Hello all,

Maybe someone on the IHAP list has some experience with Splunk in particular, or with syslog and CEF in general, and could help us here?

We want to send intelmq events to a remote syslog instance for further processing in CEF or JSON format. How could we transform the data to CEF and maintain parseability? See my email below and the PR and the discussion there for more details.
This is the PR in question: https://github.com/certtools/intelmq/pull/503

According to this specification[0] I found,
 - | should be escaped to \|
 - \ should be escaped to \\
 - = should be escaped to \= (we don't use that though)
 - newlines should be \n (is \\n meant?)

But we do have arbitrary strings (including \0 and others). It seems CEF does not allow these values.

Sebastian

[0]: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf

On 05/10/2016 11:01 AM, Sebastian Wagner wrote:
Dear developers, contributors, users, etc.

Pedro Reis (@pedromreis) opened a pull request for a UDP output bot, which can be used to send events to a syslog daemon (and then picked up by further processing software).
The implementation has the following features:

I can see some potential problems with the 'delimited'-method here:

Possible solutions could be:


As you may have possible applications for this bot or you have experience with events in syslog, I would appreciate some feedback from you.

Sebastian

-- 
// Sebastian Wagner <wagner@cert.at> - T: +43 1 50564167201 
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Company register number 172568b, LG Salzburg


_______________________________________________
Intelmq-dev mailing list
Intelmq-dev@lists.cert.at
http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev

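As an added example, not code from the IntelMQ project or from the UDP output bot in the PR, here are the escaping rules listed in Sebastian's mail implemented as a small Python CEF encoder with a matching parser, so the round trip from event to syslog line and back can be checked. The function names (to_cef, parse_cef), the mapping of event fields onto the CEF header and the severity value are assumptions. So is the handling of NUL and other control characters, which the CEF paper gives no escape for: the encoder writes them as \xHH and the parser reverses that, so arbitrary strings stay parseable and no raw control byte reaches the syslog line.

```python
# Added example: CEF escaping per the rules quoted from the CEF white paper
# (header: \ and |; extension values: \ and =; newline written as the two
# characters \n) plus an ASSUMPTION for control characters the paper does not
# cover (written as \xHH). Not IntelMQ or PR code; field mapping is made up.
import re

# Control characters CEF defines no escape for (ASSUMPTION: hex-escape them).
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
# Extension keys we accept (IntelMQ keys like "source.ip" fit this pattern).
_KEY_OK = re.compile(r"^[A-Za-z0-9_.]+$")
# A key starts the line or follows whitespace; '=' inside values is escaped,
# so "key\=value" inside a value can never match.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# One escape sequence: \xHH or a single escaped character.
_ESC = re.compile(r"\\(x[0-9a-fA-F]{2}|.)", re.S)


def escape_header(value):
    """Header fields: escape backslash first, then the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values: backslash, '=', CR/LF as \\r and \\n, then (assumption)
    remaining control characters as \\xHH."""
    out = value.replace("\\", "\\\\").replace("=", "\\=")
    out = out.replace("\r", "\\r").replace("\n", "\\n")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), out)


def to_cef(event, vendor="IntelMQ", product="intelmq", version="0", severity="5"):
    """Serialise a flat event dict to one CEF:0 line (constructed field mapping)."""
    header = [
        "CEF:0", vendor, product, version,
        event.get("classification.type", "unknown"),  # used as Signature ID
        event.get("event_description.text", ""),      # used as Name
        str(severity),
    ]
    parts = []
    for key, value in sorted(event.items()):
        if not _KEY_OK.match(key):
            raise ValueError("extension key not representable in CEF: %r" % key)
        parts.append("%s=%s" % (key, escape_extension(str(value))))
    return "|".join(escape_header(f) for f in header) + "|" + " ".join(parts)


def _split_header(line):
    """Return the seven header fields (honouring \\| and \\\\) and the rest."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def unescape_extension(value):
    """Reverse escape_extension, decoding left to right so \\\\x00 stays literal."""
    def repl(m):
        s = m.group(1)
        if len(s) == 3 and s[0] == "x":
            return chr(int(s[1:], 16))
        return {"n": "\n", "r": "\r"}.get(s, s)
    return _ESC.sub(repl, value)


def parse_extension(ext):
    """Split 'k=v k2=v v' into a dict; values may contain spaces."""
    matches = list(_KEY.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = unescape_extension(ext[m.end():end])
    return result


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line."""
    fields, ext = _split_header(line)
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    header = dict(zip(names, fields))
    if header["version"] != "CEF:0":
        raise ValueError("unsupported CEF version: %r" % header["version"])
    return header, parse_extension(ext)


# Constructed sample event, not a real IntelMQ event; it deliberately contains
# every troublesome character from the mail: '|', '=', newline, '\' and NUL.
SAMPLE_EVENT = {
    "source.ip": "192.0.2.10",
    "classification.type": "malware",
    "event_description.text": "C&C | beacon",
    "malware.name": "foo=bar\nline2",
    "extra": "nul\x00byte\\end key=trap",
}


def roundtrip(event):
    """Encode and decode again; the caller compares the result to the input."""
    return parse_cef(to_cef(event))


if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
    assert roundtrip(SAMPLE_EVENT)[1] == SAMPLE_EVENT
```

The parser relies on two properties of the encoder: the header is exactly seven pipe-separated fields (so a '|' inside an extension value needs no escape), and every '=' inside a value is escaped, so a key can only be recognised at the start of the line or after whitespace. Trailing spaces in values survive because the next key's leading whitespace is not consumed as part of the value.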