Forum Discussion
Cannot get CommonSecurityLog Events to show in Sentinel "pattern not match"
- May 03, 2019
SOLUTION:
The pattern that it is matching to is defined in the security_events.conf under:
/etc/opt/microsoft/omsagent/f1886a55-033b-4c04-9198-50e9ddf678bb/conf/omsagent.d
# Fluentd source section from security_events.conf (comments added for readability)
<source>
  type syslog
  port 25226                # omsagent listens here for syslog forwarded by rsyslog/syslog-ng
  bind 127.0.0.1
  protocol_type udp
  tag oms.security
  # Every incoming line must match this regex; otherwise fluentd logs "pattern not match"
  format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
  message_length_limit 4096
</source>

<filter oms.security.**>
  type filter_syslog_security
</filter>

This regex string needs to match the message that you are seeing in the log. In my case the pid grouping did not match, and that was causing the error. Once you get the string that I have bolded above (the format line) to match your message, that will clear the error.
NOTE: The '/' bookend characters need to be in the config file for the omsagent or when you restart the service you will get an error that the template is not recognized.
Now I am onto the next error:
[warn]: Failed to find data type for record with ident: 'Cyber-Ark'

What this is identifying is that the grouping of that regex string that is labeled ident does not have a known data type... not sure what that means yet, more to follow.
Follow-on question: where does the omsagent pull the data from? If I tail the logs on my rsyslog solution, the structure is entirely different from what I am seeing in the omsagent logs.
If I modify the structure on the syslog source, I see it reflected on the rsyslog solution but not in the omsagent. Is there a template for structuring data going to Sentinel?
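As an added illustration, not part of the original post, the Python script below applies the same `format` regex from security_events.conf to a few constructed syslog lines and reports which ones would trigger fluentd's "pattern not match" warning. The regex is copied from the config above and only translated from Ruby's `(?<name>...)` named-group syntax to Python's `(?P<name>...)`; the sample lines, hostname and CEF payload are made up for the demonstration.

```python
import re

# The omsagent security_events.conf `format` regex, translated to Python named groups.
# Semantics are otherwise identical to the Ruby/fluentd version.
SYSLOG_PATTERN = re.compile(
    r"^(?P<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?"
    r"(?:(?P<host>[^: ]+) ?:?)? "
    r"(?P<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?P<pid>[0-9]+)\])?: *"
    r"(?P<message>.*)$"
)

# Constructed sample lines (hostname, pid and CEF content are invented for this example).
SAMPLE_LINES = [
    # 1. BSD-style header with ident[pid]: matches fully, pid captured
    "May  3 10:15:42 vaulthost Cyber-Ark[1234]: CEF:0|CyberArk|Vault|10.0|1|Logon|1|suser=admin",
    # 2. Same header without a pid: still matches, pid group is empty
    "May  3 10:15:43 vaulthost Cyber-Ark: CEF:0|CyberArk|Vault|10.0|2|Logoff|1|suser=admin",
    # 3. No colon after the ident: the regex cannot find "ident:" -> "pattern not match"
    "May  3 10:15:44 vaulthost Cyber-Ark CEF:0|CyberArk|Vault|10.0|3|Retrieve|1|suser=admin",
    # 4. RFC 5424 header (what rsyslog may emit by default): timestamp shape differs -> no match
    "<134>1 2019-05-03T10:15:45Z vaulthost Cyber-Ark - - - CEF:0|CyberArk|Vault|10.0|4|Retrieve|1",
]


def parse_syslog_line(line):
    """Return the named groups as a dict, or None when fluentd would log 'pattern not match'."""
    m = SYSLOG_PATTERN.match(line)
    if m is None:
        return None
    return m.groupdict()


def check_lines(lines):
    """Classify each line as matched/unmatched so a misformatted forwarder can be spotted quickly."""
    report = []
    for line in lines:
        parsed = parse_syslog_line(line)
        report.append(
            {
                "line": line,
                "matched": parsed is not None,
                "ident": parsed["ident"] if parsed else None,
                "pid": parsed["pid"] if parsed else None,
            }
        )
    return report


if __name__ == "__main__":
    for entry in check_lines(SAMPLE_LINES):
        status = "OK       " if entry["matched"] else "NO MATCH "
        print(f"{status} ident={entry['ident']!r:12} pid={entry['pid']!r:8} {entry['line'][:60]}")
```

Running it against lines copied from the omsagent's own log (tail the file it reads from, not rsyslog's output) shows directly whether the header shape reaching port 25226 is the BSD form the regex expects or the RFC 5424 form rsyslog may be producing; the fix belongs in the forwarder's output template, not in loosening the regex.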