Hi all,
I have a rule in Syslog NG that searches for forwarded Windows Event Logs with a specific Event ID.
The MessageText field is configured to match MSWinEventLog\t[0-4]\tSecurity\t\d{1,10}?\t.{24}\t4662\t.*
The rule works, but it isn't catching all relevant events.
We also log everything to a database and I can find numerous other 4662 events in the database that aren't being caught by this rule. I have even taken events in the database which were missed by this rule and tested them against the rule (e.g. regex101.com) and they do match the rule.
So my guess is that the regex rule is taking too long in real-time to evaluate every incoming log and ends up missing some. Just a guess, though.
Has anyone else had issues like this? If so, how have you resolved it?
Any help is appreciated.
Regards,
Eric
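As an added example (not code from the original post), the following Python script applies the posted pattern to a few constructed MSWinEventLog-style lines and compares it with a simple tab-field check, so that lines the pattern silently rejects can be spotted offline before the rule goes back into syslog-ng. The sample lines and the assumed field order (header, criticality, log name, counter, timestamp, event ID, rest) are constructed for illustration; the only part taken from the post is the regex itself.

```python
import re

# Pattern exactly as posted in the question. Applied with search(), which
# mirrors an unanchored syslog-ng match() filter.
POSTED_PATTERN = re.compile(
    r"MSWinEventLog\t[0-4]\tSecurity\t\d{1,10}?\t.{24}\t4662\t.*"
)

# Constructed sample lines (not real log data). Assumed tab-separated layout:
# header \t criticality \t log name \t counter \t timestamp \t event id \t ...
SAMPLE_LINES = [
    # 0: timestamp is exactly 24 characters wide, as the pattern expects
    "MSWinEventLog\t1\tSecurity\t12345\tWed Jan 01 12:00:00 2020\t4662\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tAudit Success\tDC01\t"
    "Directory Service Access\t\tAn operation was performed on an object.",
    # 1: same event, but a 19-character timestamp; .{24} cannot match it
    "MSWinEventLog\t1\tSecurity\t12346\t2020-01-01 12:00:00\t4662\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tAudit Success\tDC01\t"
    "Directory Service Access\t\tAn operation was performed on an object.",
    # 2: a different event ID; neither check should fire
    "MSWinEventLog\t1\tSecurity\t12347\tWed Jan 01 12:00:01 2020\t4663\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tAudit Success\tDC01\t"
    "File System\t\tAn attempt was made to access an object.",
    # 3: syslog header in front of the message; an unanchored search still hits
    "<13>Jan  1 12:00:02 dc01 MSWinEventLog\t1\tSecurity\t12348\t"
    "Wed Jan 01 12:00:02 2020\t4662\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Success\tDC01\tDirectory Service Access\t\tdetails",
]


def regex_matches(line: str) -> bool:
    """True if the posted pattern matches the line (unanchored search)."""
    return POSTED_PATTERN.search(line) is not None


def field_matches(line: str, event_id: str = "4662", log_name: str = "Security") -> bool:
    """Field-based check that does not depend on the timestamp width.

    Splits on tabs and looks at the log-name and event-ID positions of the
    assumed layout. The header field is matched by suffix so a syslog prefix
    in front of 'MSWinEventLog' does not break the check.
    """
    fields = line.split("\t")
    if len(fields) < 6:
        return False
    return (
        fields[0].endswith("MSWinEventLog")
        and fields[2] == log_name
        and fields[5] == event_id
    )


def find_discrepancies(lines: list[str]) -> list[int]:
    """Indices of lines where the regex and the field check disagree.

    Each such line is a candidate for the 'event in the database but not
    caught by the rule' symptom described in the post.
    """
    return [i for i, line in enumerate(lines) if regex_matches(line) != field_matches(line)]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LINES):
        print(f"line {i}: regex={regex_matches(line)} fields={field_matches(line)}")
    print("disagreements:", find_discrepancies(SAMPLE_LINES))
```

Running this on a dump of the missed events from the database (one message per line, tabs intact) would show whether the gap is in the pattern or elsewhere: if `find_discrepancies` returns nothing for the missed lines, the pattern itself is not rejecting them and the cause lies in how the message reaches the filter. Note that lazy `\d{1,10}?` followed by a literal tab behaves the same as the greedy form here, so it only affects backtracking, not which lines match.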