Forum Discussion

James_Stutes
Copper Contributor
Apr 30, 2019
Solved

Cannot get CommonSecurityLog Events to show in Sentinel "pattern not match"

There is a thread similar to this question but the other thread is specific to Fortinet.   I am building an integration with Sentinel and we have a product that generates Syslog messages under the ...
  •
    May 03, 2019

    SOLUTION:

    The pattern that it is matching to is defined in the security_events.conf under:

    /etc/opt/microsoft/omsagent/f1886a55-033b-4c04-9198-50e9ddf678bb/conf/omsagent.d


    <source>
        type syslog
        port 25226
        bind 127.0.0.1
        protocol_type udp
        tag oms.security
        format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
        message_length_limit 4096
    </source>


    <filter oms.security.**>
        type filter_syslog_security
    </filter>


    This regex string needs to match the message that you are seeing in the log.  In my case the pid grouping did not match and that was causing the error.  Once you get the string that I have bolded above to match your message then that will clear the error.

    NOTE: The '/' bookend characters need to be in the config file for the omsagent or when you restart the service you will get an error that the template is not recognized.


    Now I am onto the next error:
    [warn]: Failed to find data type for record with ident: 'Cyber-Ark'


    What this is identifying is that the grouping of that regex string that is labeled ident does not have a known data type.... not sure what that means yet, more to follow
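The "pattern not match" error in the post comes down to whether the `format` regex above matches each raw line; the following added example (not part of the original post, and not OMS agent code) applies that exact regex, unchanged, to a few constructed syslog lines in Ruby, the language Fluentd/omsagent uses, so you can see which named groups (`time`, `host`, `ident`, `pid`, `message`) match and which lines would be rejected, for example a line without a pid, a line with a non-numeric value in the pid brackets, or a line with an RFC 5424 timestamp. The sample lines and the `parse_syslog_line` helper are constructed for this example.

```ruby
# Added example (not from the original post or the OMS agent): apply the
# omsagent syslog `format` regex to constructed sample lines and report which
# named groups matched, so a line that would produce "pattern not match" can be
# diagnosed before it is sent to port 25226.

# The pattern, copied verbatim from the security_events.conf shown in the post.
SYSLOG_FORMAT = /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

# Parse one raw syslog line. Returns a Hash of group name => value when the
# pattern matches (optional groups that did not participate map to nil), or
# nil when the agent would log "pattern not match".
def parse_syslog_line(line)
  m = SYSLOG_FORMAT.match(line)
  return nil unless m
  m.names.each_with_object({}) { |name, h| h[name] = m[name] }
end

# Constructed sample lines (not real captures).
SAMPLES = [
  # BSD-style header, no "[pid]" after the ident: matches, pid is nil.
  "Apr 30 10:15:01 vaulthost Cyber-Ark: constructed test event src=10.0.0.1",
  # BSD-style header with a numeric pid: matches, pid is "1234".
  "Apr 30 10:15:02 vaulthost sshd[1234]: Accepted publickey for user from 10.0.0.2",
  # RFC 5424 style timestamp: the (?:\w+ +){2,3} time group cannot match it.
  "2019-04-30T10:15:03Z vaulthost sshd[1234]: timestamp does not fit the pattern",
  # Non-numeric text inside the pid brackets: pid requires [0-9]+, and the
  # ident character class cannot absorb "[", so the whole line fails.
  "Apr 30 10:15:04 vaulthost Cyber-Ark[vault01]: bracketed value is not a pid",
]

if __FILE__ == $0
  SAMPLES.each do |line|
    fields = parse_syslog_line(line)
    if fields
      puts "MATCH   #{fields.inspect}"
    else
      puts "NOMATCH #{line}"
    end
  end
end
```

Running it against your own captured line (paste it into `SAMPLES`) tells you which part of the header the regex rejects; in the poster's case it was the pid group, and the fourth sample shows that a non-numeric value in the brackets is enough to fail the whole match rather than just leave `pid` empty.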
