Hi,

I was doing some code development and collected a sample log file using
the "Copy RAW data to file" option available on the connector. I collected
the data, but when I try to replay it in debug mode I get the
"entire line" printed for "this.s_RXBufferString" rather than just the
buffer string entry. This is the same result whether I choose a file as
input or have the file as an event source attached to a file connector.

I know my collector logic is correct if the s_RXBufferString data is
exactly what is between the double quotes ("). I wonder if there is
anything in the pre-parser that I need to specify (I didn't have to in
the past)?


Below is a copy of my sample data:

{"s_AppId":"SF","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"23","i_RXBufferLength":"277","s_HostName":"WORKING-SFVDC","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"CBE38929-8BDE-1032-B503-0050568CA6C0","s_RV24":"E6D08DD8-87E9-1032-8744-0050568CA6C0","i_Type":"2","i_Second":"1","s_RV23":"2A3D9B90-82A8-1032-BF14-000C2984749D","s_RV22":"2A3D9B90-82A8-1032-BF13-000C2984749D","s_Version":"2011.1r3","s_RXBufferString":"Sep 25 23:25:01 SFVDC SF: [1:29881:1] \"MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection\" [Impact: Vulnerable] From \"192.168.99.35\" at Wed Sep 25 23:24:59 2013 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 192.168.35.15:37575->192.168.35.102:80","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"SF: [1:29881:1] \"MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection\" [Impact: Vulnerable] From \"192.168.99.35\" at Wed Sep 25 23:24:59 2013 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 192.168.35.15:37575->192.168.35.102:80","s_chainId":"1422889186853","i_milliseconds":"1411683901000","s_raw_message2":"<46>Sep 25 23:25:01 SFVDC SF: [1:29881:1] \"MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection\" [Impact: Vulnerable] From \"192.168.99.35\" at Wed Sep 25 23:24:59 2013 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 192.168.35.15:37575->192.168.35.102:80","s_MessageOriginatorPort":"56515","i_Minute":"25","s_Date":"Sep 25 23:25:01","i_TrustDeviceTime":"","i_DayOfMonth":"25","s_chainSequence":"0","s_sha256Hash":"9f4fe96ebf9eb13f9c815744792106aa60bec410ace1a44af8f2e5a4c68f28ec","s_SyslogRelayIp":"192.168.99.30","s_MessageOriginatorHost":"SFVDC","s_Pid":null,"i_Month":"8","i_syslog_facility":"5","i_syslog_severity":"6"}

{"s_AppId":"SF","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"23","i_RXBufferLength":"304","s_HostName":"WORKING-SFVDC","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"CBE38929-8BDE-1032-B525-0050568CA6C0","s_RV24":"E6D08DD8-87E9-1032-8744-0050568CA6C0","i_Type":"2","i_Second":"32","s_RV23":"2A3D9B90-82A8-1032-BF14-000C2984749D","s_RV22":"2A3D9B90-82A8-1032-BF13-000C2984749D","s_Version":"2011.1r3","s_RXBufferString":"Sep 25 23:25:32 SFVDC SF: [1:30280:2] \"SERVER-WEBAPP FreePBX config.php remote code execution attempt\" [Impact: Potentially Vulnerable] From \"192.168.99.35\" at Wed Sep 25 23:25:31 2013 UTC [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {tcp} 192.168.35.15:58079->192.168.35.100:80","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"SF: [1:30280:2] \"SERVER-WEBAPP FreePBX config.php remote code execution attempt\" [Impact: Potentially Vulnerable] From \"192.168.99.35\" at Wed Sep 25 23:25:31 2013 UTC [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {tcp} 192.168.35.15:58079->192.168.35.100:80","s_chainId":"1422889186853","i_milliseconds":"1411683932000","s_raw_message2":"<46>Sep 25 23:25:32 SFVDC SF: [1:30280:2] \"SERVER-WEBAPP FreePBX config.php remote code execution attempt\" [Impact: Potentially Vulnerable] From \"192.168.99.35\" at Wed Sep 25 23:25:31 2013 UTC [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {tcp} 192.168.35.15:58079->192.168.35.100:80","s_MessageOriginatorPort":"56515","i_Minute":"25","s_Date":"Sep 25 23:25:32","i_TrustDeviceTime":"","i_DayOfMonth":"25","s_chainSequence":"1","s_sha256Hash":"a6930abb256a061dce732bcc4e60e3f49bffe9c4a25301f725f4ea6cb96c1b00","s_SyslogRelayIp":"192.168.99.30","s_MessageOriginatorHost":"


Any help much appreciated.


Regards,
Pras


--
pimpalp
------------------------------------------------------------------------
pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=52761
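The post above describes a replay that hands the collector the whole JSON record instead of the message text. The snippet below is an added example (not Sentinel's collector or pre-parser code, and not from the original post) showing what a pre-parser step has to do with one line of a "Copy RAW data to file" dump: unwrap the "s_RXBufferString" value (decoding its \" escapes) and then split the Sourcefire "SF:" alert into fields. RAW_LINE is a shortened copy of the first record in the post; the function names are hypothetical.

```javascript
// Added example, not Sentinel's own collector or pre-parser code. A line of a
// "Copy RAW data to file" dump is one JSON object per event; the text the
// collector expects in this.s_RXBufferString is only the value under the
// "s_RXBufferString" key, with its \" escapes decoded, not the whole line.
// RAW_LINE is a shortened copy of the first record in the post.
const RAW_LINE =
  '{"s_AppId":"SF","i_syslog_priority":"46","s_HostName":"WORKING-SFVDC",' +
  '"s_RXBufferString":"Sep 25 23:25:01 SFVDC SF: [1:29881:1] \\"MALWARE-CNC ' +
  'Win.Trojan.Dexter CasinoLoader SQL injection\\" [Impact: Vulnerable] From ' +
  '\\"192.168.99.35\\" at Wed Sep 25 23:24:59 2013 UTC [Classification: A ' +
  'Network Trojan was Detected] [Priority: 1] {tcp} ' +
  '192.168.35.15:37575->192.168.35.102:80","s_SyslogRelayIp":"192.168.99.30"}';

// Unwrap one replayed line. If the replay hands over the whole JSON record
// (the symptom described in the post), pull out the buffer string; a line
// that is already a bare syslog message is passed through unchanged.
function extractBuffer(line) {
  const s = line.trim();
  if (!s.startsWith("{")) return s;
  let rec;
  try { rec = JSON.parse(s); } catch (e) { return s; } // not JSON after all
  return typeof rec.s_RXBufferString === "string" ? rec.s_RXBufferString : s;
}

// Split a Sourcefire "SF:" alert line into its fields. The layout matches the
// two sample events in the post; anything else returns null.
const SF_RE = new RegExp(
  '^(\\w{3}\\s+\\d{1,2} \\d\\d:\\d\\d:\\d\\d) (\\S+) SF: \\[(\\d+):(\\d+):(\\d+)\\] ' +
  '"([^"]*)" \\[Impact: ([^\\]]*)\\] From "([^"]*)" at (.+?) ' +
  '\\[Classification: ([^\\]]*)\\] \\[Priority: (\\d+)\\] \\{(\\w+)\\} ' +
  '(\\S+):(\\d+)->(\\S+):(\\d+)$'
);
function parseSourcefireAlert(msg) {
  const m = SF_RE.exec(msg);
  if (!m) return null;
  return {
    syslogTime: m[1], host: m[2],
    gid: Number(m[3]), sid: Number(m[4]), rev: Number(m[5]),
    message: m[6], impact: m[7], sensor: m[8], eventTime: m[9],
    classification: m[10], priority: Number(m[11]), proto: m[12],
    srcIp: m[13], srcPort: Number(m[14]), dstIp: m[15], dstPort: Number(m[16]),
  };
}
```

Running `parseSourcefireAlert(extractBuffer(RAW_LINE))` yields sid 29881 and destination 192.168.35.102:80, which is what the collector should see once the JSON wrapper is stripped.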