Aug 05 2021 01:29 PM
We are having a problem with our log collector setup whereby CEF logs are not being parsed into the right columns. They also repeat in syslog. Firstly, can you see anything wrong in the format? Secondly, could this be adjusted through a regex? I've seen syslog-ng can do adjustments, I think?
Syslog entry
Aug 5 21:26:26 GREMLIN EventsFeederImporter.Host.exe: CEF:1|Panda Security|paps|02.54.00.0000|socket|socket|1|Date=2021-08-05 20:22:48.051462 MachineName=xxxxxx MachineIP=xxxxxxxxxxx User=NT AUTHORITY\\SYSTEM MUID=xxxxxxxxxxxxxxxxxxxxx LocalDateTime=2021-08-05T20:23:43.051+01:00 PandaTimeStatus=2 Protocol=TCP LocalPort=58823 Direction=Up LocalIp=172.16.11.27 Hash=xxxxxxxxxxxxxxxx DriveType=Fixed Path=PROGRAM_FILES_COMMON|\\Microsoft Shared\\ClickToRun\\officesvcmgr.exe Hostname=clients.config.office.net IP=51.11.16.254 Port=443 Times=1 Pid=45490 ValidSig=true Company=Microsoft Corporation Broken=true ImageType=EXE 64 ExeType=Unknown Prevalence=High PrevLastDay=Low Cat=Goodware MWName=
Aug 06 2021 12:44 AM
Aug 06 2021 09:14 AM
So, basically the CEF format should be as below:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
In your case I'm not sure whether the Signature ID and Name values are correct or not, because they can't be the same.
And yes, you can do this adjustment with regex.
Thanks,
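Added example, not code from the original post or from Panda Security or syslog-ng: a Python parser for the posted line. It splits the seven header fields on unescaped pipes only, at most seven times, so the pipe inside the `Path=` value in the extension survives; it splits the extension at whitespace that is immediately followed by `key=`, so values containing spaces (User, Company, ImageType, Path) stay whole; and it unescapes `\\`, `\=` and `\|`. The header in the posted line is well-formed. What a collector that maps fields to fixed columns keys on is the extension, and the keys in this line (Date, MachineName, LocalIp, ...) are vendor-specific rather than CEF dictionary keys such as src, dst, dpt or suser, so the example also renames them. The VENDOR_TO_CEF mapping is an assumption for illustration only (it reads Direction=Up as an outbound connection, so LocalIp/LocalPort become src/spt); the sample line is the one from the post, embedded as a constant with the masked fields left as posted.

```python
import re

# Constructed sample: the line from the post (masked fields kept as posted).
SAMPLE = (
    r"Aug 5 21:26:26 GREMLIN EventsFeederImporter.Host.exe: "
    r"CEF:1|Panda Security|paps|02.54.00.0000|socket|socket|1|"
    r"Date=2021-08-05 20:22:48.051462 MachineName=xxxxxx MachineIP=xxxxxxxxxxx "
    r"User=NT AUTHORITY\\SYSTEM MUID=xxxxxxxxxxxxxxxxxxxxx "
    r"LocalDateTime=2021-08-05T20:23:43.051+01:00 PandaTimeStatus=2 Protocol=TCP "
    r"LocalPort=58823 Direction=Up LocalIp=172.16.11.27 Hash=xxxxxxxxxxxxxxxx "
    r"DriveType=Fixed Path=PROGRAM_FILES_COMMON|\\Microsoft Shared\\ClickToRun\\officesvcmgr.exe "
    r"Hostname=clients.config.office.net IP=51.11.16.254 Port=443 Times=1 Pid=45490 "
    r"ValidSig=true Company=Microsoft Corporation Broken=true ImageType=EXE 64 "
    r"ExeType=Unknown Prevalence=High PrevLastDay=Low Cat=Goodware MWName="
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# CEF escaping: backslash before a pipe (header), an equals sign (extension),
# another backslash, or n/r for line breaks.
_ESC = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}


def _unescape(value):
    return re.sub(r"\\([\\|=nr])", lambda m: _ESC[m.group(1)], value)


def _escape_header(value):
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value):
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\n", "\\n").replace("\r", "\\r"))


def parse_extension(ext):
    """Split the extension at whitespace that is followed by `key=`; values may contain spaces."""
    fields = {}
    for token in re.split(r"\s+(?=[\w.]+=)", ext.strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        fields[key] = _unescape(value)
    return fields


def parse_cef(line):
    """Parse a syslog line carrying a CEF message into header fields plus a parsed extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    body = line[start + 4:]
    # Split on unescaped pipes only, and at most 7 times, so pipes inside the extension survive.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 7:
        raise ValueError(f"CEF header needs 7 pipe-separated fields, got {len(parts)}")
    event = {field: _unescape(raw) for field, raw in zip(HEADER_FIELDS, parts)}
    event["extension"] = parse_extension(parts[7] if len(parts) == 8 else "")
    return event


# Illustrative vendor-key -> CEF dictionary key mapping (an assumption, not Panda documentation).
# Direction=Up is read here as outbound, so LocalIp/LocalPort are the source side.
VENDOR_TO_CEF = {
    "LocalIp": "src", "LocalPort": "spt", "IP": "dst", "Port": "dpt", "Hostname": "dhost",
    "Protocol": "proto", "User": "suser", "Path": "filePath", "Hash": "fileHash",
    "Pid": "spid", "MachineName": "shost", "Cat": "cat",
}


def to_standard_keys(ext, mapping=VENDOR_TO_CEF):
    """Rename vendor-specific extension keys to CEF dictionary keys; unmapped keys are kept."""
    return {mapping.get(k, k): v for k, v in ext.items()}


def format_cef(event, ext=None):
    """Rebuild a CEF line with the escaping the header and extension each require."""
    header = "|".join(_escape_header(event[f]) for f in HEADER_FIELDS)
    ext = event["extension"] if ext is None else ext
    body = " ".join(f"{k}={_escape_ext(v)}" for k, v in ext.items())
    return f"CEF:{header}|{body}"


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    for f in HEADER_FIELDS:
        print(f"{f:>15}: {ev[f]}")
    for k, v in ev["extension"].items():
        print(f"{k:>15}: {v!r}")
    print(format_cef(ev, to_standard_keys(ev["extension"])))
```

Running the file prints the seven header fields, every extension key with its value, and the line rewritten with standard keys. The same rename can be expressed as a rewrite rule in the collector, but the split has to happen at `key=` boundaries rather than on every space, or values such as `NT AUTHORITY\SYSTEM` and `EXE 64` get cut in half.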
Aug 10 2021 04:12 AM
Aug 10 2021 10:23 AM
Aug 13 2021 10:58 AM