Hi David,
How do you apply a template to the Windows rsyslog client?
I can try attaching screenshots here that might help. A good example is to see how I have assigned syslogprocid to %processid%. This seems to work and it pulls out the windows process id. Just struggling on the structured data section.
Anyway here are some more screenshots, and let me know about how to apply a debug template.
Kind regards,
James
Sent from my iPhone
On 5 May 2021, at 11:03 am, David Lang <david@lang.hm> wrote:
Could you write the log message on the windows machine with the template RSYSLOG_DebugFormat so that we can see what all the variables are and their contents?
you can't set the default properties, you would need to set a variable like $!structured_data and use that in the template.
but it's possible that something is different in the windows build.
David Lang
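As an added illustration of the two suggestions above (not from the thread, and not the Windows agent's GUI configuration), this is what they look like in rsyslog's own config language on the receiving Linux side: one action dumps every property with the built-in RSYSLOG_DebugFormat template, and a second one builds an RFC 5424 line whose STRUCTURED-DATA field comes from a $!structured_data variable set in the ruleset, since the parsed structured-data property itself cannot be assigned. The listening port, file paths and the SD-ID "win@32473" (32473 is the enterprise number RFC 5424 reserves for examples) are assumed placeholders.

```rainerscript
# Assumed: the Windows agent sends to UDP/514; adjust input and port as needed
module(load="imudp")
input(type="imudp" port="514" ruleset="windows")

# RFC 5424 layout; the STRUCTURED-DATA slot reads the local $!structured_data
# variable instead of the read-only structured-data property
template(name="win5424" type="list") {
    constant(value="<") property(name="pri") constant(value=">1 ")
    property(name="timereported" dateFormat="rfc3339") constant(value=" ")
    property(name="hostname") constant(value=" ")
    property(name="app-name") constant(value=" ")
    property(name="procid") constant(value=" ")
    property(name="msgid") constant(value=" ")
    property(name="$!structured_data") constant(value=" ")
    property(name="msg") constant(value="\n")
}

ruleset(name="windows") {
    # Step 1 (debug): write every property and its content so the raw
    # message from the Windows agent can be inspected
    action(type="omfile" file="/var/log/win-debug.log"
           template="RSYSLOG_DebugFormat")

    # Step 2: assemble the SD-ELEMENT ourselves from properties that did
    # arrive (the Windows process id lands in procid in the OP's setup);
    # "-" is the RFC 5424 NILVALUE when nothing is available
    if $procid != "" and $procid != "-" then
        set $!structured_data = "[win@32473 procid=\"" & $procid
                                & "\" host=\"" & $hostname & "\"]";
    else
        set $!structured_data = "-";

    action(type="omfile" file="/var/log/win-5424.log" template="win5424")
}
```

Compare the debug file against the 5424 file: any field that is empty in the debug dump is not being sent by the agent at all, which separates an agent-side template problem from a receiver-side one.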
On Wed, 5 May 2021, James Ward-Smith wrote:
Date: Wed, 5 May 2021 00:50:18 +0000
From: James Ward-Smith <james.wardsmith@hotmail.com>
To: David Lang <david@lang.hm>
Cc: James Ward-Smith via rsyslog <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Structured Data in Windows Event
Hi David,
This is what I have currently:
But I have tried setting it as:
%rawevent%
%raw_event%
%xml%
%rawxml%
%event%
%structureddata%
%structured-data%
Kind regards,
James
Sent from my iPhone
On 5 May 2021, at 10:47 am, David Lang <david@lang.hm> wrote:
What is the config that sets the structured data?
David Lang
On Wed, 5 May 2021, James Ward-Smith wrote:
Date: Wed, 5 May 2021 00:18:42 +0000
From: James Ward-Smith <james.wardsmith@hotmail.com>
To: David Lang <david@lang.hm>
Cc: James Ward-Smith via rsyslog <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Structured Data in Windows Event
Hi,
We have got rsyslog windows agent 7.0 installed, and are trying to send windows event logs e.g. successful log offs to a Linux machine in a particular format.
I have attached images of the custom syslog header we are using, and images of the resulting syslog that seems to completely ignore the structured data section.
Kind regards,
James
Sent from my iPhone
On 5 May 2021, at 10:16 am, James Ward-Smith <james.wardsmith@hotmail.com> wrote:
On 5 May 2021, at 10:02 am, David Lang <david@lang.hm> wrote:
What software are you using to send the windows event data?
can you show us an example of a log that's not working? (what the rawmsg looks like)
David Lang
On Tue, 4 May 2021, James Ward-Smith via rsyslog wrote:
Hi,
We are using a custom syslog header to parse Windows Events into syslog format, but it does not seem to be picking up the structured data.
In our custom syslog header, we have referenced %syslogstructdata% and we are trying to set a property so that syslogstructdata is equal to the structured XML of the windows event. We are unable to get this to come through and can only get it if we use logpoint SIEM JSON format.
Kind regards,
James
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.