[prelude-user] ntsyslog and prelude-lml...
Jaime Ventura
jaimeventura at ipp.pt
Mon Mar 22 17:24:15 CET 2010
I have a server running syslog-ng for log storage, on which I also have
a prelude-lml sensor.
Until now, this server was getting Linux logs only.
I've decided to send Windows logs too.
For that I installed ntsyslog on the Windows testing machine.
Now, here's the problem. According to the ntsyslog project page and the
prelude-lml ruleset, the log format is, for instance:
Oct 18 21:37:34 test1.sabernet.net security[success] Successful Logon:
User Name:Administrator Domain:TEST1 Logon ID:(0x0,0x36D166) Logon
Type:7 Logon Process :User32 Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Work station Name:TEST1
But all I can get is:
Mar 22 15:35:23 windowst1.local NT: <Security;S528;TEST1\Administrator>
Successful Logon: User Name:administrator Domain:TEST1 Logon
ID:(0x0,0x55582E2) Logon Type:10 Logon Process:User32
Authentication Package:Negotiate Workstation Name:windowst1 Logon GUID:
{dacc09ae-b624-c9bc-5c71-a6d3ce767bed} Caller User Name:windowst1$
Caller Domain:TEST1 Caller Logon ID:(0x0,0x3E7) Caller Process ID:
4164 Transited Services: - Source Network Address:windowst1.local
Source Port:4350
I've also tried "Datagram SyslogAgent v3.5" and it seems to format log
lines the same way as ntsyslog.
Does anyone have any experience with this?
Am I missing something?
Thanks
Jaime
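The post shows two shapes of the same Windows logon event: the "security[success] ..." form the ruleset sample documents, and the "NT: <Security;S528;DOMAIN\user> ..." form the agent actually emits. The script below is an added example, not code from the post or from the prelude-lml or ntsyslog projects: it parses both shapes into one flat event, and rewrites the "NT: <...>" shape into the "security[success]" shape so that a ruleset written against the sample can match it. The two sample lines are copied from the post; the regexes are my own; the reading of the letter before the event ID as an audit result flag (S = success, F = failure) is an assumption, and the logon type names are the standard Windows codes.

```python
import re

# The two line shapes quoted in the post, embedded here as constructed test input.
LEGACY_LINE = (
    "Oct 18 21:37:34 test1.sabernet.net security[success] Successful Logon: "
    "User Name:Administrator Domain:TEST1 Logon ID:(0x0,0x36D166) Logon Type:7 "
    "Logon Process :User32 Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Work station Name:TEST1"
)
NT_LINE = (
    "Mar 22 15:35:23 windowst1.local NT: <Security;S528;TEST1\\Administrator> "
    "Successful Logon: User Name:administrator Domain:TEST1 Logon ID:(0x0,0x55582E2) "
    "Logon Type:10 Logon Process:User32 Authentication Package:Negotiate "
    "Workstation Name:windowst1 Logon GUID: {dacc09ae-b624-c9bc-5c71-a6d3ce767bed} "
    "Caller User Name:windowst1$ Caller Domain:TEST1 Caller Logon ID:(0x0,0x3E7) "
    "Caller Process ID: 4164 Transited Services: - "
    "Source Network Address:windowst1.local Source Port:4350"
)

# syslog header: "Mon DD HH:MM:SS host rest"
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Shape the agent emits: "NT: <Log;<letter><EventID>;DOMAIN\user> message"
NT_FORM = re.compile(r"^NT: <(?P<log>[^;]+);(?P<code>[A-Z])(?P<event_id>\d+);(?P<account>[^>]*)> (?P<msg>.*)$")
# Shape the ruleset sample shows: "log[result] message"
LEGACY_FORM = re.compile(r"^(?P<log>[a-z]+)\[(?P<result>[a-z]+)\] (?P<msg>.*)$")

# Assumption: the letter before the event ID is an audit result flag.
RESULT_CODES = {"S": "success", "F": "failure"}

# Standard Windows logon type codes (a few of the common ones).
LOGON_TYPES = {"2": "Interactive", "3": "Network", "7": "Unlock", "10": "RemoteInteractive"}

# Field extractors. The negative lookbehinds stop "Caller User Name:" etc. from
# shadowing the subject's own fields; the whitespace variants seen in the two
# samples ("Logon Process :", "Work station Name") are tolerated.
FIELDS = {
    "user": re.compile(r"(?<!Caller )User Name:\s*(\S+)"),
    "domain": re.compile(r"(?<!Caller )Domain:\s*(\S+)"),
    "logon_id": re.compile(r"(?<!Caller )Logon ID:\s*\(([^)]*)\)"),
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    "logon_process": re.compile(r"Logon Process\s*:\s*(\S+)"),
    "auth_package": re.compile(r"Authentication Package:\s*(\S+)"),
    "workstation": re.compile(r"Work ?station Name:\s*(\S+)"),
    "src_addr": re.compile(r"Source Network Address:\s*(\S+)"),
    "src_port": re.compile(r"Source Port:\s*(\d+)"),
}


def _split(line):
    """Return (ts, host, log, result, event_id, msg) for either shape, or raise."""
    h = HEADER.match(line)
    if not h:
        raise ValueError("not a syslog line: %r" % line)
    rest = h.group("rest")
    m = NT_FORM.match(rest)
    if m:
        result = RESULT_CODES.get(m.group("code"), m.group("code").lower())
        return h.group("ts"), h.group("host"), m.group("log"), result, m.group("event_id"), m.group("msg")
    m = LEGACY_FORM.match(rest)
    if m:
        return h.group("ts"), h.group("host"), m.group("log"), m.group("result"), None, m.group("msg")
    raise ValueError("unrecognised Windows event format: %r" % rest)


def normalize(line):
    """Parse either line shape into one flat event dict."""
    ts, host, log, result, event_id, msg = _split(line)
    desc = re.match(r"^([^:]+):", msg)          # e.g. "Successful Logon"
    fields = {}
    for key, rx in FIELDS.items():
        m = rx.search(msg)
        fields[key] = m.group(1) if m else None
    return {
        "ts": ts, "host": host, "log": log, "result": result, "event_id": event_id,
        "desc": desc.group(1).strip() if desc else None,
        "logon_type_name": LOGON_TYPES.get(fields["logon_type"]),
        "fields": fields,
    }


def to_legacy(line):
    """Rewrite the 'NT: <...>' shape into the 'security[success]' shape the
    ruleset sample expects; lines already in that shape pass through unchanged."""
    ts, host, log, result, event_id, msg = _split(line)
    if event_id is None:
        return line
    return "%s %s %s[%s] %s" % (ts, host, log.lower(), result, msg)


if __name__ == "__main__":
    for raw in (LEGACY_LINE, NT_LINE):
        ev = normalize(raw)
        print(ev["host"], ev["result"], ev["desc"], ev["fields"]["user"], ev["logon_type_name"])
    print(to_legacy(NT_LINE))
```

Running it on the two sample lines yields the same field set from both shapes, and the rewritten line keeps the event ID only implicitly (the description text), so anything that wants the numeric ID should take it from normalize() rather than from the rewritten line. The "Caller" lookbehinds matter for the agent's richer output: without them a naive "User Name:" match could return the machine account windowst1$ instead of the logged-on user.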