Hi,
I have Windows XML logs coming into my Heavy Forwarder (via the universal forwarder with the TA_windows).
When I send these events through syslog I can see that some events are split because of the carriage returns.
Example:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-03-10T16:15:47.000184600Z'/><EventRecordID>157445</EventRecordID><Correlation/><Execution ProcessID='516' ThreadID='2448'/><Channel>Security</Channel><Computer>MININT-5B0409J.test.lan</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>MININT-5B0409J$</Data><Data Name='SubjectDomainName'>TEST</Data><Data Name='SubjectLogonId'>0x1bda93a</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeDebugPrivilege
SeEnableDelegationPrivilege</Data></EventData></Event>
My syslog message looks like this:
<13> MININT-5B0409J <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-03-10T16:15:47.000184600Z'/><EventRecordID>157445</EventRecordID><Correlation/><Execution ProcessID='516' ThreadID='2448'/><Channel>Security</Channel><Computer>MININT-5B0409J.test.lan</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>MININT-5B0409J$</Data><Data Name='SubjectDomainName'>TEST</Data><Data Name='SubjectLogonId'>0x1bda93a</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
Here is the conf I use:
props.conf
[host::MININT*]
TRANSFORMS-orano = windows-compagny
MAX_TIMESTAMP_LOOKAHEAD = 16
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <Event xmlns
LINE_BREAKER = ([\r\n]+)(?=<Event xmlns)
transforms.conf
[windows-compagny]
REGEX = .
#REGEX = <Event ((\S|\s)*?)<\/Event>
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_data
outputs.conf
[syslog:syslog_data]
maxEventSize = 9999999
server = 192.168.1.10:515
type = tcp
If someone has an idea.
Thanks in advance.
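As an added illustration (not code from the post or from Splunk), the script below models the two halves of the problem described above: a newline-delimited transport such as syslog over TCP turns every CR/LF inside one Windows XML event into a separate, truncated message, while the `[\r\n]+(?=<Event xmlns)` lookahead from the post's LINE_BREAKER only cuts at real event boundaries. It flattens the inner newlines per event before sending, then checks that the flattened event is still well-formed XML and that the PrivilegeList value (the security-relevant part of a 4672 event) is still recoverable as a list. The sample event and host name are constructed; they mirror the shape of the event in the post, not its exact content.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample (hypothetical host), shaped like the 4672 event in the post:
# the PrivilegeList value contains CR/LF-separated privilege names.
SAMPLE_EVENT = (
    f"<Event xmlns='{NS}'><System><EventID>4672</EventID>"
    "<Computer>HOST-EXAMPLE.test.lan</Computer></System>"
    "<EventData><Data Name='SubjectUserName'>HOST-EXAMPLE$</Data>"
    "<Data Name='PrivilegeList'>SeSecurityPrivilege\r\n"
    "SeBackupPrivilege\r\nSeDebugPrivilege</Data></EventData></Event>"
)

# Same lookahead as the post's LINE_BREAKER: break only before the next <Event xmlns.
EVENT_BOUNDARY = re.compile(r"[\r\n]+(?=<Event xmlns)")
# Any CR/LF run inside an event; this is what a newline-delimited sender splits on.
INNER_NEWLINES = re.compile(r"[\r\n]+")
WHITESPACE = re.compile(r"\s+")


def split_events(stream):
    """Indexer-side view: cut a raw stream into whole events at the <Event xmlns boundary."""
    return [e for e in EVENT_BOUNDARY.split(stream) if e.strip()]


def syslog_messages(event_xml):
    """Transport-side view: one message per line, so every CR/LF inside the event
    produces a separate fragment and only the first fragment carries the XML header."""
    return [m for m in INNER_NEWLINES.split(event_xml) if m]


def flatten_event(event_xml, sep=" "):
    """Collapse CR/LF runs inside a single event to `sep` before handing it to syslog.
    Applied per event (after split_events), it can never merge two events together."""
    return INNER_NEWLINES.sub(sep, event_xml.strip())


def is_well_formed(text):
    """True if the text parses as XML, i.e. the receiver still gets a complete event."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def privilege_list(event_xml):
    """Parse the event and return PrivilegeList as a list, so the value stays usable
    for detection (e.g. flagging SeDebugPrivilege granted to an interactive logon).
    Works on both the raw multi-line value and the flattened one."""
    root = ET.fromstring(event_xml)
    node = root.find(f".//{{{NS}}}Data[@Name='PrivilegeList']")
    if node is None or not node.text or not node.text.strip():
        return []
    return WHITESPACE.split(node.text.strip())


def demo():
    """Walk one two-event stream through both views and return the counts."""
    stream = SAMPLE_EVENT + "\r\n" + SAMPLE_EVENT.replace("4672", "4624")
    events = split_events(stream)                      # 2 whole events
    broken = syslog_messages(events[0])                # 3 fragments, first not parseable
    fixed = syslog_messages(flatten_event(events[0]))  # 1 message, still parseable
    return len(events), len(broken), len(fixed), privilege_list(fixed[0])


if __name__ == "__main__":
    n_events, n_broken, n_fixed, privs = demo()
    print(f"events={n_events} raw_fragments={n_broken} flattened_messages={n_fixed}")
    print("privileges:", privs)
```

The substitution `flatten_event` performs is the same one Splunk's props.conf `SEDCMD-<class> = s/[\r\n]+/ /g` directive expresses (that directive is not part of the post's configuration; whether it runs ahead of the syslog output in a given pipeline should be verified in the forwarder's own documentation). Replacing the newline with a space keeps the event a single syslog message and keeps the privilege names separable on the receiving side.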