Security

  • 1.  Delimiting in Syslog Export Filters

    Posted Oct 11, 2017 06:05 PM

    I did a quick (but not thorough) search before creating the topic. If this has already been discussed, I apologize.


    Is there any way to change the actual formatting of the syslog events generated by the export filters? I've been experimenting with the various filter types, and the logs generated by the 'session' template don't appear to be well delimited.


    In the example below you can see that the various attributes are comma-delimited. However, the multi-valued attributes (like roles and enforcement-profiles) use commas within the attribute to separate values. This makes the logs really frustrating to parse, and I'd like to change the delimiting if possible.


    2017-10-11T17:43:12-04:00 cppm.vt.edu 2017-10-11 17:43:12,396 192.0.2.0 session_logs_example 2 1 0 Common.Username=johndoe@vt.edu,Common.Service=MAC - Aruba,Common.Roles=nonsponsored_guest, [User Authenticated],Common.Enforcement-Profiles=[Allow Access Profile], update_nonsponsored_guest, update_from_endpoint,Common.Host-MAC-Address=b853ac61f40e,Common.NAS-IP-Address=192.0.1.0,Common.Request-Timestamp=2017-10-11 17:42:59-04,Common.Login-Status=ACCEPT
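    One way to parse the 'session' template line quoted above without changing the export format, as an added example that is not part of this thread or of the ClearPass product: split only on commas that are immediately followed by a `Prefix.Key=` token, so the commas inside multi-valued fields survive and are handled per field. It assumes every attribute name carries a dotted prefix such as `Common.` and that the two multi-valued keys are the ones shown in the sample; treat attribute values as untrusted input, since a value that happened to contain `,Common.Something=` would be read as a new field.

```python
import re

# Constructed sample: the session-template line quoted in the post above.
SAMPLE = (
    "2017-10-11T17:43:12-04:00 cppm.vt.edu 2017-10-11 17:43:12,396 192.0.2.0 "
    "session_logs_example 2 1 0 Common.Username=johndoe@vt.edu,"
    "Common.Service=MAC - Aruba,Common.Roles=nonsponsored_guest, [User Authenticated],"
    "Common.Enforcement-Profiles=[Allow Access Profile], update_nonsponsored_guest, "
    "update_from_endpoint,Common.Host-MAC-Address=b853ac61f40e,"
    "Common.NAS-IP-Address=192.0.1.0,Common.Request-Timestamp=2017-10-11 17:42:59-04,"
    "Common.Login-Status=ACCEPT"
)

# A field boundary is a comma directly followed by a "<Prefix>.<Key>=" token
# (assumption: all attribute names have a dotted prefix like "Common.").
# Commas inside multi-valued values are followed by a space or a bracket,
# not by such a token, so they are left alone here and split per field below.
KEY_TOKEN = r"[A-Za-z][\w-]*\.[\w-]+="
FIELD_SPLIT = re.compile(r",(?=" + KEY_TOKEN + r")")
FIRST_KEY = re.compile(r"\b" + KEY_TOKEN)
# Keys whose value is itself a comma-separated list (from the sample line).
MULTI_VALUED = {"Common.Roles", "Common.Enforcement-Profiles"}


def parse_session_line(line):
    """Return (header, attrs) for one session-template line.

    header: the syslog/ClearPass prefix before the first attribute.
    attrs:  dict of key -> string, or key -> list for multi-valued keys.
    """
    m = FIRST_KEY.search(line)
    if not m:
        raise ValueError("no attribute block found in line")
    header, body = line[:m.start()].rstrip(), line[m.start():]
    attrs = {}
    for field in FIELD_SPLIT.split(body):
        key, _, value = field.partition("=")  # values may contain '=' too
        if key in MULTI_VALUED:
            attrs[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            attrs[key] = value.strip()
    return header, attrs


if __name__ == "__main__":
    hdr, parsed = parse_session_line(SAMPLE)
    print(hdr)
    for k, v in parsed.items():
        print(f"{k}: {v}")
```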



  • 2.  RE: Delimiting in Syslog Export Filters
    Best Answer

    Posted Oct 11, 2017 06:53 PM

    No, but you can try using CEF or LEEF formatted messages to see if that works better for you.



  • 3.  RE: Delimiting in Syslog Export Filters

    Posted Oct 13, 2017 03:41 PM

    I opted to try the 'Insight' templates instead, which appear to be better delimited. If this doesn't work out for us, I'll explore the CEF/LEEF options.


    Thanks for the assistance