I have set up an rsyslog server to receive firewall logs from a Sophos XGS4300 over TLS.
The connection is working fine and I am receiving log files from the firewall.
BUT in a single (syslog) message (%msg%) I receive many different logs (up to around 20-30) concatenated. That makes processing the logs extremely hard (my goal is to forward the logs to a SIEM). The logs are separated by the delimiter #000<30>.
I have tried to implement some logic to separate the logs but without luck.
Does anyone have an idea how I can achieve the separation of my log files?
Or does anyone have an idea why I receive concatenated log files from the firewall? For me it does not make any sense that they are concatenated and there is no easy solution to separate them again with rsyslog.
Please Help 🙂
rsyslog config file:
# debug output (legacy directives)
$DebugFile /var/log/rsyslog.debug
$DebugLevel 2

module(load="mmnormalize")

# TLS material used by the gtls netstream driver
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca/sophos-default.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/keys/bundle.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/keys/server-key.pem"
)

# load TCP listener
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"                   # 1 = TLS only, plain TCP refused
    StreamDriver.Authmode="x509/certvalid"  # any peer cert signed by the CA above is accepted
)

# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)

# write everything that arrived via imtcp to one file
if ($inputname == "imtcp") then /var/log/rsyslog/sophos.log
example %msg%:
2024-09-25T10:46:29.312241+00:00 10-1-212-232.ingress-3.ingress.svc.cluster.local 0>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”112″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” ether_type=”IPv4 (0x0800)” in_interface=”Port1″ out_interface=”Port2″ src_mac=”XXXXXX” src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”ICMP” icmp_type=8 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” in_display_interface=”Internal” out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”112″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” ether_type=”IPv4 (0x0800)” in_interface=”Port1″ out_interface=”Port2″ src_mac=”XXXXXX” src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”ICMP” icmp_type=8 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” in_display_interface=”Internal” out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”112″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” ether_type=”IPv4 (0x0800)” in_interface=”Port1″ out_interface=”Port2″ src_mac=”XXXXXX” src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” 
protocol=”ICMP” icmp_type=8 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” in_display_interface=”Internal” out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”91″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”28″ nat_rule_name=”XXXXXX” fw_rule_type=”USER” web_policy_id=2 ether_type=”IPv4 (0x0800)” out_interface=”Port2″ src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”TCP” src_port=57506 dst_port=443 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”112″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” ether_type=”IPv4 (0x0800)” in_interface=”Port1″ out_interface=”Port2″ src_mac=”XXXXXX” src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”ICMP” icmp_type=8 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” in_display_interface=”Internal” out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”112″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” user_name=”XXXXXX” user_group=”XXXXXX” ether_type=”IPv4 
(0x0800)” in_interface=”XXXXXX” out_interface=”Port2″ src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”ICMP” icmp_type=8 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” in_display_interface=”XXXXXX” out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”91″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” web_policy_id=2 ether_type=”IPv4 (0x0800)” out_interface=”Port1″ src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”TCP” src_port=60124 dst_port=7074 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” out_display_interface=”Internal” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”112″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” user_name=”XXXXXX” user_group=”XXXXXX” ether_type=”IPv4 (0x0800)” in_interface=”tun4″ out_interface=”Port2″ src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”ICMP” icmp_type=8 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” in_display_interface=”tun4″ out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”91″ fw_rule_name=”XXXXXX” 
fw_rule_section=”Local rule” nat_rule_id=”28″ nat_rule_name=”XXXXXX” fw_rule_type=”USER” web_policy_id=2 ether_type=”IPv4 (0x0800)” out_interface=”Port1″ src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”TCP” src_port=60090 dst_port=7074 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” out_display_interface=”Internal” log_occurrence=”1″#000<30>device_name=”SFW” timestamp=”2024-09-25T12:46:29+0200″ device_model=”XGS4300″ device_serial_id=”XXXXXX” log_id=”010102600002″ log_type=”Firewall” log_component=”Firewall Rule” log_subtype=”Denied” log_version=1 severity=”Information” fw_rule_id=”112″ fw_rule_name=”XXXXXX” fw_rule_section=”Local rule” nat_rule_id=”0″ fw_rule_type=”USER” ether_type=”IPv4 (0x0800)” in_interface=”Port1″ out_interface=”Port2″ src_mac=”XXXXXX” src_ip=”XXXXXX” src_country=”XXXXXX” dst_ip=”XXXXXX” dst_country=”XXXXXX” protocol=”ICMP” icmp_type=8 hb_status=”No Heartbeat” app_resolved_by=”Signature” app_is_cloud=”FALSE” qualifier=”New” in_display_interface=”Internal” out_display_interface=”XXXXXX” log_occurrence=”1″#000<30>….
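For anyone who needs to split such a %msg% before handing it to a SIEM, here is an added example (not part of the original post and not rsyslog's own code) that splits on the "#000<NN>" delimiter, restores each record's PRI and parses the Sophos key=value fields. "#000" is the form in which rsyslog renders an escaped NUL byte ('#' followed by the 3-digit octal value of a control character), and "<30>" is the syslog PRI of the next record; the sample input is constructed, uses ASCII quotes rather than the typographic quotes the forum rendering shows, and the stripping of a leftover "0>" at the start of the first record is an assumption.

```python
import re

# "#000" = rsyslog's escaped NUL byte, "<NN>" = PRI of the record that follows it.
# The regex accepts any PRI value, not only the <30> seen in the post.
DELIM_RE = re.compile(r"#000<(\d{1,3})>")
# Sophos key=value pairs: the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed: the first record may begin with the remnant of an already-parsed
# PRI (e.g. "0>"), which is dropped.
LEADING_REMNANT_RE = re.compile(r"^\d*>")

# Constructed sample of a concatenated %msg% (fields shortened).
SAMPLE_MSG = (
    '0>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" log_type="Firewall" '
    'log_subtype="Denied" fw_rule_id="112" ether_type="IPv4 (0x0800)" protocol="ICMP" '
    'icmp_type=8 log_occurrence="1"'
    '#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" log_type="Firewall" '
    'log_subtype="Denied" fw_rule_id="91" protocol="TCP" src_port=57506 dst_port=443 '
    'log_occurrence="1"'
    '#000<30>'  # trailing delimiter with nothing after it, as in the post
)


def split_records(msg, default_pri=30):
    """Split one concatenated %msg% into a list of (pri, record_text) tuples."""
    chunks, pri, pos = [], default_pri, 0
    for m in DELIM_RE.finditer(msg):
        chunks.append((pri, msg[pos:m.start()]))
        pri, pos = int(m.group(1)), m.end()
    chunks.append((pri, msg[pos:]))  # text after the last delimiter (may be empty)
    records = []
    for i, (p, text) in enumerate(chunks):
        text = text.strip()
        if i == 0:
            text = LEADING_REMNANT_RE.sub("", text, count=1)
        if KV_RE.search(text):  # skip empty or non-record fragments
            records.append((p, text))
    return records


def parse_record(text):
    """Parse one record's key=value pairs into a dict; values stay strings."""
    fields = {}
    for m in KV_RE.finditer(text):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def to_syslog_lines(msg, default_pri=30):
    """One record per line with its PRI restored, ready to forward individually."""
    return [f"<{pri}>{text}" for pri, text in split_records(msg, default_pri)]


if __name__ == "__main__":
    for line in to_syslog_lines(SAMPLE_MSG):
        print(line)
```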
Matthias Bitsch is a new contributor to this site. Take care in asking for clarification, commenting, and answering.