
Using NxLog with `Exec to_syslog_snare();` to output Windows Events. What parser should be used by the Decoder? I thought maybe winevent_snare, but maybe it is rhlinux.
Which parser should be used, or should I only care that the Windows event logs are parsed correctly?

Asked September 18, 2021 - 1:29am

Answer (1)

Hey,

I'm not sure if I understand you correctly - what decoders are you asking about?

Best regards,
Raf

Comments (1)

  • jwilliams1010

    Hi,

    The decoders used in NetWitness. The job of a decoder is to select a parser to parse log files.

    The LogDecoder shows Service Type as unknown, but I was expecting to see winevent_snare.

    My config uses `Exec $Message =~ s/(\t|\R)/ /g; to_syslog_snare();` to send Windows log data to the collector/decoder.

    The problem is the decoder is using unknown or rxlinux as the service type, not winevent_snare, to parse my Windows log files. I was expecting the decoder to use winevent_snare, but it is not.

    Thanks for your assistance,
    Jim
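For context, here is a complete NxLog configuration around the `Exec` line quoted in the comment above. This is an added example, not configuration from the original poster or from NxLog's or NetWitness's documentation. The Snare conversion (`to_syslog_snare()`) is provided by the `xm_syslog` extension, the Windows Event Log is read with `im_msvistalog`, and the result is shipped over TCP with `om_tcp`. The host name `netwitness-logdecoder.example.com` and port `514` are placeholders; the tab/newline substitution is kept before the Snare conversion because the Snare format is tab-delimited, so tabs or line breaks inside the event message would otherwise corrupt the field layout the receiving parser depends on.

```conf
# Added example NxLog configuration (not from the original post).
# Loads the syslog extension that provides to_syslog_snare().
<Extension _syslog>
    Module      xm_syslog
</Extension>

# Read events from the Windows Event Log (Vista and later).
<Input eventlog>
    Module      im_msvistalog
</Input>

# Send events to the log collector/decoder in Snare-over-syslog format.
<Output netwitness>
    Module      om_tcp
    # Placeholder destination; replace with the real collector address.
    Host        netwitness-logdecoder.example.com
    Port        514
    # Flatten tabs and line breaks inside the message so they cannot
    # be mistaken for Snare field delimiters, then build the Snare line.
    Exec        $Message =~ s/(\t|\R)/ /g; to_syslog_snare();
</Output>

# Route the Event Log input to the TCP output.
<Route eventlog_to_netwitness>
    Path        eventlog => netwitness
</Route>
```

Running NxLog with this configuration produces syslog lines whose message part begins with the Snare marker (`MSWinEventLog`) followed by tab-separated fields; if the receiving decoder still reports an unexpected service type, inspecting a captured line for that marker and the tab layout is the first check to make.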