mirror of
https://github.com/rsyslog/rsyslog.git
synced 2026-06-19 18:42:59 +02:00
b3a124b0ae
Rename the Snare Windows Security parser module from "mmsnarewinsec" to "mmsnareparse" for clearer naming and consistency with other parser modules. Update code identifiers, build system, docs, tests, CI flags, and paths accordingly. What changed - MODULE_CNFNAME set to "mmsnareparse"; default macro renamed - Log/error/debug tags updated to "mmsnareparse" - plugins/mmsnarewinsec/* moved to plugins/mmsnareparse/* - configure.ac: - add --enable-mmsnareparse - AM_CONDITIONAL(ENABLE_MMSNAREPARSE) - AC_CONFIG_FILES now includes plugins/mmsnareparse/Makefile - Makefile.am subdir switch to plugins/mmsnareparse - Tests renamed and updated (scripts and testsuites directory) - Docs page renamed and examples updated - CI workflow uses --enable-mmsnareparse - Rebase to main; resolved configure.ac conflict Impact - Backwards-incompatible module name and configure flag changes. Migration - Config: module(load="mmsnareparse"), action(type="mmsnareparse") - Build: use --enable-mmsnareparse Co-authored-by: alorbach <alorbach@adiscon.com>
47 lines
1.4 KiB
Bash
Executable File
47 lines
1.4 KiB
Bash
Executable File
#!/bin/bash
|
|
# Validate mmsnareparse when receiving raw syslog messages over TCP.
|
|
unset RSYSLOG_DYNNAME
|
|
. ${srcdir:=.}/diag.sh init
|
|
|
|
generate_conf
|
|
add_conf '
|
|
module(load="../plugins/imtcp/.libs/imtcp")
|
|
module(load="../plugins/mmsnareparse/.libs/mmsnareparse")
|
|
|
|
template(name="outfmt" type="list") {
|
|
property(name="$!win!Event!EventID")
|
|
constant(value=",")
|
|
property(name="$!win!Event!Channel")
|
|
constant(value=",")
|
|
property(name="$!win!Event!EventType")
|
|
constant(value=",")
|
|
property(name="$!win!Event!CategoryText")
|
|
constant(value=",")
|
|
property(name="$!win!Event!Computer")
|
|
constant(value="\n")
|
|
}
|
|
|
|
ruleset(name="winsec") {
|
|
action(type="mmsnareparse")
|
|
action(type="omfile" file="'$RSYSLOG_OUT_LOG'" template="outfmt")
|
|
}
|
|
|
|
input(type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port" ruleset="winsec")
|
|
'
|
|
|
|
startup
|
|
assign_tcpflood_port $RSYSLOG_DYNNAME.tcpflood_port
|
|
cat "$srcdir/testsuites/mmsnareparse/sample-windows2022-security.data" \
|
|
"$srcdir/testsuites/mmsnareparse/sample-windows2025-security.data" \
|
|
> ${RSYSLOG_DYNNAME}.payload
|
|
tcpflood -m 1 -I ${RSYSLOG_DYNNAME}.payload
|
|
rm -f ${RSYSLOG_DYNNAME}.payload
|
|
|
|
shutdown_when_empty
|
|
wait_shutdown
|
|
|
|
content_check '4608,Security,Success Audit,Security State Change,WIN-5SB1I3G0V7U' $RSYSLOG_OUT_LOG
|
|
content_check '4616,Security,Success Audit,Security State Change,WIN-5SB1I3G0V7U' $RSYSLOG_OUT_LOG
|
|
|
|
exit_test
|