Yacine BERREZOUG

Linux log with syslog PRI not parsed

Discussion created by Yacine BERREZOUG on Jan 8, 2021
Latest reply on Jan 12, 2021 by Yacine BERREZOUG

Hello,

 

I have a parsing issue with the following Linux log :

<37>Jan  4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)

This log does not match the rhlinux device type and is parsed as unknown.

By removing the syslog PRI from the header:

Jan  4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)

The log is correctly parsed as rhlinux by header 0016:

<month> <day> <time> <hhost> <messageid>[<process_id>]: <!payload:messageid>

 

Meanwhile, a Windows log with a PRI is correctly parsed as winevent_snare (header 1001) on the same decoder (log file import from the GUI for both):

<133>Jan 5 23:04:42 hostname MSWinEventLog 1 Security 202206857 Tue Jan 05 23:04:42 2021 4648 Microsoft-Windows-Security-Auditing …..

However, the 0016 rhlinux and 1001 winevent_snare headers are similar at the beginning:

-- rhlinux 0016 header content: "<month> <day> <time> <hhost> <messageid>[<process_id>]: <!payload:messageid>"
-- winevent_snare 1001 header content: "<month> <day> <time> <hostname> <log_type>	<criticality>	<msgIdPart1>	<linenum>	<date> <datetime>	<msgIdPart2>	<msgIdPart3>	<!payload:log_type>"

 

Why is winevent_snare 307 with the <133> PRI parsed correctly while the rhlinux log with the <37> PRI is not?

Could you please help?

 

Thank you in advance.
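As an added example (not part of the original post and not the decoder's own code), the following Python script performs the two steps the question hinges on: it decodes the leading syslog PRI (per RFC 3164/5424, `<37>` is facility 4 = auth, severity 5 = notice, and `<133>` is facility 16 = local0, severity 5 = notice) and then matches the remaining line against regex approximations of the 0016 and 1001 headers quoted above. The regexes, the way placeholders are tokenized, and the Snare sample line rebuilt with real tab separators (the forum copy lost them) are all assumptions made for this illustration, not the product's parser. In this toy parser neither header matches while the `<PRI>` prefix is still in front of the month, and both match once it is removed, which is why the ordering of PRI stripping relative to header matching is the thing to check for a given event source.

```python
import re

# RFC 3164/5424 facility and severity names (PRI = facility * 8 + severity)
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Split a leading syslog PRI off a line.

    Returns (facility_name, severity_name, rest). If there is no valid PRI
    (absent, or a value above the maximum of 191), facility and severity are
    None and rest is the unchanged line.
    """
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    if pri > 191:
        return None, None, line
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], line[m.end():]


# Regex approximations of the two header definitions quoted in the post.
# ASSUMPTION: this is how the placeholders tokenize; it is not the decoder's
# own matching engine.
HEADERS = [
    ("rhlinux 0016", re.compile(
        r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
        r"(?P<hhost>\S+) (?P<messageid>[^\[\s]+)\[(?P<process_id>\d+)\]: "
        r"(?P<payload>.*)$")),
    ("winevent_snare 1001", re.compile(
        r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
        r"(?P<hostname>\S+) (?P<log_type>[^\t]+)\t(?P<criticality>\d+)\t"
        r"(?P<msgIdPart1>[^\t]+)\t(?P<linenum>\d+)\t(?P<date_datetime>[^\t]+)\t"
        r"(?P<msgIdPart2>\d+)\t(?P<msgIdPart3>[^\t]+)\t(?P<payload>.*)$")),
]


def match_header(body):
    """Return (header_name, fields) for the first matching header, else ("unknown", {})."""
    for name, rx in HEADERS:
        m = rx.match(body)
        if m:
            return name, m.groupdict()
    return "unknown", {}


def classify(line, strip_pri=True):
    """Classify a raw line; strip_pri=False feeds the line to the headers untouched."""
    facility, severity, body = parse_pri(line)
    if not strip_pri:
        body = line
    name, fields = match_header(body)
    return name, facility, severity, fields


# Sample input: the Linux line is the one from the post; the Snare line is
# CONSTRUCTED with tab separators and a placeholder payload.
LINUX_LINE = ("<37>Jan  4 19:56:01 hostname PAM-unixteam[2373]: "
              "pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)")
SNARE_LINE = ("<133>Jan  5 23:04:42 hostname MSWinEventLog\t1\tSecurity\t202206857\t"
              "Tue Jan 05 23:04:42 2021\t4648\tMicrosoft-Windows-Security-Auditing\t"
              "constructed payload text")

if __name__ == "__main__":
    for line in (LINUX_LINE, SNARE_LINE):
        for strip in (True, False):
            name, fac, sev, _ = classify(line, strip_pri=strip)
            print(f"strip_pri={strip!s:5} facility={fac} severity={sev} -> {name}")
```

Running the script prints four classifications; only the two `strip_pri=True` rows resolve to a header. To check a real decoder against this, feed it the same line with and without the `<37>` prefix, as the post does, and compare which header id it reports in each case.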
