and with the latest nxlog community edition. Is this a bug or a paying feature of the enterprise edition?

Sincerely

Asked January 14, 2020 - 5:45pm

Answer (1)

It puts the $AccountName field there which likely does not have a value, thus the N/A.

Comments (3)

  • richard_lewis:

    I have the same problem, and worked around it for $AccountName by using $AccountName = $SubjectUserName; to_syslog_snare(); to make my Windows 2012 logs generate the correct Snare output (at least for that one field). I haven't found a workaround for $AccountType though, and this also comes through as N/A. So did you guys find a fix for this? My instinct is that im_msvistalog is the problem here, and is maybe misparsing or looking for fields which are no longer in use in the Windows event, and failing to fill $AccountName and possibly $AccountType correctly. I did force $AccountName to be included in my logs and it turned out to be a large integer rather than a name.
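The following nxlog configuration is an added example (it is not from the nxlog documentation or from anyone in this thread) that puts the answer above and the comment's workaround together: it fills $AccountName from the event fields im_msvistalog does populate before to_syslog_snare() reads it. It assumes that $SubjectUserName or $TargetUserName is present on the events of interest, that $AccountName is either undefined or empty on those events, and it uses placeholder values for the collector host and port. $AccountType is left untouched because the thread documents no field to derive it from.

```nxlog
# Added example, not the project's own configuration.
# Snare output takes the account name from $AccountName; when that field is
# undefined the converter writes N/A, so derive it first from the Windows
# event data fields (assumed to be present) and only then convert.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    <Exec>
        # Only fill in the field when nothing usable is already there.
        if not defined($AccountName) or $AccountName == ""
        {
            # $SubjectUserName is the account that performed the action;
            # $TargetUserName (assumed available, e.g. on logon events)
            # is used as a fallback so fewer records end up as N/A.
            if defined($SubjectUserName)
            {
                $AccountName = $SubjectUserName;
            }
            else if defined($TargetUserName)
            {
                $AccountName = $TargetUserName;
            }
        }
        # Build $raw_event in Snare format after the field has been set.
        to_syslog_snare();
    </Exec>
</Input>

<Output snare_collector>
    Module      om_udp
    Host        192.0.2.10      # placeholder collector address
    Port        514             # placeholder port
</Output>

<Route eventlog_to_snare>
    Path        eventlog => snare_collector
</Route>
```

To confirm the mapping before pointing it at a collector, swap om_udp for om_file temporarily and check the account-name column of the written $raw_event lines: any record still showing N/A is one on which neither source field was set, which is worth knowing before relying on that column for detection or audit.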