JSON/Text mixed syslog message


Kacper B
Jan 7, 2022, 10:38:21 AM
to sagan-users
Hello,
Does Sagan have the ability to recognize JSON within a message if it's mixed with non JSON?

Samba has this weird standard where they output non JSON before the actual JSON content.

Example:
[2017/07/04 21:07:41.410434, 4, pid=21757] ../auth/auth_log.c:220(log_json) JSON Authorization: {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", "account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}

Steve Rawls
Jan 7, 2022, 1:04:15 PM
to sagan-users
That looks like it might just be a syslog-formatted log, with the JSON in the message field. What are you using to send logs to Sagan? If you are using syslog-ng, you might want to try parsing with the built-in syslog parser before passing it on.

Steve Rawls
Senior Systems Engineer
Quadrant Information Security
4651 Salisbury Road, Suite 315 | Jacksonville, FL 32256
Office: (904) 296-9100 x100
Direct: (904) 831-5362
Toll Free: (800) 538-9357 x100
s...@quadrantsec.com

From: 'Kacper B' via sagan-users <sagan...@googlegroups.com>
Sent: Friday, January 7, 2022 10:38 AM
To: sagan-users <sagan...@googlegroups.com>
Subject: [sagan-users] JSON/Text mixed syslog message
--
You received this message because you are subscribed to the Google Groups "sagan-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sagan-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sagan-users/f019fb6f-0a56-4ab4-9f4e-e53a98e95eaen%40googlegroups.com.

Kacper
Jan 7, 2022, 2:49:58 PM
to sagan...@googlegroups.com
That would work if it were so, but the example log is actually the syslog message Samba outputs to rsyslog in my case.

Da Beave
Jan 8, 2022, 9:28:17 AM
to sagan...@googlegroups.com

This is a bit problematic for Sagan. Sagan can toggle between normal syslog messages and JSON. The issue is Sagan looks for (tests) each message to determine the type and expects one or the other. Your example shows text with some JSON in it.

While you might not be able to use the Sagan JSON keywords, you can still create "normal" signatures that treat the data as "normal" text. My point is, you can still write signatures for what you want.
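The two options raised in this thread, a parsing stage in front of Sagan (Steve's reply) and plain-text signatures over the mixed line (the last reply), can both be illustrated on the Samba line from the first post. The following is an added example, not code from Sagan, syslog-ng, rsyslog or the Samba project: it locates the embedded JSON object in a text-prefixed message using the standard-library decoder, separates it from the prefix so a JSON-aware consumer can receive the object alone, flattens it into dotted keys, and shows the substring check that a "normal" text signature effectively performs. The function names, the `classify` categories and the constant `SAMBA_LINE` (a copy of the quoted log line) are my own assumptions.

```python
import json

# Constructed sample: the Samba auth_log line quoted in the first post of this thread.
SAMBA_LINE = (
    '[2017/07/04 21:07:41.410434, 4, pid=21757] ../auth/auth_log.c:220(log_json) '
    'JSON Authorization: {"type": "Authorization", '
    '"timestamp": "2017-07-04T21:07:41.410408+0200", '
    '"Authorization": {"version": {"major": 1, "minor": 0}, '
    '"sid": "S-1-5-21-469703510-2364959079-1506205053-500", '
    '"serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", '
    '"remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", '
    '"authType": "krb5", "domain": "SAMDOM", "account": "Administrator", '
    '"logonServer": "DC1", "accountFlags": "0x00000210"}}'
)

_DECODER = json.JSONDecoder()


def split_mixed_message(msg):
    """Split a text-prefixed log line into (prefix, json_object, trailing_text).

    Every '{' is tried as the start of an object via raw_decode, so a stray
    brace inside the text prefix does not break extraction. Returns
    (msg, None, '') when no JSON object can be decoded anywhere in the line.
    """
    start = 0
    while True:
        idx = msg.find('{', start)
        if idx == -1:
            return msg, None, ''
        try:
            obj, end = _DECODER.raw_decode(msg, idx)
        except json.JSONDecodeError:
            start = idx + 1
            continue
        if isinstance(obj, dict):
            return msg[:idx].rstrip(), obj, msg[end:]
        start = idx + 1


def classify(msg):
    """'json' for a pure JSON message, 'mixed' for text plus an embedded object, else 'text'.

    This mirrors the one-or-the-other test described in the thread, with a
    third category for the Samba case (hypothetical labels, not Sagan's).
    """
    stripped = msg.strip()
    if stripped.startswith('{'):
        try:
            json.loads(stripped)
            return 'json'
        except json.JSONDecodeError:
            pass
    _, obj, _ = split_mixed_message(msg)
    return 'mixed' if obj is not None else 'text'


def flatten(obj, prefix=''):
    """Flatten nested dicts into dotted keys such as Authorization.account."""
    out = {}
    for key, value in obj.items():
        name = f'{prefix}.{key}' if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def text_signature_match(msg, content):
    """Plain-text check in the spirit of a 'normal' signature: every string must appear."""
    return all(needle in msg for needle in content)


if __name__ == '__main__':
    prefix, obj, _ = split_mixed_message(SAMBA_LINE)
    print(classify(SAMBA_LINE), '|', prefix)
    for key, value in flatten(obj).items():
        print(f'  {key} = {value}')
    print(text_signature_match(SAMBA_LINE, ['"authType": "krb5"', '"account": "Administrator"']))
```

Run stand-alone it prints the classification, the stripped text prefix, the flattened fields (for instance `Authorization.remoteAddress = ipv4:10.99.0.81:58828`) and whether the text-style match hit. The substring form is what a text signature sees: it works, but it is sensitive to key order and whitespace in the serialized JSON, which is why extracting the object first is the more robust route when a parsing stage is available.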

