Replace Information in Logline with external Information

#1 MarkusH

Hello,

I have the following problem and no idea how to solve it:

I have a Logline from our VPN Server which looks like this: 2021-11-11 16-56-00, connect, PartnerIP=1.1.1.1, VPNIP=172.16.123.123, User="Computername.Domain.de"

My problem is that our SIEM system does not accept computer accounts for VPN connections. It only allows user accounts. That's why I need to transform it into:

2021-11-11 16-56-00, connect, PartnerIP=1.1.1.1, VPNIP=172.16.123.123, User="Username@Domain.de"

The connection between Computer and User is stored in a MS SQL Database or in a CSV/TXT File.

Is it possible to replace the computer entry with the corresponding username and then send it to a Syslog server? I did not find a possibility to load something like a key-value list.

#2 KlevinDeactivated Nxlog ✓

Hello Sir,

You can read the CSV/TXT file, use a regex to parse the VPN username to find the specific line, and after that re-use a regex, not to get the VPN user but the username you need on that line.

Sincerely Klevin
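
The lookup-and-replace described in this thread, as an added Python example that is not code from either poster or from NXLog. The CSV column names `computer` and `user` and the sample rows are assumptions. Unmapped computer accounts are passed through unchanged and reported, so the original attribution is never silently lost.

```python
import csv
import io
import re

# Constructed sample mapping (computer account -> user account); in practice
# this would be the CSV export of the computer/user table.
SAMPLE_CSV = """computer,user
Computername.Domain.de,Username@Domain.de
laptop42.domain.de,jdoe@Domain.de
"""

USER_FIELD = re.compile(r'User="([^"]*)"')
# Only plain user@domain values may be written back into the log line.
SAFE_USER = re.compile(r'[\w.\-]+@[\w.\-]+')


def load_mapping(lines):
    """Build a case-insensitive computer -> user lookup from CSV lines."""
    mapping = {}
    for row in csv.DictReader(lines):
        user = row["user"].strip()
        # Skip values that could break out of the quoted field (log injection).
        if SAFE_USER.fullmatch(user):
            mapping[row["computer"].strip().lower()] = user
    return mapping


def rewrite_line(line, mapping):
    """Return (line, replaced). Lines without a mapping stay unchanged."""
    match = USER_FIELD.search(line)
    if not match:
        return line, False
    user = mapping.get(match.group(1).lower())
    if user is None:
        return line, False
    start, end = match.span(1)
    return line[:start] + user + line[end:], True


MAPPING = load_mapping(io.StringIO(SAMPLE_CSV))

if __name__ == "__main__":
    sample = ('2021-11-11 16-56-00, connect, PartnerIP=1.1.1.1, '
              'VPNIP=172.16.123.123, User="Computername.Domain.de"')
    print(rewrite_line(sample, MAPPING))
```

The `replaced` flag lets the forwarding step count or tag lines whose computer account had no entry in the mapping.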