Ofer_Shezaf, going back to the dual CEF/Syslog server: how should the configuration files look? (assuming rsyslog)
security-config-omsagent.conf - should they have both entries for syslog / cef?
local4.debug @127.0.0.1:25226 (should this be over 25224 for syslog?)
:rawmsg, regex, "CEF\|ASA" ~
*.* @@127.0.0.1:25226
security_events.conf - should this have both entries for syslog / cef as well?
syslog:
<source>
  type syslog
  port 25224
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
  message_length_limit 4096
</source>
cef:
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
    message_format auto
  </parse>
</source>
Thanks in advance,
Chi
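An added example (not part of the post, and not code from the OMS agent or Azure Sentinel) that runs the two `format` regexes quoted above over constructed sample lines, so you can check what the port-25224 (syslog) and port-25226 (CEF) parsers would each capture before committing to a routing layout. Assumptions: the patterns are used verbatim, with only the `(?<name>` named-group syntax rewritten to Python's `(?P<name>`; the constructs they use behave the same in Python's `re` as in the Ruby engine fluentd uses; an unanchored `search` stands in for Ruby's `Regexp#match`. The `split_cef` helper and the four log lines are constructed for this example; the CEF header split honours the `\|` escape the CEF header format uses.

```python
import re

# The two `format` regexes from the post's security_events.conf, copied verbatim.
SYSLOG_FORMAT = r'^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$'
CEF_FORMAT = r'(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)'


def to_python_regex(fluentd_format):
    """Rewrite Ruby-style (?<name>...) groups to Python's (?P<name>...).

    Only the group opener is touched; lookaheads such as (?=0\\|) are left alone.
    (Neither pattern uses a (?<= or (?<! lookbehind, so the rewrite is safe here.)
    """
    return re.sub(r'\(\?<([A-Za-z_]\w*)>', r'(?P<\1>', fluentd_format)


SYSLOG_RE = re.compile(to_python_regex(SYSLOG_FORMAT))
CEF_RE = re.compile(to_python_regex(CEF_FORMAT))


def parse(line, regex):
    """Return the named captures, or None when the line does not match.

    search() rather than match(): the CEF pattern has no ^ anchor, and Ruby's
    Regexp#match (what fluentd's regexp parser calls) is unanchored too.
    """
    m = regex.search(line)
    return m.groupdict() if m else None


def route(line):
    """Show how the same line is seen by the 25224 (syslog) and 25226 (cef) parsers."""
    return {"syslog": parse(line, SYSLOG_RE), "cef": parse(line, CEF_RE)}


# CEF header is 7 pipe-separated fields followed by the extension block.
CEF_HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
                   "signature_id", "name", "severity", "extension")


def split_cef(message):
    """Split '0|Vendor|Product|...|ext' into its header fields and extension.

    A pipe escaped as '\\|' inside a header field is not a separator, so split on
    unescaped pipes only, and unescape the header fields (not the extension).
    """
    parts = re.split(r'(?<!\\)\|', message, maxsplit=7)
    if len(parts) != 8:
        return None
    fields = [p.replace('\\|', '|') for p in parts[:7]] + [parts[7]]
    return dict(zip(CEF_HEADER_KEYS, fields))


# Constructed sample lines (hosts, addresses and CEF fields are made up).
SAMPLE_LINES = [
    "Oct 11 22:14:15 myhost sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 22",
    "Oct 11 22:14:16 fw01 CEF:0|Vendor|Product|1.0|100|Login failed|5|src=10.0.0.5 dst=10.0.0.1",
    "2021-10-11T22:14:17+00:00 fw02 CEF:0|Vendor|Product|1.0|101|Rule \\| updated|3|act=allow",
    "Oct 11 22:14:18 asa01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:10.0.0.1/443",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = route(line)
        print(line)
        for name, fields in result.items():
            print(f"  {name:6s} -> {fields}")
        if result["cef"] and result["cef"]["message"].startswith("0|"):
            print(f"  header -> {split_cef(result['cef']['message'])}")
```

Two things this makes visible: the CEF parser refuses a plain sshd line outright (its `ident` group requires `CEF` or `%ASA`), while the syslog parser happily accepts a CEF line with `ident` = `CEF` and the whole header in `message`, so a CEF stream that lands on the wrong port is not rejected, only mis-shaped. Checking the captured `ident`/`message` on a few representative lines from each source is the quickest way to confirm the two rsyslog forwarding rules send each kind of event to the port whose parser was written for it.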