This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-12-19 09:18 AM

Adiscon Event Reporter and Hyper-V

Hi, I am having a problem configuring Adiscon Event Reporter to send Hyper-V logs to enVision.
enVision receives the Hyper-V messages but messages are not parsed and they are going to class undefined.

I have tested following compinations:


Adiscon Syslog processing: Use legacy RFC 3164 processing Adiscon

Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Message in enVision: Dec 01 10:17:10 DOMAIN-machine1.domain.local EvntSLog: [Error] 2011-12-01 08:17:11: NT AUTHORITY\NETWORK SERVICE/DOMAIN-machine1.domain.local/Microsoft-Windows-Hyper-V-VMMS (16370) - "'DC21' cannot create the storage required for the snapshot D:\Virtual\DC0_D938D5C8-539E-447B-8F99-A89C8028EC5E.avhd: The system cannot find the file specified. (0x80070002). (Virtual machine ID 7DCCBC24-8586-40D7-AG9F-8A3211F7319925)"

------------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first time stamp is ripped of

-----------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: %sourceproc% [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first time stamp is ripped of and one variable added after EvntSLog: string

-----------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: [%level%] %timegenerated:::uxTimeStamp%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first time stamp is ripped of and second time is in unix format

----------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: %sourceproc% [%level%] %timegenerated:::uxTimeStamp%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first time stamp is ripped of and one variable added after EvntSLog: string and second time is in unix format

--------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: %sourceproc% [%level%] %timegenerated% %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first time stamp is ripped of and one variable added after EvntSLog: string and : removed after "timegenerated" variable.


None of these have resulted that the enVision has been able to parse the message!!
Could someone help me with this.

Server: Windows2008R2
Log: Hyper-V Adiscon
version: Adiscon Event Reporet 12.0

0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2011-12-22 11:31 AM

What version of Event Reporter are you using?

 

This looks to be an bug in the winevent_er xml. The headers do not support the format outlined in the configuration document. The issue is with the prepended syslog header as defined by RFC 3164. The XML is not expecting date-time hostname .... I will have this fixed in ESU.

 

In the meantime, Event Reporter configuration might be able to solve this issue.

 

Try...

 

Adiscon Syslog processing: Use Custom Syslog header: leave this blank.

Adiscon Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

 

I think the events would come out with no syslog header and message in correct format.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.