Hello there,
I’m new to Graylog, so excuse me if this is a dumb question, but I’m trying to send syslog from an application called ADAudit Plus.
When I enable it to send syslog messages to Graylog, this is how it looks in Graylog:
"
[ Category = LogonReports ] [ REPORT_PROFILE = All Users Logon ] [ USERNAME = testuser ] [ CLIENT_IP_ADDRESS = 10.x.x.x ] [ CLIENT_HOST_NAME = testcomp.test.com ] [ TIME_GENERATED = 1550222219 ] [ RECORD_NUMBER = 105215901 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ DOMAIN = test ] [ SOURCE = test.test.com ] [ LOGON_SERVICE = krbtgt ] [ USER_SID = %{S-1-5-21-823518204-1963214169-725345543-15345} ] [ ERROR_CODE = 0x0 ] [ ERROR_CODE_TEXT = - ] [ EVENT_NUMBER = 4768 ] [ REMARKS = A Kerberos authentication ticket (TGT) was requested. ] [ PRE_AUTHENTICATION_TYPE = 2 ] [ TRANSITED_SERVICES = null ] [ TICKET_OPTIONS = 0x40810010 ] [ TICKET_ENCRYPTION_TYPE = 0x12 ] [ CLIENT_PORT = 53544 ] [ CERTIFICATE_THUMBPRINT = null ] [ CERTIFICATE_SERIAL_NUMBER = null ] [ CERTIFICATE_ISSUER_NAME = null ] [ USER_SAM_ACCOUNT_NAME = null ] [ USER_DISPLAY_NAME = null ] [ USER_PRINCIPAL_NAME = null ] [ USER_GUID = null ] [ USER_DISTINGUISH_NAME = null ] [ USER_OU_GUID = null ] [ USER_DEPARTMENT = null ] [ USER_MANAGER_NAME = null ] [ CLIENT_HOST_DOMAIN_NAME = null ] [ SOURCE_NAME = null ] [ LOG_FILE_NAME = null ] [ KEYWORDS_NAME = null ] [ TASK_CATEGORY_NAME = null ] [ TASK_CATEGORY_ID = null ] [ EXTRA_COLUMN1 = null ] [ EXTRA_COLUMN2 = null ] [ EXTRA_COLUMN3 = null ] [ EXTRA_COLUMN4 = null ] [ EXTRA_COLUMN5 = null ] [ EXTRA_COLUMN6 = null ] [ EXTRA_COLUMN7 = null ] [ EXTRA_COLUMN8 = null ] [ EXTRA_COLUMN9 = null ] [ EXTRA_COLUMN10 = null ] [ CONFIGURED_DOMAIN_NAME = null ]
"
(I’ve gotten it to work with nxlog and the GELF format, but I would prefer to just forward the message from our current AD audit software).
I have the option to change the “[” “=” “]” in the software, but I don’t know what to change to get Graylog to automatically index this information. I also have the option of sending the data with RFC 3164, but the issue is the same.
I’ve used the UDP syslog input in Graylog.
Hope you can help
Thanks in advance.
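As an added example (not part of the original post, and not ADAudit Plus or Graylog code), here is a small Python parser for the `[ KEY = VALUE ]` format quoted above that turns one line into a GELF 1.1 message, the format the poster already has working via nxlog. The regex assumes the default delimiters shown in the post (`[`, `=`, `]` padded with single spaces); if you change them in ADAudit Plus the pattern has to change too. The sample line is constructed and shortened from the quoted message, and `adauditplus` is an assumed fallback host name.

```python
import json
import re
from typing import Dict, Optional

# One ADAudit Plus field looks like "[ KEY = VALUE ]". The value is matched
# lazily, so it may contain spaces, parentheses and '=' characters; it ends at
# the first " ]" that follows it. A value that itself contains " ]" would be
# truncated, which is the one known limitation of this approach.
FIELD_RE = re.compile(r"\[ (\w+) = (.*?) \]")

# ADAudit Plus wraps SIDs as "%{S-1-5-...}"; we strip that wrapper.
SID_WRAPPER_RE = re.compile(r"^%\{(.*)\}$")

# Fields that are integers in the source data and worth indexing as numbers.
INTEGER_FIELDS = {"EVENT_NUMBER", "EVENT_TYPE", "RECORD_NUMBER", "CLIENT_PORT"}

# Constructed sample, shortened from the message quoted in the post above.
SAMPLE = (
    "[ Category = LogonReports ] [ REPORT_PROFILE = All Users Logon ] "
    "[ USERNAME = testuser ] [ CLIENT_IP_ADDRESS = 10.0.0.5 ] "
    "[ CLIENT_HOST_NAME = testcomp.test.com ] [ TIME_GENERATED = 1550222219 ] "
    "[ EVENT_TYPE_TEXT = Success ] [ SOURCE = test.test.com ] "
    "[ USER_SID = %{S-1-5-21-823518204-1963214169-725345543-15345} ] "
    "[ ERROR_CODE = 0x0 ] [ EVENT_NUMBER = 4768 ] "
    "[ REMARKS = A Kerberos authentication ticket (TGT) was requested. ] "
    "[ TICKET_ENCRYPTION_TYPE = 0x12 ] [ USER_SAM_ACCOUNT_NAME = null ]"
)


def parse_adaudit_fields(line: str) -> Dict[str, Optional[str]]:
    """Extract KEY -> VALUE pairs; 'null' becomes None, SID wrapper is removed."""
    fields: Dict[str, Optional[str]] = {}
    for key, value in FIELD_RE.findall(line):
        if value == "null":
            fields[key] = None
            continue
        m = SID_WRAPPER_RE.match(value)
        fields[key] = m.group(1) if m else value
    return fields


def to_gelf(line: str, default_host: str = "adauditplus") -> dict:
    """Build a GELF 1.1 message dict from one ADAudit Plus syslog line.

    Null fields are dropped rather than indexed as the string "null", the
    epoch TIME_GENERATED becomes the GELF timestamp, and every other field is
    added as a lower-cased additional field with the mandatory '_' prefix.
    """
    fields = parse_adaudit_fields(line)
    gelf = {
        "version": "1.1",
        "host": fields.get("SOURCE") or default_host,
        "short_message": fields.get("REMARKS") or line[:120],
    }
    ts = fields.get("TIME_GENERATED")
    if ts is not None and ts.isdigit():
        gelf["timestamp"] = int(ts)
    for key, value in fields.items():
        if value is None or key == "TIME_GENERATED":
            continue
        name = "_" + key.lower()
        if name == "_id":  # GELF reserves "_id"; this name never occurs here
            continue
        gelf[name] = int(value) if key in INTEGER_FIELDS and value.isdigit() else value
    return gelf


def gelf_json(line: str) -> str:
    """Serialise the GELF message; this is the payload you would send to a GELF input."""
    return json.dumps(to_gelf(line), sort_keys=True)


if __name__ == "__main__":
    print(gelf_json(SAMPLE))
```

With this you can search for `_event_number:4768` or `_username:testuser` in Graylog instead of running a regex over the whole message each time; dropping the `null` fields also keeps roughly forty empty `EXTRA_COLUMN*` and `USER_*` fields out of the index.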