Forum Discussion
Cannot get CommonSecurityLog Events to show in Sentinel "pattern not match"
- May 03, 2019
SOLUTION:
The pattern that it is matching to is defined in the security_events.conf under:
/etc/opt/microsoft/omsagent/f1886a55-033b-4c04-9198-50e9ddf678bb/conf/omsagent.d
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type udp
tag oms.security
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
message_length_limit 4096
</source>
<filter oms.security.**>
type filter_syslog_security
</filter>
This regex string needs to match the message that you are seeing in the log. In my case the pid grouping did not match and that was causing the error. Once you get the string that I have bolded above to match your message, that will clear the error.
NOTE: The '/' bookend characters need to be in the config file for the omsagent or when you restart the service you will get an error that the template is not recognized.
Now I am onto the next error:
[warn]: Failed to find data type for record with ident: 'Cyber-Ark'
What this is identifying is that the grouping of that regex string that is labeled ident does not have a known data type... not sure what that means yet, more to follow
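To see which syslog lines the pattern above accepts before restarting omsagent, here is an added Python example (not from the thread or from the OMS agent code): it applies the same `format` regex, with Ruby's `(?<name>...)` groups rewritten as Python's `(?P<name>...)`, to constructed sample lines and reports the ones fluentd would reject with "pattern not match". The host name, pid and CEF content in the samples are made up.

```python
import re

# The `format` line from security_events.conf, with Ruby's (?<name>...) groups
# written as Python's (?P<name>...); the expression is otherwise unchanged.
SECURITY_EVENTS_FORMAT = re.compile(
    r"^(?P<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?"
    r"(?:(?P<host>[^: ]+) ?:?)? "
    r"(?P<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?P<pid>[0-9]+)\])?: *"
    r"(?P<message>.*)$"
)


def parse_security_event(line):
    """Return the named groups (time, host, ident, pid, message) for a line
    that matches the omsagent pattern, or None when fluentd would log
    'pattern not match' for it."""
    m = SECURITY_EVENTS_FORMAT.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(lines):
    """Classify sample lines the way the agent would: 'ok' when the pattern
    matches (with the ident it extracted), 'pattern not match' otherwise."""
    result = []
    for line in lines:
        fields = parse_security_event(line)
        if fields is None:
            result.append((line, "pattern not match", None))
        else:
            result.append((line, "ok", fields["ident"]))
    return result


# Constructed sample lines (not captured from a real appliance): the first two
# fit the pattern, with and without the optional [pid]; the third has no colon
# after the ident, so the mandatory ': ' before the message never matches.
SAMPLE_LINES = [
    "May  3 10:15:42 vault01 Cyber-Ark[1234]: CEF:0|Cyber-Ark|Vault|1.0|1|Logon|5|",
    "May  3 10:15:42 vault01 Cyber-Ark: CEF:0|Cyber-Ark|Vault|1.0|1|Logon|5|",
    "May  3 10:15:42 vault01 Cyber-Ark CEF:0|Cyber-Ark|Vault|1.0|1|Logon|5|",
]

if __name__ == "__main__":
    for line, status, ident in triage(SAMPLE_LINES):
        print(f"{status:17} ident={ident!r}  {line}")
```

Paste real lines from your appliance into SAMPLE_LINES (or read them from a file) and adjust the regex until every line reports "ok"; the ident value printed is the one the `filter_syslog_security` warning refers to.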
- Miguel_Kulisic, May 28, 2019, Former Employee
James_Stutes, I was struggling with the same error. I went through the code and there are only two idents it will take (for two of the appliances). I got rid of this error by changing the type from "filter_syslog_security" to "filter_syslog".
- FahadAhmed, Nov 09, 2021, Brass Contributor
Are there any implications of changing "filter_syslog_security" to "filter_syslog", especially doing it to remove warning messages for Cisco ASA?