rsyslog/tests/testsuites/sample.pmsnare_modoverride
2017-06-05 11:44:11 -04:00

# sample.pmsnare_modoverride
# Sample events from several source types, each followed by the result expected from the
# pmsnare module when the global settings are overridden (the modoverride case). The input
# has been pre-escaped by hand, because this feature exists to accommodate input that was
# already escaped elsewhere.
#
# Each input line is followed by one expect line. The format of the expect line is:
# %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
#
# Citrix NetScaler
<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
#
# Cisco IOS-XE
<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
#
# Cisco ASA
<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
#
# VMware
<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
#
# Unix
<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
<14>May 21 12:00:01 vnl992 snmpd[1199]: Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
14,user,info,snmpd,snmpd[1199]:, Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
#
# NXLog Snare
<14>May 21 12:00:01 hostname MSWinEventLog\\0111\\011N/A\\011113977\\011Sun May 21 12:00:01.123\\011N/A\\011nxlog\\011N/A\\011N/A\\011N/A\\011hostname\\011N/A\\011\\011reconnecting to agent manager in 200 seconds\\011N/A
14,user,info,MSWinEventLog,MSWinEventLog, 1\\011N/A\\011113977\\011Sun May 21 12:00:01.123\\011N/A\\011nxlog\\011N/A\\011N/A\\011N/A\\011hostname\\011N/A\\011\\011reconnecting to agent manager in 200 seconds\\011N/A
#
# Snare
<14>May 21 12:00:01 hostname.domain MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
14,user,info,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
<14>May 21 12:00:01 hostname.domain MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0\\011-0000000000
14,user,info,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0\\011-0000000000
<14>May 21 12:00:01 hostname.domain MSWinEventLog\\0113\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed. Account Information: Security ID: 0x000000000 Account Name: first.last Service Information: Service Name: first.last Network Information: Client Address: ::ffff:192.168.0.11 Client Port: 59355 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
14,user,info,MSWinEventLog,MSWinEventLog, 3\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed. Account Information: Security ID: 0x000000000 Account Name: first.last Service Information: Service Name: first.last Network Information: Client Address: ::ffff:192.168.0.11 Client Port: 59355 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
#
# Snare (no syslog header)
hostname.domain\\011MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
13,user,notice,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
hostname.domain\\011MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0\\011-0000000000
13,user,notice,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0\\011-0000000000
hostname.domain\\011MSWinEventLog\\0113\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed. Account Information: Security ID: 0x000000000 Account Name: first.last Service Information: Service Name: first.last Network Information: Client Address: ::ffff:192.168.0.11 Client Port: 59355 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
13,user,notice,MSWinEventLog,MSWinEventLog, 3\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed. Account Information: Security ID: 0x000000000 Account Name: first.last Service Information: Service Name: first.last Network Information: Client Address: ::ffff:192.168.0.11 Client Port: 59355 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
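The pairs above follow the expect format given in the file header. As an added consistency check (example code written for this page, not part of rsyslog or of this fixture), the Python script below re-derives each expect line from its input: PRI from the leading `<n>` (or rsyslog's default of 13, user.notice, when the input has none), facility and severity text from PRI, programname from syslogtag by the rule rsyslog applies (the tag up to the first ':', '[' or '/'), and msg as the tail of the input after the tag, with the separator that followed the tag, a space or the pre-escaped tab `\\011`, replaced by a single space. That separator rule is inferred from the pairs in this file, not taken from the pmsnare source. The embedded sample copies the Cisco, Unix and NXLog pairs from above and adds a shortened, constructed version of the no-header Snare pair; the function names are this example's own.

```python
# Added example: consistency checker for pmsnare fixtures in the format of this
# file (one raw input line followed by one expect line); not part of rsyslog.
# Expect format:
#   %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
import re

TAB_ESC = r"\\011"   # the pre-escaped tab exactly as it appears in this fixture
DEFAULT_PRI = 13     # rsyslog's default (user.notice) when the input has no <PRI>

# Textual names rsyslog uses for %syslogfacility-text% and %syslogseverity-text%
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri_of(raw):
    """PRI from a leading <n>; rsyslog's default when the line carries none."""
    m = re.match(r"<(\d{1,3})>", raw)
    return int(m.group(1)) if m else DEFAULT_PRI


def program_name(tag):
    """programname as rsyslog derives it: the tag up to the first ':', '[' or '/'."""
    return re.split(r"[:\[/]", tag, maxsplit=1)[0]


def check_pair(raw, expect):
    """Return the list of mismatches between one input line and its expect line."""
    fields = expect.split(",", 5)          # msg may itself contain commas
    if len(fields) != 6 or not fields[0].isdigit():
        return ["expect line is not PRI,facility,severity,programname,syslogtag,msg"]
    pri = int(fields[0])
    fac, sev, prog, tag, msg = fields[1:]
    if pri > 191:
        return [f"PRI {pri} out of range"]
    problems = []
    if pri != pri_of(raw):
        problems.append(f"PRI {pri} != {pri_of(raw)} derived from the input")
    if fac != FACILITIES[pri >> 3]:
        problems.append(f"facility text {fac!r} != {FACILITIES[pri >> 3]!r} for PRI {pri}")
    if sev != SEVERITIES[pri & 7]:
        problems.append(f"severity text {sev!r} != {SEVERITIES[pri & 7]!r} for PRI {pri}")
    if prog != program_name(tag):
        problems.append(f"programname {prog!r} != {program_name(tag)!r} derived from tag {tag!r}")
    # msg must be the tail of the input after the tag, with the single separator that
    # followed the tag (a space, or the escaped tab the Snare format uses) replaced by a space
    if not msg.startswith(" ") or not raw.endswith(msg[1:]):
        problems.append("msg is not the tail of the input preceded by a single space")
        return problems
    head = raw[:len(raw) - len(msg[1:])]
    if not any(head.endswith(tag + sep) for sep in (" ", TAB_ESC)):
        problems.append(f"syslogtag {tag!r} does not immediately precede msg in the input")
    return problems


def check_fixture(text):
    """Check every input/expect pair in a fixture; returns (input line number, problem) tuples."""
    lines = [(n, l) for n, l in enumerate(text.splitlines(), 1)
             if l.strip() and not l.startswith("#")]
    report = [(lines[-1][0], "input line without an expect line")] if len(lines) % 2 else []
    for (n, raw), (_, expect) in zip(lines[0::2], lines[1::2]):
        report.extend((n, p) for p in check_pair(raw, expect))
    return report


# Sample pairs: the Cisco, Unix and NXLog lines are copied from this fixture; the last
# pair is a shortened, constructed version of the "Snare (no syslog header)" case.
SAMPLE = r"""
# Cisco IOS-XE
<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
# Cisco ASA
<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
# Unix
<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
# NXLog Snare
<14>May 21 12:00:01 hostname MSWinEventLog\\0111\\011N/A\\011113977\\011Sun May 21 12:00:01.123\\011N/A\\011nxlog\\011N/A\\011N/A\\011N/A\\011hostname\\011N/A\\011\\011reconnecting to agent manager in 200 seconds\\011N/A
14,user,info,MSWinEventLog,MSWinEventLog, 1\\011N/A\\011113977\\011Sun May 21 12:00:01.123\\011N/A\\011nxlog\\011N/A\\011N/A\\011N/A\\011hostname\\011N/A\\011\\011reconnecting to agent manager in 200 seconds\\011N/A
# Snare (no syslog header), shortened
hostname.domain\\011MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.
13,user,notice,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.
"""

if __name__ == "__main__":
    report = check_fixture(SAMPLE)
    print("OK" if not report else "\n".join(f"line {n}: {p}" for n, p in report))
```

Run against the fixture file itself with `check_fixture(open(path).read())`; an empty report means every expect line is consistent with its input under the rules above. The check is deliberately independent of pmsnare: it does not run rsyslog, so it catches a mis-edited fixture (wrong PRI text, a tag that no longer matches the input, an input line whose expect line was dropped) before the real test does.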