
is it possible to have syslog messages in one line instead of a multi-line syslog message?

So I'm trying to accomplish the following:

I want the "MessageText" to appear in one constant line of text instead of it being indented with tabs and enters for the subject, group and process information. Is it possible to achieve this? I've tried messing around with the logging formats and even creating my own, but no dice.

I tried searching around but couldn't manage to find much about it. Can anyone help me out with this?

Currently an example syslog I've received:

'6/27/2019','1:55:12 PM','6/27/2019 1:55:12 PM','639','+0200','Kernel','Notice','Kernel.Notice','192.168.100.130','192.168.100.130','UDP','Jun 27 13:24:15 WIN-RDSGFDFGDFG MSWinEventLog    5    Security    41    Thu Jun 27 13:24:11 2019    4799    Microsoft-Windows-Security-Auditing        N/A    Audit Success    WIN-RSDFSDFSDF    13826    A security-enabled local group membership was enumerated.

Subject:
    Security ID:        S-x-x-xx
    Account Name:        WIN-SDFSDFSDFSDF
    Account Domain:        WORK
    Logon ID:        0x3E7

Group:
    Security ID:        S-x-x-xx-xxx
    Group Name:        Backup Operators
    Group Domain:        Builtin

Process Information:
    Process ID:        0xxxxxxxx
    Process Name:        C:\Windows\System32\sdgdfsgdfg.exe'

I want the 3 paragraphs at the end (subject, group and process information) to be pasted onto the end of the first line of text, with their spaces and tabs, instead of continuing on the next line. Is this even possible to achieve?

'6/27/2019','1:55:12 PM','6/27/2019 1:55:12 PM','639','+0200','Kernel','Notice','Kernel.Notice','192.168.178.130','192.168.178.130','UDP','Jun 27 13:24:15 WIN-ROBKHFCU8AS MSWinEventLog    5    Security    41    Thu Jun 27 13:24:11 2019    4799    Microsoft-Windows-Security-Auditing        N/A    Audit Success    WIN-ROBKHFCU8AS    13826    A security-enabled local group membership was enumerated.

Subject:
    Security ID:        S-1-5-18
    Account Name:        WIN-ROBKHFCU8AS$
    Account Domain:        WORKGROUP
    Logon ID:        0x3E7

Group:
    Security ID:        S-1-5-32-551
    Group Name:        Backup Operators
    Group Domain:        Builtin

Process Information:
    Process ID:        0x1084
    Process Name:        C:\Windows\System32\VSSVC.exe'


Hi

Here is the solution I am using.

It's a way to replace CRLF with a space using Action: Run Script.

1) Save the following script as a text file in any folder on the PC where KSS is installed.

The contents of this file are:

--------------------------------------
Function Main()
    ' Replace each CRLF within the message text field with a space
    Fields.VarCleanMessageText = Replace(Fields.VarCleanMessageText, vbCrLf, " ")
    ' Return OK to tell Kiwi Syslog that the script ran correctly.
    Main = "OK"
End Function
---------------------------------------

I saved it as "Script_ReplaceText_CRLF2space.txt".

2) Add "Action: Run Script" to the rule.

It needs to be added above "Action: Display" and "Action: Log to file".

The reason is that KSS executes actions in order from the top.

3) Specify the script file of 1) in "Action: Run Script".

Enable all checkboxes under Field Read/Write permissions.

It will be as follows:

[image: ActionRunScript_sample.png]

The display before and after running this script is:

[image: Before_After.png]
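As an added illustration (not part of the reply above and not Kiwi Syslog Server code), here is the same line-break-to-space transform in Python, together with a parser for the resulting one-line record: it shows that the tabs the original poster wants to keep still let a downstream tool (SIEM, log parser) recover every Subject, Group and Process Information field from the flattened event 4799. The sample message is constructed with placeholder values.

```python
import re

# Constructed sample (placeholder values, not from a real host): the multi-line
# MessageText of a Windows Security event 4799 as it arrives at the syslog server.
SAMPLE_MESSAGE = (
    "Jun 27 13:24:15 WIN-EXAMPLE MSWinEventLog\t5\tSecurity\t41\t"
    "Thu Jun 27 13:24:11 2019\t4799\tMicrosoft-Windows-Security-Auditing\t\tN/A\t"
    "Audit Success\tWIN-EXAMPLE\t13826\t"
    "A security-enabled local group membership was enumerated.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tWIN-EXAMPLE$\r\n"
    "\tAccount Domain:\t\tWORKGROUP\r\n"
    "\tLogon ID:\t\t0x3E7\r\n\r\n"
    "Group:\r\n"
    "\tSecurity ID:\t\tS-1-5-32-551\r\n"
    "\tGroup Name:\t\tBackup Operators\r\n"
    "\tGroup Domain:\t\tBuiltin\r\n\r\n"
    "Process Information:\r\n"
    "\tProcess ID:\t\t0x1084\r\n"
    "\tProcess Name:\t\tC:\\Windows\\System32\\VSSVC.exe"
)
# A section header is preceded by the blank line that flattening turns into two spaces.
SECTION_RE = re.compile(r"  (Subject|Group|Process Information): ")
# A field is "<tab>Label:<tabs>Value"; the value runs until the next field (" \t"),
# the next section ("  ") or the end of the line.
FIELD_RE = re.compile(r"\t([\w ]+):\t+(.*?)(?= \t|  |$)")

def flatten_message(text: str) -> str:
    """Same transform as the KSS script: every line break becomes one space.
    Unlike Replace(..., vbCrLf, " ") this also covers bare LF and bare CR."""
    return re.sub(r"\r\n|\r|\n", " ", text)

def parse_fields(flat: str) -> dict:
    """Recover the Subject / Group / Process Information fields from the
    flattened line. Tabs survive flattening, so they still separate labels
    from values and one field from the next."""
    parsed = {}
    headers = list(SECTION_RE.finditer(flat))
    for i, hdr in enumerate(headers):
        start = hdr.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(flat)
        parsed[hdr.group(1)] = dict(FIELD_RE.findall(flat[start:end]))
    return parsed

if __name__ == "__main__":
    one_line = flatten_message(SAMPLE_MESSAGE)
    print(one_line)
    print(parse_fields(one_line))
```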
