PHPlogcon message parser for SNARE
Lately I have been fiddling around with PHPlogcon. I wanted to consolidate logs from our servers on a single machine, which is a breeze to set up using any standard Linux syslog daemon. Furthermore I wanted a graphical front-end (a website is just fine) to enable access to the logs for the not-so-linux-savvy admins. So PHPlogcon fit the bill perfectly. It supports flat-file logs (yay) and even MySQL.
The Windows servers need an additional piece of software to forward the “Eventlog” messages. The default “Windows Eventlog parser” shipped with PHPlogcon only works with proprietary Windows Eventlog forwarders (Adiscon’s EventReporter and MonitorWare Agent), so I wrote my own parser for the Open Source SNARE Eventlog Agent. (sourceforge)
Just put the parser in classes/msgparsers/msgparser.eventlogsnare.class.php, add something like this to your configuration file, and you are done:
$CFG['Sources']['Source5']['ID'] = 'Source5';
$CFG['Sources']['Source5']['Name'] = 'EventLog';
$CFG['Sources']['Source5']['ViewID'] = 'EVTRPT';
$CFG['Sources']['Source5']['SourceType'] = SOURCE_DISK;
$CFG['Sources']['Source5']['MsgParserList'] = "eventlogsnare";
$CFG['Sources']['Source5']['LogLineType'] = 'winsyslog';
$CFG['Sources']['Source5']['DiskFile'] = '/var/log/win_eventlog.log';
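As an added example (not the PHP parser from this post), here is a small Python reader for the SNARE record format seen in the log lines on this page; it assumes rsyslog's default escaping of control characters as '#' plus three octal digits (so a TAB arrives as "#011") and the standard SNARE field order, and it refuses lines whose TABs were collapsed to spaces instead of guessing field boundaries.

```python
import re

# Field order of a SNARE "MSWinEventLog" record, as in the log lines on this page.
# SNARE separates fields with TAB; rsyslog escapes each control character it
# receives as '#' plus three octal digits, so a TAB arrives as "#011".
SNARE_FIELDS = (
    "criticality", "log_name", "counter", "event_time", "event_id", "source",
    "user", "sid_type", "event_type", "computer", "category", "data",
    "description", "checksum",
)
_OCTAL_ESCAPE = re.compile(r"#([0-3][0-7]{2})")

def unescape_rsyslog(text: str) -> str:
    """Turn rsyslog's '#ooo' octal escapes back into the original characters."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)

def parse_snare_line(line: str):
    """Parse one syslog line carrying a SNARE record into a dict of named fields.
    Returns None for non-SNARE lines and for lines whose TABs were collapsed to
    spaces on the way: those cannot be split reliably, which is why a viewer then
    shows the whole record in its 'Message' column only."""
    head, marker, body = line.partition("MSWinEventLog")
    if not marker:
        return None
    body = unescape_rsyslog(body)
    if not body.startswith("\t"):
        return None  # delimiter is not a TAB: refuse to guess field boundaries
    parts = body[1:].split("\t")
    if len(parts) < len(SNARE_FIELDS):
        return None
    # The event description itself contains TABs (e.g. "User Name:<TAB>..."),
    # so everything between the 'data' field and the trailing checksum is description.
    fields = parts[:12] + ["\t".join(parts[12:-1]), parts[-1]]
    record = dict(zip(SNARE_FIELDS, fields))
    record["syslog_host"] = head.split()[-1] if head.split() else ""
    return record

# Constructed sample lines modelled on the ones quoted on this page (not real hosts).
SAMPLE_TABBED = (
    "Feb 12 22:17:53 ARRAKIS MSWinEventLog#0111#011System#011314#011"
    "vr feb 12 22:17:45 2010#01185#011SAVOnAccess#011N/A#011N/A#011Error#011"
    "ARRAKIS#011None#011#011Scan of file.dll succeeded after a timeout.#011113"
)
SAMPLE_COLLAPSED = (
    "2010-02-11T13:00:49+01:00 vuxxxx8 MSWinEventLog 1 Security 489 "
    "Thu Feb 11 13:00:26 2010 538 Security ANONYMOUS LOGON Well Known Group "
    "Success Audit vuxxxx8 Logon/Logoff User Logoff: 472"
)
```

`parse_snare_line(SAMPLE_TABBED)` yields a dict with `event_id` '85' and `event_type` 'Error', while the space-separated sample returns None, the same symptom as a record that lands entirely in the Message column.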
Hello, I tried your wrapper. But no success :-(. I installed SNARE, and configured our central rsyslog server.
rsyslog server is configured for windows messages with the line:
:fromhost, startswith, "vu" /var/log/win_eventlog.log
I get the message like this: 2010-02-11T13:00:49+01:00 vuxxxx8 MSWinEventLog 1 Security 489 Thu Feb 11 13:00:26 2010 538 Security ANONYMOUS LOGON Well Known Group Success Audit vuxxxx8 Logon/Logoff User Logoff: #011User Name:#011ANONYMOUS LOGON #011Domain:#011#011NT AUTHORITY #011Logon ID:#011#011(0x0,0x3025986) #011Logon Type:#0113 472
2010-02-11T13:00:49+01:00 vu39198 MSWinEventLog 1 Security 490 Thu Feb 11 13:00:27 2010 540 Security ANONYMOUS LOGON Well Known Group Success Audit vuxxxx8 Logon/Logoff Successful Network Logon: #011User Name:#011 #011Domain:#011#011 #011Logon ID:#011#011(0x0,0x34D6D1C) #011Logon Type:#0113 #011Logon Process:#011NtLmSsp #011Authentication Package:#011NTLM #011Workstation Name:#011 #011Logon GUID:#011- 473
But the complete message is only available in the “Message” column. Nothing in Severity, Eventlog Type and so on. Can you help me?
Maybe change the delimiter from SNARE? br cnu
Just use a correct facility and priority to send the logs to a separate logfile; you do not need to add prefixes.
Example of one of my own loglines in the logfile:
Feb 12 22:17:53 ARRAKIS MSWinEventLog#0111#011System#011314#011vr feb 12 22:17:45 2010#01185#011SAVOnAccess#011N/A#011N/A#011Error#011ARRAKIS#011None#011#011 File [...\directx.dll.mui]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process svchost.exe, (start check timestamp [ 1caac2ad1basehc]). #011113
Hello, I made some mistakes. But now it works. Thank You.
Other question: is it possible to edit the Severity and so on to get it coloured? “Success Audit” and “Information” in green and “Warning” in red? br cnu