5 Replies Latest reply on Feb 14, 2019 10:54 AM by mjd

    Parsing Kiwi Syslog Data

    mjd

      All,

       

      I am trying to parse data that is received with Kiwi Syslog and then forward that parsed data to another syslog server that is viewed by other technicians. The issue I am having is that the server that sends the data is sending too much information that is not needed by the destination syslog server. I see that Kiwi Syslog does have the ability to do some parsing via VBScript. I was hoping someone could post a script that I could try that would parse the following data.

       

      02-08-2019 14:25:19 User.Warning 172.16.0.145 Feb  8 20:25:19 Server1.penfield.edu ERAServer[743]: {"event_type":"Threat_Event","ipv4":"172.17.21.137","hostname":"Computer1.microsoft.com","source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db","occured":"08-Feb-2019 19:16:43","severity":"Warning","threat_type":"potentially unwanted application","threat_name":"JS/Spigot.B","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"18843 (20190208)","object_type":"file","object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js","action_taken":"cleaned by deleting","threat_handled":true,"need_restart":false,"circumstances":"Event occurred on a newly created file.","firstseen":"08-Feb-2019 19:16:43","hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}

       

      The only data I need to pass from the Kiwi server to the other syslog server is the following:

       

      "hostname":"Computer1.microsoft.com"

      "threat_name":"JS/Spigot.B"

      "object_uri":"file:///C:/Users/Jdoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js"

      "scanner_id":"Real-time file system protection"

       

      The parts marked in red do change. Is this possible?

       

      Thanks,

      Mike

        • Re: Parsing Kiwi Syslog Data
          kstone

          This one is relatively simple.  Save this as a text file (script.txt), then add the action to run the script.  Make sure the boxes to read and write common fields are checked.  After that action, create another action to forward the message to the other syslog server.

           

           

           

          Function Main()
              ' Kiwi exposes the message body to the script in Fields.VarCleanMessageText
              CleanMsg = Fields.VarCleanMessageText
              ' Split the message on commas; the wanted JSON fields sit at fixed positions
              arrSplits = Split(CleanMsg, ",")
              ' Positions 2, 7, 8 and 12 are hostname, threat_name, scanner_id and object_uri
              Fields.VarCleanMessageText = arrSplits(2) & vbCrLf & arrSplits(7) & vbCrLf & arrSplits(8) & vbCrLf & arrSplits(12)
              Main = "OK"
          End Function

           

          If your content isn't in those fields, add this after the 'Split' command in the script, then change the array item numbers to match the content you need.

           

          ' Debug loop: print every array position with its content so the right indexes can be read off
          x = 0
          For Each item In arrSplits
              wscript.echo "arrSplits(" & x & "): " & item & vbCrLf
              x = x + 1
          Next

           

          Remove or comment out this section or at least the 'wscript.echo' line when it works as expected.

          After each update to the script you need to click 'Apply' or 'OK' in the setup screen to reload the script.
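The script above selects fields by their position after splitting the message on commas. That works for the sample in the question, but any value that itself contains a comma (a folder name, for instance) shifts or truncates the selected pieces. The following is an added example, not code from the thread or from Kiwi Syslog: it reproduces the comma-split selection in Python, parses the JSON object embedded in the message and selects the same four fields by name, and shows the two diverging on a constructed message whose file path contains a comma. Kiwi's script action is VBScript, so this demonstrates the logic rather than a drop-in replacement; the header-less message text and the comma-containing path are assumptions.

```python
import json

# Field order matches the reply's script: positions 2, 7, 8 and 12 of the
# comma-split message are hostname, threat_name, scanner_id and object_uri.
WANTED = ("hostname", "threat_name", "scanner_id", "object_uri")

# Constructed sample: the message from the question, as the script action
# would see it with the Kiwi header columns already removed (assumption).
SAMPLE = (
    'Feb  8 20:25:19 Server1.penfield.edu ERAServer[743]: '
    '{"event_type":"Threat_Event","ipv4":"172.17.21.137",'
    '"hostname":"Computer1.microsoft.com",'
    '"source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db",'
    '"occured":"08-Feb-2019 19:16:43","severity":"Warning",'
    '"threat_type":"potentially unwanted application",'
    '"threat_name":"JS/Spigot.B",'
    '"scanner_id":"Real-time file system protection",'
    '"scan_id":"virlog.dat","engine_version":"18843 (20190208)",'
    '"object_type":"file",'
    '"object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/'
    'scoped_dir6204_15059/CRX_INSTALL/background.js",'
    '"action_taken":"cleaned by deleting","threat_handled":true,'
    '"need_restart":false,'
    '"circumstances":"Event occurred on a newly created file.",'
    '"firstseen":"08-Feb-2019 19:16:43",'
    '"hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}'
)

# Constructed variant (hypothetical path): the same event for a file in a
# folder whose name contains a comma. Nothing else changes.
SAMPLE_COMMA = SAMPLE.replace(
    "AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL",
    "Documents/Reports, 2019",
)


def by_comma_split(msg):
    """The reply's approach: split on ',' and take fixed positions."""
    parts = msg.split(",")
    return "\r\n".join(parts[i] for i in (2, 7, 8, 12))


def by_json(msg, wanted=WANTED):
    """Parse the JSON object in the message and pick fields by name.

    Returns the '"key":"value"' lines the question asks for, one per line,
    or None if the message carries no parseable JSON object so the caller
    can decide whether to drop it or forward it unchanged.
    """
    start, end = msg.find("{"), msg.rfind("}")
    if start == -1 or end < start:
        return None
    try:
        event = json.loads(msg[start:end + 1])
    except json.JSONDecodeError:
        return None
    # json.dumps re-quotes and escapes each value, so quotes or backslashes
    # inside a path cannot break the forwarded line. A missing key yields "".
    return "\r\n".join(
        json.dumps(key) + ":" + json.dumps(event.get(key, ""))
        for key in wanted
    )


if __name__ == "__main__":
    for label, msg in (("question sample", SAMPLE), ("comma in path", SAMPLE_COMMA)):
        print(f"--- {label}: comma split ---")
        print(by_comma_split(msg))
        print(f"--- {label}: json ---")
        print(by_json(msg))
```

On the question's sample both functions return identical text. On the variant, the split version returns an object_uri cut off at the comma with no closing quote, while the JSON version returns the full path; it also returns None for a message with no JSON body, which is the case to decide on explicitly before forwarding.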

            • Re: Parsing Kiwi Syslog Data
              mjd

              Hello kstone,

               

              Thank you for the quick response.

               

              I used the test script that comes with Kiwi that flips dog and cat using the Fields.VarCleanMessageText variable and that works.

               

              I see that in your script you reference two environment variables: Fields.VarCleanMessageText, which would populate anything using CleanMsg, and arrSplits, which would populate anything with split(CleanMsg, ",").

               

               

              Function Main()

              CleanMsg = Fields.VarCleanMessageText

              arrSplits = split(CleanMsg, ",")

              Fields.VarCleanMessageText = arrsplits(2) &  VbCrLf & arrSplits(7) & VbCrLf &  arrSplits(8) & VbCrLf &  arrSplits(12)

              Main = "OK"

              End Function

               

               

              x=o

              wscript.echo "arrSplits(" & x & "): " & item & VbCrLf

              x=x+1

              next

               

              If I run a test, it says "Unexpected Next" on line 23. If I could get this to work with some data, I could probably reverse engineer the script to gather the data I need.

                • Re: Parsing Kiwi Syslog Data
                  kstone

                  That actually won't work correctly as a Kiwi script if you put the wscript.echo in it.  I have that in my script as a section to write a debug file; I changed it to an echo statement to simplify it for you, but Kiwi won't show that output.

                   

                  All you need is this:

                   

                  Function Main()
                      ' Kiwi exposes the message body to the script in Fields.VarCleanMessageText
                      CleanMsg = Fields.VarCleanMessageText
                      ' Split the message on commas; the wanted JSON fields sit at fixed positions
                      arrSplits = Split(CleanMsg, ",")
                      ' Positions 2, 7, 8 and 12 are hostname, threat_name, scanner_id and object_uri
                      Fields.VarCleanMessageText = arrSplits(2) & vbCrLf & arrSplits(7) & vbCrLf & arrSplits(8) & vbCrLf & arrSplits(12)
                      Main = "OK"
                  End Function

              • Re: Parsing Kiwi Syslog Data
                kstone

                Also, there are some good example scripts provided by the application in C:\Program Files (x86)\Syslogd\Scripts.  They should have enough info to get you started on most scripting tasks.