Hi All
We failed to convert to LEEF, so we tried using CEF.
The source of the problem seems to be related to the format of the source
file, which is a CSV file on the filesystem where the data are written.
With the CSV as source file and the CEF ruleset imported we obtain this:
Oct 6 16:24:15 Server1 refername:
CEF:0|adiscon|rsyslogwindowsagent|5.0|Eventlog||10|cat= suser= cs1= msg=id"-1","LaUser","1.1.1.1","POST","496","1499","fqdn","/amb/connect","OBSERVED","","1601992067","2020-10-06 13:47:47","https","Business, Software/Hardware","text/plain","","Minimal Risk","FCB - permitted mime types","200","IpAddress","","","IE","","Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
The problem is that the destination SIEM can't parse the payload because
it is all after msg=id"-1" without the Field/Data pairs. We would like to solve this
and obtain this type of output:
Oct 6 16:24:15 Server1 refername:
CEF:0|adiscon|rsyslogwindowsagent|5.0|Eventlog||10|act=OBSERVED src=1.1.1.1 suser=LaUser start:2020 10 06 13:47:47 requestMethod=POST requestClientApplication=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko request=https://fqdn/amb/connect
Consider that we are using Rsyslog for Windows.
Do you have any suggestions on how to do it?
Fabio Danìa
Information & Communication Technology
Authentication & Network services
On behalf of FCA Item
Corso Luigi Settembrini 167, Ingresso 19
10135 Torino – ITALY
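The conversion asked for in the message above, written out as an added Python example (not rsyslog Windows Agent configuration and not code from Adiscon or the thread): it parses one CSV row with a real CSV parser and emits the CEF extension as key=value pairs, plus a LEEF 1.0 line from the same mapping, since LEEF was the original goal. The column positions are assumptions inferred from the sample row, the header values are copied from the thread's CEF line, the sample row is constructed from that same line, and `start` is emitted as epoch milliseconds (taken from the row's epoch column) because that is a form the CEF extension accepts. Two points the thread's output hides: the category column ("Business, Software/Hardware") contains a quoted comma, so a naive split on commas shifts every later column including the user agent, and values containing `=` or `\` must be escaped or the SIEM will mis-split the pairs.

```python
"""Turn a CSV proxy-log row into CEF and LEEF lines with proper key=value pairs.

Added example for the thread above: an offline reference for what the agent's
ruleset should emit, not the agent's own property-engine configuration.
"""
import csv
import io

# Constructed sample row modelled on the line quoted in the thread (not real traffic).
SAMPLE_ROW = (
    '"-1","LaUser","1.1.1.1","POST","496","1499","fqdn","/amb/connect","OBSERVED","",'
    '"1601992067","2020-10-06 13:47:47","https","Business, Software/Hardware",'
    '"text/plain","","Minimal Risk","FCB - permitted mime types","200","IpAddress",'
    '"","","IE","","Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"'
)

# Hypothetical column map, inferred from the sample row; adjust to the real CSV schema.
COL_USER, COL_SRC, COL_METHOD, COL_HOST, COL_PATH = 1, 2, 3, 6, 7
COL_ACTION, COL_EPOCH, COL_SCHEME, COL_UA = 8, 10, 12, 24
EXPECTED_COLUMNS = 25

# Header values taken from the thread's sample CEF line.
CEF_HEADER = ("adiscon", "rsyslogwindowsagent", "5.0", "Eventlog", "", "10")
LEEF_HEADER = ("adiscon", "rsyslogwindowsagent", "5.0", "Eventlog")


def split_row(line):
    """Split one CSV row with a real CSV parser: the category column holds a
    quoted comma ("Business, Software/Hardware"), so str.split(',') would
    shift every later column, including the user agent."""
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) != EXPECTED_COLUMNS:
        raise ValueError(f"expected {EXPECTED_COLUMNS} columns, got {len(fields)}")
    return fields


def parse_row(line):
    """Map the CSV columns onto CEF/LEEF extension keys (insertion order is kept)."""
    f = split_row(line)
    return {
        "act": f[COL_ACTION],
        "src": f[COL_SRC],
        "suser": f[COL_USER],
        # CEF accepts epoch milliseconds for start; the row's epoch column is seconds.
        "start": str(int(f[COL_EPOCH]) * 1000),
        "requestMethod": f[COL_METHOD],
        "requestClientApplication": f[COL_UA],
        "request": f"{f[COL_SCHEME]}://{f[COL_HOST]}{f[COL_PATH]}",
    }


def cef_escape_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """CEF extension values: escape backslash and '=', encode newlines as \\n.
    Backslash is escaped first so the other escapes are not doubled."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))


def leef_escape_ext(value):
    """LEEF 1.0 separates pairs with a tab, so a tab or newline inside a value
    would split the pair; replace them with spaces."""
    return value.replace("\t", " ").replace("\r", " ").replace("\n", " ")


def to_cef(ext):
    header = "|".join(cef_escape_header(h) for h in CEF_HEADER)
    pairs = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{pairs}"


def to_leef(ext):
    header = "|".join(cef_escape_header(h) for h in LEEF_HEADER)
    pairs = "\t".join(f"{k}={leef_escape_ext(v)}" for k, v in ext.items())
    return f"LEEF:1.0|{header}|{pairs}"


def convert(line, fmt="cef"):
    """Convert one CSV row to a CEF (default) or LEEF line."""
    ext = parse_row(line)
    return to_cef(ext) if fmt == "cef" else to_leef(ext)


if __name__ == "__main__":
    print(convert(SAMPLE_ROW, "cef"))
    print(convert(SAMPLE_ROW, "leef"))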
On Fri, Oct 9, 2020 at 12:11 PM Fabio Dania <fabio.dania@external.fcagroup.com> wrote:
> Thanks a lot to all
>
> We have imported the ruleset successfully.
> Now we try to convert/modify the CEF to LEEF.
>
>
> Fabio Danìa
> Information & Communication Technology
> Authentication & Network services
> On behalf of FCA Item
> Corso Luigi Settembrini 167, Ingresso 19
> 10135 Torino – ITALY
>
>
> On Tue, Oct 6, 2020 at 12:45 PM Andre Lorbach via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
>> Hi Fabio,
>>
>> There is no direct support to automatically convert messages into LEEF
>> Format but usually we can build almost any format using our property
>> engine.
>> In the past, I have created a ruleset for RSyslog Windows Agent that
>> outputs a proper CEF formatted message which looks very similar to LEEF
>> format.
>> You can download it from here:
>> https://download.adiscon.com/configs/ruleset-cef-format.cfg
>>
>> It helps you get started somewhere and I can help you adapt it to LEEF if
>> needed.
>>
>> Best regards,
>> Andre Lorbach
>> --
>> Adiscon GmbH
>> Mozartstr. 21
>> 97950 Großrinderfeld, Germany
>> Ph. +49-9349-9298530
>> Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB
>> 560610
>> Ust.-IDNr.: DE 81 22 04 622
>> Web: www.adiscon.com - Mail: info@adiscon.com
>>
>> Information regarding your data privacy policy can be found here:
>> https://www.adiscon.com/data-privacy-policy/
>>
>> This e-mail may contain confidential and/or privileged information. If you
>> are not the intended recipient or have received this e-mail in error, please
>> notify the sender immediately and delete this e-mail. Any unauthorized
>> copying, disclosure or distribution of the material in this e-mail is
>> strictly forbidden.
>>
>>
>>
>>
>> > -----Original Message-----
>> > From: rsyslog <rsyslog-bounces@lists.adiscon.com> On behalf of Fabio
>> > Dania via rsyslog
>> > Sent: Monday, 5 October 2020 18:22
>> > To: rsyslog@lists.adiscon.com
>> > Cc: Fabio Dania <fabio.dania@external.fcagroup.com>
>> > Subject: [rsyslog] Request information LEEF Format
>> >
>> > Hi All
>> > We have this version of rsyslog on a Windows machine.
>> >
>> > Client Version 6.2.0.284
>> > Service Version 6.2.0.209
>> >
>> > We need to know if it's possible to use the LEEF format (instead of CEF) to
>> > send logs to a remote syslog server.
>> > From the documentation it seems that LEEF is not mentioned. Is there a way to
>> > use this format with rsyslog?
>> >
>> > Thanks in advance
>> >
>> > Fabio Danìa
>> > Information & Communication Technology
>> > Authentication & Network services
>> > On behalf of FCA Item
>> > Corso Luigi Settembrini 167, Ingresso 19
>> > 10135 Torino – ITALY
>> > _______________________________________________
>> > rsyslog mailing list
>> > https://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL:
>> > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
>> > beyond
>> > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.