Our Products:   CompleteFTP  edtFTPnet/Free  edtFTPnet/PRO  edtFTPj/Free  edtFTPj/PRO
0 votes
214 views
in General by (120 points)
Hi,

we are testing the complete ftp Server and want to Forward all Messages to our SIEM solution. The forwarding works well but i get (for example) the message

fex.aremp.at172.26.31.58domain\aduserDownloadFile/FileManager/jquery/ui-themes/smoothness/images/ui-icons_222222_256x240.png4369

to our siem solution.

My Problem is that i Need a delimiter in the message to grep whats happen. For example I would Need a syslog message in that way:

fex.aremp.at;172.26.31.58;domain\aduser;DownloadFile;/FileManager/jquery/ui-themes/smoothness/images/ui-icons_222222_256x240.png;4369

I havent found any config paramter which a can set. Is there any way to insert a delimiter into the message?

Br and thanks a lot!

Florian
by (154k points)
Can you post what appears in the server log file? I'm assuming the message appears in syslog and the server log.
by (120 points)
Hi,

sorry for the late anser.

You are Right, at the Audit log file there is a ab to seperate the entries.

For example:

08 Jan 2019 13:14:18 Default Site    172.26.51.12    domain.lcl\m.muster    DownloadFile    /FileManager/1/jquery/ui-themes/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png    180     

and the syslog Server cant handle tabs as seperator. Is there a easy way to use ; or | instead of the tabs?

Thanks in Advance!

Florian
by (154k points)
The separator can't be changed.
by (120 points)
Hi,

is there any possibility to open a feature request for it? I guess it would help a lot when the seperator is changed to a ;

SIEM Solutions can deal better with it as with a blank and also it would be easier to open in Excel.

Thanks!

Florian
by (45k points)
There is another way to get what you want.  You can turn off the built-in logging and add a JSS process trigger that does custom audit logging.

For example, to audit logins and logouts in the format you need, go to the Events panel, select the Process Triggers tab, click Add, enter something like 'Auditing' as the name, and then choose the 'Log in' and 'Log out' Events.  Now select 'JSS script' and enter the following two lines:

var log = EnterpriseDT.Util.Debug.Logger.GetLogger("Audit");
log.Audit(event.type + "|" + event.loginUserName);

and click Apply Changes.  It should start logging straight away, but you'll see tabs before and after the message your code logged.  To replace those with '|', you'll need to set the ConversionPattern in your LogConfig.xml file to use '|' instead of tabs, i.e.

<param name="ConversionPattern" value="%date{dd MMM yyyy HH:mm:ss}|%message|%newline"/>

I think you'll need to restart the service before the new ConversionPattern is picked up.  Also, the built-in audit logger resets the ConversionPattern, so if you accidentally enable it you'll need to restart the service so that your ConversionPattern is picked up again.

The Javascript code I included above is only really useful for logins and logouts, so you'll need to add code to include file-names if you want to log file operations, such as downloads and uploads.

Does that help you?

Please log in or register to answer this question.

Categories

...