Logstash to output syslog in Snare format

Ravi342883 · April 27, 2021, 3:26pm

Hi All,

For a PoC portion, I would like to know whether logstash can output the syslogs in Snare format. Any reference?

If anyone has got insights around this, please shed some light here.

Thanks,
Ravi

Husnain · April 27, 2021, 3:44pm

Hii @Ravi342883.You can refer this link.This might help you.

github.com

philhagen/sof-elk/blob/main/configfiles/6010-snare.conf

# SOF-ELK® Configuration File
# (C)2018 Lewes Technology Consulting, LLC
#
# This file contains filters, transforms, and enrichments for Windows Event Log messages sent via the Snare utility

# From: http://www.canopsis.org/windows-eventlog-snare-logstash
#       https://docs.tibco.com/pub/loglogic_universal_collector/2.6.0/doc/html/source/user-guide/concepts/c_event_output_format.html
#Snare event record format
#The format of the event record is as follows:

#| Number | Field | Description |
#|:———–|————:|:————:|
#| 1 | Hostname | The assigned hostname of the machine or the override value entered using the Snare front.
#| 2 | Event Log Type | Fixed value of ‘MSWinEventLog’.
#| 3 | Criticality | This is determined by the Alert level given to the objective by the user and is a number between 0 and 4, as detailed in the registry settings in Appendix B.
#| 4 | SourceName | This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the ‘security’ event log.
#| 5 | Snare Event Counter | Based on the internal Snare event counter. Rotates at ‘MAXDWORD’.
#| 6 | DateTime | This is the date time stamp of the event record.
#| 7 | EventID | This is the Windows Event ID.
#| 8 | SourceName | This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the ‘security’ event log.

This file has been truncated. show original

Ravi342883 · April 27, 2021, 4:01pm

Thanks you @Husnain ..
I think this config file talks about consuming (input) snare format logs, But, I'm looking for other way around (to output snare format).

Syslog -> Snare

Husnain · May 11, 2021, 4:39am

Hii @Ravi342883.Np at all.I hope you will get the solution for this.

Badger · May 11, 2021, 5:10pm

From what I can see, snare is just a set of fields that are tab separated. I think you could do that using a line codec with a format option

output { file { codec => line { format => "%{1stField} %{2ndField}..." ...} ... } }

where the separator in the format option is a tab character.

system · June 8, 2021, 5:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.