This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-07-15 10:13 AM

Trouble parsing application log comming with snare

Hi,

 

My colleague is having trouble with parsing aswell. We have an application running on a Windows box sending it's logs in the same syslog stream as snare.

 

He ran a sendunknown_messages and used the unx file in esi to parse the logs. yet again, esi parsing fine, but enVision doesn't seem to parse. The device was also typed as a multidevice, so he made a new event source but that didn't help aswell. Again, the ese scheme is the same as the enVision scheme, they have had the same ESU installed.

 

Are more people experiencing these issues and could you check what's wrong?

winevent_snare.unknown.20110714.zip
0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2011-07-15 02:15 PM

The messages in the unx file don't look like Windows messages.  I would think the do come up as undefined.  I take it that you used ESI and created a device XML for the application that is running on the Windows server.  If so, you should post your device XML and then I could inject it and see if it is getting discovered properly.

 

Also, remember that when you select Multi-Device, many times you get one device listed as unknown that will have messages that are undefined.  In this case, it looks like the undefined messages are with the Application not with Windows.

 

Paul

 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-07-18 04:02 AM

Hi paul,

 

That's what I said, the application log is not parsing and the unx file contains those logs. The device is being recognised as Windows snare just fine and the application logs come out as unknown messages. We just edited the snare file and added our own xml definitions for the application log. Both the log and that xml file should be in the zip.

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-07-19 08:57 AM

Hi Paul,

I am the colleague, who has issues with parsing the application log. My profile is now updated, so i can post and view other things on the web-site.

Arvind
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-07-19 11:16 AM

Great...have you tried injecting the log data for the application rather than having the client send it through SNARE?

 

If you inject the data and the device gets discovered properly, it might have something to do with sending the log in the same "stream" as you are sending the Windows logs.

 

Paul

 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-07-19 04:13 PM

Gents,

 

You may have added some messages, but there are no headers in the XML that match any of the logs, so these will definitely be undefined.  The ESI tool is showing me exactly zero matches on anything as a result.

 

You are going to need to add another header tag and probably tweak the message tags you added to make this work correctly.

 

Matt

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-07-20 09:49 AM

It might be easier to approach this a little differently...Have you tried to just write a separate device XML for your application?  Unless you need to "save" on device count, it would probably be better for tracking purposes to have a separate device for the application.  However, if you want to combine it with Windows SNARE, then I would suggest developing a separate XML, make sure it works...then add the header and messages to the Windows SNARE XML. 

 

Regards,

 

Paul

 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.