Starting with Syslog-ng PE 7.0.14, the way lists are handled when processing XML-based logs changed.
The XML parser used by the windowsevent() source was updated to handle lists of data within the XML structure; such data is sometimes provided as a series of values in Data tags that carry no attributes, names, or other IDs.
In this case Syslog-ng PE needs to access those values one by one, which is why list handling was added.
As mentioned previously, our team has added the ability to modify the RegEx values, replacing them with the proper expressions so that the logs can be viewed in the most readable form.
To do this we have included the list-head option, which removes the escaping and RegEx characters so that the logs are more human-friendly to read.
Below is an example rewrite rule that formats some of the macros within the XML which, when parsed out, include the RegEx characters. The rewrite rule assumes .SDATA. as the prefix set in the windowsevent() source, the xml() parser, or the windowsevent-parser() parser:
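The XML-to-list step and the effect of list-head, as a small Python model added here for illustration (it is not code from the article or from syslog-ng itself): the values of unnamed Data elements are collected into a list, the list is serialised in a comma-separated form that wraps elements containing commas, double quotes or backslashes in double quotes with backslash escaping (an approximation of syslog-ng's list representation, assumed here rather than taken from its source), and list_head() returns the first element with that escaping stripped, which is the per-field cleanup the rewrite rule on this page performs. The event XML is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Windows event whose EventData carries its values in
# unnamed <Data> elements (no Name attribute), the case described in the article.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data>S-1-5-21-1111-2222-3333-1001</Data>
    <Data>alice</Data>
    <Data>Logon, interactive "console"</Data>
    <Data>C:\\Windows\\System32\\svchost.exe</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def unnamed_data_values(event_xml: str) -> list:
    """Collect the text of every <Data> element that has no Name attribute."""
    root = ET.fromstring(event_xml)
    return [
        (d.text or "")
        for d in root.findall("./e:EventData/e:Data", NS)
        if "Name" not in d.attrib
    ]


def to_list_form(values: list) -> str:
    """Serialise values as a comma-separated list.

    Assumed format (an approximation of syslog-ng's list representation):
    elements containing a comma, double quote or backslash are wrapped in
    double quotes, with backslashes and quotes escaped by a backslash.
    This is the form the raw field shows before list-head is applied.
    """
    out = []
    for v in values:
        if any(c in v for c in ',"\\'):
            v = '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
        out.append(v)
    return ",".join(out)


def parse_list_form(serialized: str) -> list:
    """Inverse of to_list_form: split on unquoted commas, honouring quotes and escapes."""
    items, cur = [], []
    in_quotes = False
    i, n = 0, len(serialized)
    while i < n:
        c = serialized[i]
        if in_quotes:
            if c == "\\" and i + 1 < n:      # escaped character inside quotes
                cur.append(serialized[i + 1])
                i += 2
                continue
            if c == '"':                      # closing quote
                in_quotes = False
            else:
                cur.append(c)
        elif c == '"':                        # opening quote
            in_quotes = True
        elif c == ",":                        # element separator
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur))
    return items


def list_head(serialized: str) -> str:
    """Model of $(list-head): the first element, with list quoting and escaping removed."""
    items = parse_list_form(serialized)
    return items[0] if items else ""


if __name__ == "__main__":
    values = unnamed_data_values(SAMPLE_EVENT_XML)
    raw = to_list_form(values)
    print("raw list field :", raw)
    print("list-head      :", list_head(raw))
```

Running the block prints the serialised field as it appears before the rewrite (quotes and backslashes doubled up) and then the clean first element that list-head yields; the same round trip explains why the rewrite rule applies list-head to each macro individually rather than to the whole event.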
rewrite r_modify_xml {
    set("$(list-head ${.SDATA.Event.RenderingInfo.Message})", value(".SDATA.Event.RenderingInfo.Message"));
    set("$(list-head ${.SDATA.Event.RenderingInfo.Keywords.Keyword})", value(".SDATA.Event.RenderingInfo.Keywords.Keyword"));
    set("$(list-head ${.SDATA.Event.RenderingInfo.Task})", value(".SDATA.Event.RenderingInfo.Task"));
    set("$(list-head ${.SDATA.Event.RenderingInfo.Provider})", value(".SDATA.Event.RenderingInfo.Provider"));
    set("$(list-head ${.SDATA.Event.EventData.SubjectUserSid})", value(".SDATA.Event.EventData.SubjectUserSid"));
    set("$(list-head ${.SDATA.Event.EventData.SubjectUserName})", value(".SDATA.Event.EventData.SubjectUserName"));
    set("$(list-head ${.SDATA.Event.EventData.SubjectDomainName})", value(".SDATA.Event.EventData.SubjectDomainName"));
    set("$(list-head ${.SDATA.Event.EventData.SubjectLogonId})", value(".SDATA.Event.EventData.SubjectLogonId"));
    set("$(list-head ${.SDATA.Event.EventData.ObjectServer})", value(".SDATA.Event.EventData.ObjectServer"));
    set("$(list-head ${.SDATA.Event.EventData.ObjectType})", value(".SDATA.Event.EventData.ObjectType"));
    set("$(list-head ${.SDATA.Event.EventData.ObjectName})", value(".SDATA.Event.EventData.ObjectName"));
    set("$(list-head ${.SDATA.Event.EventData.OperationType})", value(".SDATA.Event.EventData.OperationType"));
    set("$(list-head ${.SDATA.Event.EventData.HandleId})", value(".SDATA.Event.EventData.HandleId"));
    set("$(list-head ${.SDATA.Event.EventData.LogonProcessName})", value(".SDATA.Event.EventData.LogonProcessName"));
    set("$(list-head ${.SDATA.Event.EventData.PrivilegeList})", value(".SDATA.Event.EventData.PrivilegeList"));
    set("$(list-head ${.SDATA.Event.EventData.KeyFilePath})", value(".SDATA.Event.EventData.KeyFilePath"));
    set("$(list-head ${.SDATA.Event.EventData.ProcessName})", value(".SDATA.Event.EventData.ProcessName"));
    set("$(list-head ${.SDATA.Event.EventData.AccessList})", value(".SDATA.Event.EventData.AccessList"));
    set("$(list-head ${.SDATA.Event.EventData.AccessMask})", value(".SDATA.Event.EventData.AccessMask"));
    set("$(list-head ${.SDATA.Event.EventData.Properties})", value(".SDATA.Event.EventData.Properties"));
    set("$(list-head ${.SDATA.Event.EventData.AdditionalInfo})", value(".SDATA.Event.EventData.AdditionalInfo"));
    set("$(list-head ${.SDATA.Event.EventData.AdditionalInfo2})", value(".SDATA.Event.EventData.AdditionalInfo2"));
};
Ensure that the rewrite rule is called within the log statement as seen in the following example:
log {
    source(s_sample_source);
    rewrite(r_modify_xml);
    destination(d_sample_destination);
};
Once the rewrite is in place, the logs should be more human-friendly to read, as the RegEx characters will have been replaced with their expressions.