We were previously using Snare for syslog forwarding to our Kiwi server, but it would periodically send old syslogs from Windows eventvwr on random servers. We migrated to Log Forwarder and it has been much better. Our only issue now is that we previously ran reports on our syslog logfiles and since Snare would dump all information to one line, parsing and finding the information we needed was easy. Log Forwarder logs to multiple lines which is a problem when we want to gather logged information. Does anyone know how to not make our syslogs look like this? ...
2011-06-06 07:38:21 Syslog.Notice server Jun 06 07:38:19 server.local.dom MSWinEventLog 5 Security 40186 Mon Jun 06 07:38:18 2011 4634 Microsoft-Windows-Security-Auditing N/A Audit Success server.local.dom 12545 An account was logged off.
Subject:
Security ID: S-...
Account Name: ...
Account Domain: ...
Logon ID: ...
Logon Type: 10
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
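One way to get the single-line records back on the reporting side, as an added example that is not part of the original post and not code from Kiwi, Snare or SolarWinds: fold each multi-line event into one record and pull out the fields you report on. It assumes, from the sample above, that every record Kiwi writes starts with a "YYYY-MM-DD HH:MM:SS" receive timestamp and that the MSWinEventLog header puts the event ID right after the event date. The SIDs, account names and logon IDs in the sample data are constructed. It also goes one step beyond the post by keeping track of the "Subject:" and "New Logon:" sections, since events such as 4624 repeat the same field names in both.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the post's Kiwi output: a 4634 record followed
# by a 4624 record, each spread over several lines. SIDs, names and logon IDs
# are made up for this example.
SAMPLE = """\
2011-06-06 07:38:21 Syslog.Notice server Jun 06 07:38:19 server.local.dom MSWinEventLog 5 Security 40186 Mon Jun 06 07:38:18 2011 4634 Microsoft-Windows-Security-Auditing N/A Audit Success server.local.dom 12545 An account was logged off.
Subject:
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1001
Account Name: jdoe
Account Domain: LOCALDOM
Logon ID: 0x1A2B3C
Logon Type: 10
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
2011-06-06 07:40:02 Syslog.Notice server Jun 06 07:40:01 server.local.dom MSWinEventLog 5 Security 40187 Mon Jun 06 07:40:00 2011 4624 Microsoft-Windows-Security-Auditing N/A Audit Success server.local.dom 12544 An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SERVER$
Account Domain: LOCALDOM
Logon ID: 0x3E7
Logon Type: 3
New Logon:
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1002
Account Name: svc_backup
Account Domain: LOCALDOM
Logon ID: 0x4D5E6F
"""

# Assumption: a new record begins with Kiwi's "YYYY-MM-DD HH:MM:SS " receive
# timestamp; any other line is a continuation of the record being built.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Assumption (from the sample line): "... MSWinEventLog <ver> <log> <counter>
# <Www Mmm dd HH:MM:SS yyyy> <event id> <source> ..."
HEADER = re.compile(
    r"MSWinEventLog\s+\d+\s+(?P<log>\S+)\s+\d+\s+"
    r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\s+"
    r"(?P<event_id>\d+)\s+(?P<source>\S+)"
)
SECTION = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")      # e.g. "Subject:"
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.+)$")    # e.g. "Logon Type: 10"


def fold_records(text: str, sep: str = " | ") -> List[str]:
    """Join each multi-line event back into one line, Snare-style."""
    records: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if RECORD_START.match(line):
            if current:
                records.append(sep.join(current))
            current = [line]
        elif current:  # continuation; text before the first header is dropped
            current.append(line)
    if current:
        records.append(sep.join(current))
    return records


def parse_record(record: str, sep: str = " | ") -> Dict[str, str]:
    """Extract header fields plus 'Section.Field' pairs from a folded record."""
    parts = record.split(sep)
    out: Dict[str, str] = {"received": parts[0][:19]}
    m = HEADER.search(parts[0])
    if m:
        out.update(m.groupdict())
    section = ""
    for part in parts[1:]:
        s = SECTION.match(part)
        if s:
            section = s.group(1)
            continue
        f = FIELD.match(part)
        if f:
            key = f"{section}.{f.group(1)}" if section else f.group(1)
            out[key] = f.group(2)
    return out


def parse_all(text: str) -> List[Dict[str, str]]:
    """Fold and parse every record in a Kiwi log file's text."""
    return [parse_record(r) for r in fold_records(text)]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE):
        print(rec["event_id"], rec.get("Subject.Account Name"),
              rec.get("New Logon.Account Name"), rec.get("Subject.Logon Type"))
```

Run it over the file Kiwi writes (`parse_all(open(path).read())`) and feed the dicts to whatever produced the old reports. The " | " separator is a choice, not a Kiwi convention; pick a character that never occurs in the event text if you intend to write the folded lines back out as a one-line log.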