Our Products:   CompleteFTP  edtFTPnet/Free  edtFTPnet/PRO  edtFTPj/Free  edtFTPj/PRO
0 votes
839 views
in General by (120 points)
Hi,

we are testing the complete ftp Server and want to Forward all Messages to our SIEM solution. The forwarding works well but i get (for example) the message

fex.aremp.at172.26.31.58domain\aduserDownloadFile/FileManager/jquery/ui-themes/smoothness/images/ui-icons_222222_256x240.png4369

to our siem solution.

My Problem is that i Need a delimiter in the message to grep whats happen. For example I would Need a syslog message in that way:

fex.aremp.at;172.26.31.58;domain\aduser;DownloadFile;/FileManager/jquery/ui-themes/smoothness/images/ui-icons_222222_256x240.png;4369

I havent found any config paramter which a can set. Is there any way to insert a delimiter into the message?

Br and thanks a lot!

Florian
by (156k points)
Hi Florian, which messages are these?
by (120 points)
Hi, thats a Default message i get over the syslog service from the CompleteFTP Server.
by (156k points)
You mean by redirecting CompleteFTP logging to syslog?
by (120 points)

Hi,

sorry, i guess i had written it not clearly, my false.

I had already integrated the logging to our siem/syslog solution and it works fine. My Problem is that i get the syslog message in our syslog Server in the Format fex.aremp.at172.26.31.58domain\aduserDownloadFile/FileManager/jquery/ui-themes/smoothness/images/ui-icons_222222_256x240.png4369

It is recevied without any delimiter in the message. I want to as if there is a way that i can Change the Format on the completeftp Server in a way that it is more readable.

Is there is a possibility to Change the syslog message above to a Format like

fex.aremp.at;172.26.31.58;domain\aduser;DownloadFile;/FileManager/jquery/ui-themes/smoothness/images/ui-icons_222222_256x240.png;4369

so i can use the ; as delimiter for the different Things in the syslog message (username, down/upload; file, Size).

Thanks a lot

Florian

by (156k points)
So are you modifying CompleteFTPService.exe.config to direct logging output to syslog?
by (156k points)
The ConversionPattern is what defines the format, so check there are no tabs in it - I think syslog may strip them out.
by (120 points)
Hi,
yes, i had already modified the CompleteFTPService.exe.config to send syslog Messages to our syslog Server.

There are a lot of conversation Patterns in the config file, maybe you can give me a hint whats the needed conversation pattern i have to Change.

Thanks a lot!

Florian
by (156k points)
Can you post what appears in the server log file? I'm assuming the message appears in syslog and the server log.
by (120 points)
Hi,

sorry for the late anser.

You are Right, at the Audit log file there is a ab to seperate the entries.

For example:

08 Jan 2019 13:14:18 Default Site    172.26.51.12    domain.lcl\m.muster    DownloadFile    /FileManager/1/jquery/ui-themes/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png    180     

and the syslog Server cant handle tabs as seperator. Is there a easy way to use ; or | instead of the tabs?

Thanks in Advance!

Florian
by (156k points)
The separator can't be changed.
by (120 points)
Hi,

is there any possibility to open a feature request for it? I guess it would help a lot when the seperator is changed to a ;

SIEM Solutions can deal better with it as with a blank and also it would be easier to open in Excel.

Thanks!

Florian
by (46.8k points)
There is another way to get what you want.  You can turn off the built-in logging and add a JSS process trigger that does custom audit logging.

For example, to audit logins and logouts in the format you need, go to the Events panel, select the Process Triggers tab, click Add, enter something like 'Auditing' as the name, and then choose the 'Log in' and 'Log out' Events.  Now select 'JSS script' and enter the following two lines:

var log = EnterpriseDT.Util.Debug.Logger.GetLogger("Audit");
log.Audit(event.type + "|" + event.loginUserName);

and click Apply Changes.  It should start logging straight away, but you'll see tabs before and after the message your code logged.  To replace those with '|', you'll need to set the ConversionPattern in your LogConfig.xml file to use '|' instead of tabs, i.e.

<param name="ConversionPattern" value="%date{dd MMM yyyy HH:mm:ss}|%message|%newline"/>

I think you'll need to restart the service before the new ConversionPattern is picked up.  Also, the built-in audit logger resets the ConversionPattern, so if you accidentally enable it you'll need to restart the service so that your ConversionPattern is picked up again.

The Javascript code I included above is only really useful for logins and logouts, so you'll need to add code to include file-names if you want to log file operations, such as downloads and uploads.

Does that help you?

Please log in or register to answer this question.

Categories

...