1 – Snare Client side : in “Network config”, check you enabled “Enable SYSLOG Header?”.

2 – Rsyslog server side : in /etc/rsyslog.conf, check you have this line :
$EscapeControlCharactersOnReceive on

3 – Loganalyzer : Go in “Admin center” >> “Sources”. And verify that you have selected “Adiscon Winsyslog” (in Logline type)

Then, after a “/etc/init.d/rsyslog restart”, this must be ok.

I have the msgparser installed with the correct name of the file and inside the file. I do not get any errors when starting rsyslog or loganalyzer. I can also click on message parsers from the admin center with no errors.

The problem is that the parser does not seem to be parsing. It seems like anyway i try to enable the parser the logs enter the same way. From no parser to specified. Even if I direclty edit config.php sources or if i do it from admin center and speciry it. It just looks the same always.

Do I have snare incorrectly configured?

http://kb.monitorware.com/snare-msg-parser-t10171.html#p18859

I met an error …
When i put your (wonderful parser file, LogAnalyzer can’t show me the list of parsers… (bug ?)

The error says : “Fatal error: Class ‘MsgParser_eventsnare’ not found in /var/www/loganalyzer/include/functions_config.php on line 243″

So, i made some try, like rename msgparser.iis.class.php in msgparser.iiiiiiiiiis.class.php, by exemple … same error.

It’s like Loganalyzer didn’t find the name of any new parser …

Have you an idea ? I reinstalled all the log system (debian / rsyslog / phplogcon (loganalyzer 3.0)) ..

Thanks

PS : I already wrote a subject on it here :
http://kb.monitorware.com/snare-msg-parser-t10171.html#p18859

Other Question, is it possible to edit the Severity and so on, to get it coloured ? “Success Audit” and “Information” in green and “Warning” in red ? br cnu

Example of one of my own loglines in the logfile:
Feb 12 22:17:53 ARRAKIS MSWinEventLog#0111#011System#011314#011vr feb 12 22:17:45 2010#01185#011SAVOnAccess#011N/A#011N/A#011Error#011ARRAKIS#011None#011#011 File [...\directx.dll.mui]’s scan succeeded following a timeout/busy condition – it is being logged in case it contributed to that condition. Process svchost.exe, (start check timestamp [ 1caac2ad1basehc]). #011113

rsyslog server is configured for windows messages with the line:
:fromhost, startswith, “vu” /var/log/win_eventlog.log

I get the message like this: 2010-02-11T13:00:49+01:00 vuxxxx8 MSWinEventLog 1 Security 489 Thu Feb 11 13:00:26 2010 538 Security ANONYMOUS LOGON Well Known Group Success Audit vuxxxx8 Logon/Logoff User Logoff: #011User Name:#011ANONYMOUS LOGON #011Domain:#011#011NT AUTHORITY #011Logon ID:#011#011(0×0,0×3025986) #011Logon Type:#0113 472
2010-02-11T13:00:49+01:00 vu39198 MSWinEventLog 1 Security 490 Thu Feb 11 13:00:27 2010 540 Security ANONYMOUS LOGON Well Known Group Success Audit vuxxxx8 Logon/Logoff Successful Network Logon: #011User Name:#011 #011Domain:#011#011 #011Logon ID:#011#011(0×0,0×34D6D1C) #011Logon Type:#0113 #011Logon Process:#011NtLmSsp #011Authentication Package:#011NTLM #011Workstation Name:#011 #011Logon GUID:#011- 473

But the complete message is only available in the “Message” column. Nothing in Severity, Eventlog Type and so on. Can you help me ?

Maybe change the delimiter from SNARE ? br cnu