Forum Discussion

Copper Contributor

Apr 30, 2019

Solved

Cannot get CommonSecurityLog Events to show in Sentinel "pattern not match"

There is a thread similar to this question but the other thread is specific to Fortinet. I am building an integration with Sentinel and we have a product that generates Syslog messages under the ...

James_Stutes
May 03, 2019
SOLUTION:
The pattern that it is matching to is defined in the security_events.conf under:
/etc/opt/microsoft/omsagent/f1886a55-033b-4c04-9198-50e9ddf678bb/conf/omsagent.d

<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type udp
tag oms.security
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
message_length_limit 4096
</source>

<filter oms.security.**>
type filter_syslog_security
</filter>

This regex string needs to match the message that you are seeing in the log. In my case the pid grouping did not match and that was causing the error. Once you get the string that I have bolded above to match your message then that will clear the error.
NOTE: The '/' bookend characters need to be in the config file for the omsagent or when you restart the service you will get an error that the template is not recognized.

Now I am onto the next error:
[warn]: Failed to find data type for record with ident: 'Cyber-Ark'

What this is identifying is that the grouping of that regex string that is labeled ident does not have a known data type.... not sure what that means yet, more to follow

James_Stutes

Copper Contributor

May 03, 2019

SOLUTION:

The pattern that it is matching to is defined in the security_events.conf under:

/etc/opt/microsoft/omsagent/f1886a55-033b-4c04-9198-50e9ddf678bb/conf/omsagent.d

<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type udp
tag oms.security
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
message_length_limit 4096
</source>

<filter oms.security.**>
type filter_syslog_security
</filter>

This regex string needs to match the message that you are seeing in the log. In my case the pid grouping did not match and that was causing the error. Once you get the string that I have bolded above to match your message then that will clear the error.

NOTE: The '/' bookend characters need to be in the config file for the omsagent or when you restart the service you will get an error that the template is not recognized.

Now I am onto the next error:
[warn]: Failed to find data type for record with ident: 'Cyber-Ark'

What this is identifying is that the grouping of that regex string that is labeled ident does not have a known data type.... not sure what that means yet, more to follow

Miguel_Kulisic
Former Employee
May 28, 2019
James_Stutes I was struggling with the same error. I went through the code and there are only two idents it will take (for two of the appliances). I got rid of this error by changing the type from "filter_syslog_security" to "filter_syslog".
- FahadAhmed
  Brass Contributor
  Nov 09, 2021
  are there any implications of changing "filter_syslog_security" to "filter_syslog", specially doing it to remove warning messages for Cisco ASA??