Quantcast
Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager
Viewing all articles
Browse latest Browse all 5385

ManageEngine.xml (Password Manager Pro) Syslog Connector not working

March 21, 2014, 11:24 am
$
0
0

For some reason all events are unmatched.  Any insight would be appreciated.   Thanks in advance... Steve

 

Here’s a simple, single event example that maybe someone can identify why the PMPro Connector can’t parse it right.  This was a user audit event of logging into the application.  The connector suggests the event should be recognized as alertname=”UserLogon”.

 

1.  Here is the entry from syslog7 on LEM:

1395421738000  172.17.4.39 N/A:companyworkstation.companydomain.com User_Logged_in_-_AD  2014/03/21 13:09:00 Success Server-PMPro1  John_Smith:Authenticated_by_AD_and_one_time_password_sent_through_Email

 

2.  Here are the appropriate sections of the connector ManageEngine.xml file:

 

<?xml version="1.0" ?>

 

-<FASTConfiguration
_type="null">

-<DefaultReaderConfiguration
_type="null" autoStart="true" categoryTags="syslog"
description="ManageEngine Password Manager
Pro" fullDescription="Stores and Manages sensitive information" logInterval="1"
logLocation="/var/log/local7.log" logManagementOutput="10.254.10.18"
logManagementPort="10101" logStartPoint="-1"
logType="UnixSyslogFileReader" node="manager,spop"
readerName="ManageEngine" readerOutput="Alert"
stateVars="logStartPoint,readerName" toolId="ManageEngine"
toolType="Application" vendor="ZohoCorp"
version="$Revision: #1 $">

<file_type="null"
attributeName="logLocation" enabled="true"
formatRule="" formatted="false" labelText="Log
File:" preferredOrder="1"
toolTipText="Directory or path to read
from" visible="true" />
<string_type="null"
attributeName="logManagementOutput" enabled="false"
formatRule="" formatted="false" guiVersion="4"
labelText="nDepth Host:" preferredOrder="91"
toolTipText="Hostname of the nDepth appliance to
receive log data" visible="false" />
<integer_type="null"
attributeName="logManagementPort" enabled="false"
guiVersion="4" labelText="nDepth Port:" maxValue="32000"
minValue="0" preferredOrder="92" toolTipText="Port
number of the nDepth appliance to receive log data" visible="false" />
<select_type="null"
attributeName="readerOutput" enabled="false"
guiVersion="4" labelText="Output:" preferredOrder="90"
selectItems="Alert;InDepth;Alert,
InDepth" toolTipText="Data routing (normalized alerts to Manager and/or raw data
to nDepth)" visible="false" />
<integer_type="null"
attributeName="logInterval" enabled="true"
labelText="Sleep Time:" maxValue="3660"
minValue="1" preferredOrder="97" toolTipText="Number of seconds between log reads" visible="true" />
<string_type="null"
attributeName="version" enabled="false"
formatRule="" formatted="false" labelText="Tool
Version:" preferredOrder="99"
toolTipText="Tool version" visible="true" />
<string_type="null"
attributeName="toolId" enabled="false"
formatRule="" formatted="false" labelText="Wrapper
Name:" preferredOrder="98"
toolTipText="Tool Identifier" visible="true" />
</DefaultReaderConfiguration>

 

-<FastToolId
_type="null" description="ManageEngine Password
Manager Pro" id="ManageEngine"
version="59" version_type="int">
-<FastPattern
_type="null" alertName="UserLogon" description="1,
UserLogon: User_Logged_in"
matcher="(\d+) ([\w.]+) (\S+):([\w.]+) \S+
([/.:\d ]+) (?:[Ss]uccess|[Ff]ailure)? \S+ ([^:]*).*" pattern="^\d+
[\w.]+ \S+:[\w.]+ User_Logged_in"
version="5" version_type="int">
<FastField_type="null" defaultValue="Logon "$6" from "$4""
fieldName="EventInfo" type="1" type_type="int"
version="3" version_type="int" />
<FastField_type="null" defaultValue="$2"
fieldName="DetectionIP" type="1" type_type="int"
version="1" version_type="int" />
<FastField_type="null" defaultValue="$1"
fieldName="DetectionTime" type="4" type_type="int"
version="1" version_type="int" />
<FastField_type="null" defaultValue="1"
fieldName="ProviderSID" type="1" type_type="int"
version="1" version_type="int" />
<FastField_type="null" defaultValue="$3"
fieldName="SourceAccount" type="1" type_type="int"
version="3" version_type="int" />
<FastField_type="null" defaultValue="$6"
fieldName="DestinationAccount" type="1" type_type="int"
version="1" version_type="int" />
<FastField_type="null" defaultValue="$4"
fieldName="SourceMachine" type="1" type_type="int"
version="1" version_type="int" />
</FastPattern>

...

