Linux log with syslog PRI not parsed

Discussion created by Yacine BERREZOUG on Jan 8, 2021
Latest reply on Jan 12, 2021 by Yacine BERREZOUG

Like • Show 0 Likes0
Comment • 6

Hello,

I have a parsing issue with the following Linux log :

<37>Jan 4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)

This log is not matching rhlinux devices type and is parsed as unknown.

By removing syslog PRI in the header :

Jan 4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)

The log is correctly parsed as rhlinux by header 0016:

<month> <day> <time> <hhost> <messageid>[<process_id>]: <!payload:messageid>"

While a windows log with PRI is correctly parsed as winevent_snare (header 1001) on the same decoder (log file import from GUI for both):

<133>Jan 5 23:04:42 hostname MSWinEventLog 1 Security 202206857 Tue Jan 05 23:04:42 2021 4648 Microsoft-Windows-Security-Auditing …..

However, 0016 rhlinux and 1001 weinevent_snare headers are similar at the beginning :

--Rhlinux 0016 header content : “<month> <day> <time> <hhost> <messageid>[<process_id>]: <!payload:messageid>"
--Wineventsnare 1001 header content : "<month> <day> <time> <hostname> <log_type>	<criticality>	<msgIdPart1>	<linenum>	<date> <datetime>	<msgIdPart2>	<msgIdPart3>	<!payload:log_type>"

Why winevent_snare 307 with <133> PRI is well parsed and rhlinuxlog with <37> PRI is not ?

Could you please help ?

Thank you in advance.

Outcomes

Dave Glover

Jan 8, 2021 5:50 AM

Where are you seeing these parsing errors? The PRI tag is stripped off by the log decoder, it never makes it to the parsing engine. Is this coming through a relay, possibly adding a second PRI tag?

Can I get a little bit more information?

Actions

Yacine BERREZOUG Jan 8, 2021 6:20 AM

Hello Dave,

Thank you for your answer.

We don't see parsing errors, the log is just not parsed (match unknown device type).

This log is coming through a relay adding this PRI tag and currently it's impossible to access on this relay and remove the tag.

And it seems like the PRI tag is not stripped off by the log decoder.

Thank you,

Actions

Dave Glover

@ Yacine BERREZOUG on Jan 8, 2021 7:34 AM

Can you perform a tcpdump -A port 514 and post the results with the linux log on it so I can see exactly what is seen by the NW log collector

Thanks

Actions

Yacine BERREZOUG Jan 8, 2021 8:29 AM

Below the packet we see with the tcpdump :

[][][10.10.10.10][1622212150][]<37>Jan 6 21:22:30 hostname PAM-unixteam[110242]: pam_sm_close_session(service=crond, terminal=cron, user=xxxx, ruser=UNDEF, rhost=UNDEF)

Thanks

Actions

Dave Glover

@ Yacine BERREZOUG on Jan 8, 2021 8:40 AM

I see the issue. You can not use a PRI tag when using the Z-connector header.

Remove the tag

Are you using Rsyslog? If so, I had them add a special function to do this.

Instead of using %rawmsg% use %rawmsg-after-pri% This works in rsyslog version eight and above

Actions

Yacine BERREZOUG Jan 12, 2021 5:30 AM

Hello Dave,

Thank you for your answer.

I still don't have any way to change syslog configuration.

Do you know why windows log with PRI is well parsed ?

<133>Jan 5 23:04:42 hostname MSWinEventLog 1 Security 202206857 Tue Jan 05 23:04:42 2021 4648 Microsoft-Windows-Security-Auditing …..

Thanks

Actions

6 Replies

Dave Glover Jan 8, 2021 5:50 AM
Where are you seeing these parsing errors? The PRI tag is stripped off by the log decoder, it never makes it to the parsing engine. Is this coming through a relay, possibly adding a second PRI tag?

Can I get a little bit more information?
Like • Show 0 Likes0
Actions
Yacine BERREZOUG Jan 8, 2021 6:20 AM
Hello Dave,
Thank you for your answer.

We don't see parsing errors, the log is just not parsed (match unknown device type).
This log is coming through a relay adding this PRI tag and currently it's impossible to access on this relay and remove the tag.
And it seems like the PRI tag is not stripped off by the log decoder.

Thank you,
Like • Show 0 Likes0
Actions
- Dave Glover @ Yacine BERREZOUG on Jan 8, 2021 7:34 AM
  Can you perform a tcpdump -A port 514 and post the results with the linux log on it so I can see exactly what is seen by the NW log collector
  
  Thanks
  Like • Show 0 Likes0
  Actions
Yacine BERREZOUG Jan 8, 2021 8:29 AM
Below the packet we see with the tcpdump :
[][][10.10.10.10][1622212150][]<37>Jan 6 21:22:30 hostname PAM-unixteam[110242]: pam_sm_close_session(service=crond, terminal=cron, user=xxxx, ruser=UNDEF, rhost=UNDEF)

Thanks
Like • Show 0 Likes0
Actions
- Dave Glover @ Yacine BERREZOUG on Jan 8, 2021 8:40 AM
  I see the issue. You can not use a PRI tag when using the Z-connector header.
  
  Remove the tag
  
  Are you using Rsyslog? If so, I had them add a special function to do this.
  
  Instead of using %rawmsg% use %rawmsg-after-pri% This works in rsyslog version eight and above
  Like • Show 0 Likes0
  Actions
Yacine BERREZOUG Jan 12, 2021 5:30 AM
Hello Dave,

Thank you for your answer.
I still don't have any way to change syslog configuration.
Do you know why windows log with PRI is well parsed ?
<133>Jan 5 23:04:42 hostname MSWinEventLog 1 Security 202206857 Tue Jan 05 23:04:42 2021 4648 Microsoft-Windows-Security-Auditing …..

Thanks
Like • Show 0 Likes0
Actions

Linux log with syslog PRI not parsed

Outcomes

Related Content

Recommended Content