rsyslog/tests/mmsnarewinsec-custom.sh
Andre Lorbach c38783bddf mmsnarewinsec: comprehensive Windows Security Event Log parser
Implement complete NXLog Snare-formatted Windows Security event parser
with multi-format support (RFC5424/RFC3164), 100+ field patterns, and
advanced features including GUID/IP/timestamp type detection, runtime
configuration, enhanced validation modes, and comprehensive test suite.

Features:
- Parse major Windows security event types (4624, 4625, 4634, etc.)
- Extract structured data into configurable JSON containers (!win default)
- Handle modern Windows telemetry (LAPS, TLS, WDAC, WUFB, Kerberos)
- Type-aware parsing with validation and fallback handling
- Runtime configuration support for custom field patterns
- Thread-safe design with no shared mutable state
- 9 comprehensive test scripts covering all functionality

Impact: Enables structured analysis of Windows Security events for
SIEM integration, threat detection, and compliance reporting while
preserving original payloads for forensic investigation.

Files: contrib/mmsnarewinsec/, tests/mmsnarewinsec-*.sh,
doc/source/configuration/modules/mmsnarewinsec.rst
2025-10-01 12:02:06 +02:00


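#!/bin/bash
## Validate custom pattern loading and section detection for mmsnarewinsec.
##
## The test writes a definition file that declares one custom section
## ("Custom Block*"), one custom EventData field (CustomEventTag), one
## event-specific pattern (WidgetID, event id 4001) and the category/subtype/
## outcome metadata for event 4001.  mmsnarewinsec is loaded with that file in
## strict validation mode, a single sample message is injected over TCP, and
## the parsed fields are rendered through a template so the output log can be
## checked for the expected values.
##
## Environment: srcdir (defaults to "."); RSYSLOG_DYNNAME is cleared here and
## assigned by "diag.sh init".  All other helpers (generate_conf, add_conf,
## startup, tcpflood, content_check, exit_test, ...) come from diag.sh.
unset RSYSLOG_DYNNAME
. ${srcdir:=.}/diag.sh init

# Per-run name so parallel test runs never share (or clobber) the same file.
DEF_FILE="${RSYSLOG_DYNNAME}.defs.json"

# Quoted heredoc delimiter: the JSON is written verbatim, nothing is expanded.
cat >"$DEF_FILE" <<'JSON'
{
  "sections": [
    {
      "pattern": "Custom Block*",
      "canonical": "CustomBlock",
      "behavior": "standard",
      "priority": 250,
      "sensitivity": "case_insensitive"
    }
  ],
  "fields": [
    {
      "pattern": "CustomEventTag",
      "canonical": "CustomEventTag",
      "section": "EventData",
      "priority": 80,
      "value_type": "string"
    }
  ],
  "eventFields": [
    {
      "event_id": 4001,
      "patterns": [
        {
          "pattern": "WidgetID",
          "canonical": "WidgetID",
          "section": "CustomBlock",
          "value_type": "string"
        }
      ]
    }
  ],
  "events": [
    {
      "event_id": 4001,
      "category": "Custom",
      "subtype": "Injected",
      "outcome": "success"
    }
  ]
}
JSON

generate_conf
# The config is one single-quoted shell string; each path is spliced in by
# closing the quote, expanding inside double quotes, and reopening it.  The
# double quotes matter: add_conf only consumes its first argument, so an
# unquoted expansion containing whitespace would be word-split and silently
# truncate everything after it.
#
# validation.mode="strict" is deliberate: the definition file is test input,
# and this test is meant to fail loudly if it is rejected rather than have the
# module fall back to its built-in patterns (exact strict semantics are
# documented in mmsnarewinsec.rst, not visible here).
add_conf '
module(load="../plugins/imtcp/.libs/imtcp")
module(load="../plugins/mmsnarewinsec/.libs/mmsnarewinsec" \
       definition.file="'"${PWD}/${DEF_FILE}"'" \
       validation.mode="strict")

# Column order: Category, CustomBlock!WidgetID, EventData!CustomEventTag, Outcome
template(name="customfmt" type="list") {
  property(name="$!win!Event!Category")
  constant(value=",")
  property(name="$!win!CustomBlock!WidgetID")
  constant(value=",")
  property(name="$!win!EventData!CustomEventTag")
  constant(value=",")
  property(name="$!win!Event!Outcome")
  constant(value="\n")
}

action(type="mmsnarewinsec")
action(type="omfile" file="'"$RSYSLOG_OUT_LOG"'" template="customfmt")
input(type="imtcp" port="0" listenPortFileName="'"$RSYSLOG_DYNNAME"'.tcpflood_port")
'

startup
assign_tcpflood_port "$RSYSLOG_DYNNAME.tcpflood_port"
# One message from the sample file (not shown here) is enough: it must carry
# the custom section, the WidgetID and CustomEventTag values for event 4001.
tcpflood -m 1 -I "${srcdir}/testsuites/mmsnarewinsec/sample-custom-pattern.data"
shutdown_when_empty
wait_shutdown

# rsyslogd has exited, so the definition file is no longer needed.  Remove it
# before the check: content_check exits on mismatch, which previously left the
# generated file behind on the failure path.
rm -f "$DEF_FILE"

# Expected: WidgetID=ZX-42 (event-specific pattern, CustomBlock section),
# CustomEventTag=Demo (custom EventData field) and outcome=success (events
# table).  The leading comma anchors on the column boundary; the Category
# column itself is not pinned by this check.
content_check ',ZX-42,Demo,success' "$RSYSLOG_OUT_LOG"
exit_test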