...

...

-<FastPattern
_type="null" alertName="InternalNewToolData" description="InternalNewToolData, Unmatched ManageEngine Data" matcher="(\d+)
([\w.]+) \S+:[\w.]+.*"
pattern="^\d+ [\w.]+ \S+:[\w.]+" version="5"
version_type="int">
<FastField_type="null" defaultValue="Unmatched ManageEngine Data ($Revision: #1 $)" fieldName="EventInfo"
type="1"
type_type="int" version="2" version_type="int" />
<FastField_type="null" defaultValue="$2"
fieldName="DetectionIP" type="1" type_type="int"
version="1" version_type="int" />
<FastField_type="null" defaultValue="$1"
fieldName="DetectionTime" type="4" type_type="int"
version="1" version_type="int" />
<FastField_type="null" defaultValue="$0"
fieldName="ExtraneousInfo" type="1" type_type="int"
version="1" version_type="int" />
</FastPattern>
<FastPattern_type="null" alertName=""
alertName_type="null" description="Black
Hole" matcher=".*"
pattern=".*" version="2" version_type="int" />

</FastToolId>

 

</FASTConfiguration>

 

3.  Event recorded in nDepth

InternalNewToolData   Unmatched ManageEngine Data ($Revision: #1$)  swi-lem   swi-lem    172.2.2.100  Fri Mar 21 13:08:58 GMT-0400 2014  Fri Mar 21 13:08:58 GMT-0400 2014   2    PMPro    1395421738000 172.2.2.100 N/A:companyworkstation.companydomain.com User_Logged_in_-_AD 2014/03/21 13:09:00 Success Server-PMPro1 John_Smith:Authenticated_by_AD_and_one_time_password_sent_through_Email

 

4.  Format PMPro indicates it sends the data to syslog:

Syslog message format in case of user audit will be
operatedName+":"+operatedIp,operationType,operatedDate,statusMess,auditUserName+":"+reason

example:  admin:127.0.0.1  Account_Added  2009/12/23 11:39:00  Success  pmp_test  windows-server1:account1:Testing

 

Search
Viewing all articles
Browse latest Browse all 5385

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

February 16, 2017, 4:24 pm

How to win at Markstrat (Markstrat Tips and Tricks) – Vodites

January 5, 2014, 10:34 pm

Ominde Commission Report and Recommendations – Ominde Report of 1964

March 16, 2015, 5:14 am

Bureau of Internal Revenue: Regional Offices (Directory)

January 9, 2014, 11:06 pm

GO 53 on Enhancement of Ex-gratia upto 5 Lakhs Toddy Tappers in Telangana

March 26, 2017, 11:23 pm

Cakewalk CA-2A Leveling Amplifier v2.0.1.97 WiN, v2.0.1.96 OSX Incl Keygen

October 17, 2016, 7:20 am

Mp3 Download: Mdu - Kunjenjenjena

December 7, 2017, 8:16 am

How the kill the job , when DTP request running for long hours.

July 26, 2013, 2:41 am

Microsoft Intune から展開しているアプリのアップデートについて

October 17, 2016, 4:11 am

18-year-old girl was beaten for half an hour by two Northampton men in 'an...

September 1, 2017, 10:00 pm

Car crash in Dunton Bassett leaves driver in critical condition

October 7, 2014, 7:51 am

Macky 2, Two Others In Road Accident

March 29, 2015, 5:34 am

Application log 00000000000000089514: Could not convert queue DLVST90CLNT

May 14, 2015, 11:27 pm

Detroit mafia: D’Anna Brothers agree to plea deal

April 21, 2016, 6:56 am

Delivery block field greyed out using VA02

January 26, 2016, 2:52 pm

Muloraki Au

June 22, 2016, 1:44 am

【個人撮影】スマホのプライベート映像♪「中に出さないで///」カラオケ屋での生ハメ撮りが流出w【リベンジポルノ】@PornHub

October 12, 2017, 2:23 pm

BREAKING NEWS: Diamond Platnumz Is Reported Dead After Ghastly Car Accident

February 9, 2018, 4:56 am

FIAT 500 B0111 B0112

July 5, 2018, 10:31 am
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>