PHPlogcon message parser for SNARE

January 31, 2010 SWAT 8 comments

Lately I have been fiddling around with PHPlogcon. I wanted to consolidate logs from our servers on a single machine, which is a breeze to set up using any standard Linux syslog daemon. Furthermore I wanted a graphical front-end (a website is just fine) to enable access to the logs for the not-so-linux-savvy admins. So PHPlogcon fit the bill perfectly. It supports flat-file logs (yay) and even MySQL.

The Windows servers need an additional piece of software to get it to forward the “Eventlog” messages. The default “Windows Eventlog parser” which is shipped with PHPlogcon only works with a proprietary Windows Eventlog forwarders (Adiscon’s EventReporter and MonitorWare Agent), so I wrote my own parser for the Open Source SNARE Eventlog Agent. (sourceforge)

Just put the parser in classes/msgparsers/msgparser.eventlogsnare.class.php and add something like the this to your configuration file and you are done:

$CFG['Sources']['Source5']['ID'] = 'Source5';
$CFG['Sources']['Source5']['Name'] = 'EventLog';
$CFG['Sources']['Source5']['ViewID'] = 'EVTRPT';
$CFG['Sources']['Source5']['SourceType'] = SOURCE_DISK;
$CFG['Sources']['Source5']['MsgParserList'] = "eventlogsnare";
$CFG['Sources']['Source5']['LogLineType'] = 'winsyslog';
$CFG['Sources']['Source5']['DiskFile'] = '/var/log/win_eventlog.log';

FOSS, Ictivity, Ubuntu-NL, Ubuntu.com none

Comments

Leave a comment Trackback

Written by cnu about 2 years ago.

Hello, I tried your wrapper. But no success . I installed SNARE, and configured our central rsyslog server.

rsyslog server is configured for windows messages with the line:
:fromhost, startswith, “vu” /var/log/win_eventlog.log

I get the message like this: 2010-02-11T13:00:49+01:00 vuxxxx8 MSWinEventLog 1 Security 489 Thu Feb 11 13:00:26 2010 538 Security ANONYMOUS LOGON Well Known Group Success Audit vuxxxx8 Logon/Logoff User Logoff: #011User Name:#011ANONYMOUS LOGON #011Domain:#011#011NT AUTHORITY #011Logon ID:#011#011(0×0,0×3025986) #011Logon Type:#0113 472
2010-02-11T13:00:49+01:00 vu39198 MSWinEventLog 1 Security 490 Thu Feb 11 13:00:27 2010 540 Security ANONYMOUS LOGON Well Known Group Success Audit vuxxxx8 Logon/Logoff Successful Network Logon: #011User Name:#011 #011Domain:#011#011 #011Logon ID:#011#011(0×0,0x34D6D1C) #011Logon Type:#0113 #011Logon Process:#011NtLmSsp #011Authentication Package:#011NTLM #011Workstation Name:#011 #011Logon GUID:#011- 473

But the complete message is only available in the “Message” column. Nothing in Severity, Eventlog Type and so on. Can you help me ?

Maybe change the delimiter from SNARE ? br cnu
Written by SWAT about 2 years ago.

just use a correct facility and priority to send it the logs to a separate logfile, you do not need to add prefixes.

Example of one of my own loglines in the logfile:
Feb 12 22:17:53 ARRAKIS MSWinEventLog#0111#011System#011314#011vr feb 12 22:17:45 2010#01185#011SAVOnAccess#011N/A#011N/A#011Error#011ARRAKIS#011None#011#011 File [...\directx.dll.mui]‘s scan succeeded following a timeout/busy condition – it is being logged in case it contributed to that condition. Process svchost.exe, (start check timestamp [ 1caac2ad1basehc]). #011113
Written by cnu about 2 years ago.

Hello, I made some mistakes. But now it works. Thank You.

Other Question, is it possible to edit the Severity and so on, to get it coloured ? “Success Audit” and “Information” in green and “Warning” in red ? br cnu
Written by Aerlas about 2 years ago.

Hi SWAT !!

I met an error …
When i put your (wonderful parser file, LogAnalyzer can’t show me the list of parsers… (bug ?)

The error says : “Fatal error: Class ‘MsgParser_eventsnare’ not found in /var/www/loganalyzer/include/functions_config.php on line 243″

So, i made some try, like rename msgparser.iis.class.php in msgparser.iiiiiiiiiis.class.php, by exemple … same error.

It’s like Loganalyzer didn’t find the name of any new parser …

Have you an idea ? I reinstalled all the log system (debian / rsyslog / phplogcon (loganalyzer 3.0)) ..

Thanks

PS : I already wrote a subject on it here :
http://kb.monitorware.com/snare-msg-parser-t10171.html#p18859
Written by Aerlas about 2 years ago.

ahaha, the solution was easy … ^^
check the topic, to see it

http://kb.monitorware.com/snare-msg-parser-t10171.html#p18859
Written by Jeff about 2 years ago.

I spent some time trying to get this to work. I have rsyslog dumping to mysql and loganalyzer installed and configured.

I have the msgparser installed with the correct name of the file and inside the file. I do not get any errors when starting rsyslog or loganalyzer. I can also click on message parsers from the admin center with no errors.

The problem is that the parser does not seem to be parsing. It seems like anyway i try to enable the parser the logs enter the same way. From no parser to specified. Even if I direclty edit config.php sources or if i do it from admin center and speciry it. It just looks the same always.

Do I have snare incorrectly configured?
Written by aerlas about 2 years ago.

Hi Jeff !
Maybe it’s too late, but 3 important points to verify :

1 – Snare Client side : in “Network config”, check you enabled “Enable SYSLOG Header?”.

2 – Rsyslog server side : in /etc/rsyslog.conf, check you have this line :
$EscapeControlCharactersOnReceive on

3 – Loganalyzer : Go in “Admin center” >> “Sources”. And verify that you have selected “Adiscon Winsyslog” (in Logline type)

Then, after a “/etc/init.d/rsyslog restart”, this must be ok.
Written by Jeff about 1 year ago.

Thanks for this! Does the parser only work correctly when using a diskfile source for LogAnalyzer or, can a MySQL database be used as the source and still be properly parsed? If so, is there a pointer you could provide, as I am unable to get correctly parsed data while using a MySQL database as the source for LogAnalyzer.

Cheers

Leave a Comment

Previous Post Next Post

Lifestream

Apple's iPhone has a similar vendor lock-in as RIM's Blackberry. When my (data) provider fails, I switch (data) provider. I have an Android [swat]

— October 12th via Identi.ca
Not liking the 'new' Mozilla Firefox version numbering. Waiting for Firefox (20)11... [swat]

— October 12th via Identi.ca

Various

Categories