Dear James,

If I understand you correctly, you want the raw EventLog XML data to be copied into the property %syslogstructdata%? With the default EventLog Monitor configuration, the raw XML data is not available through any property. It is parsed and most data is put into properties like %eventid%, %eventchannel% and so on. If you want to have access to the raw EventLog XML data, you will need to switch the MessageFormat to "Raw XML Format". Now you have the raw XML data in the %msg% property.

You can then either copy the %msg% property over to %syslogstructdata% using the SetProperty action, or you use a custom syslog header and replace %syslogstructdata% with %msg%. Both should work. However, if you need the raw XML data and the resolved EventLog message, I am afraid this is not possible yet, as we do not store the raw EventLog data in a property unless you are using "Raw XML Format". But if this is necessary for you, we can add optional support for adding the raw XML data into a specific property.

If you need further assistance, you can also contact us at supp...@adiscon.com; please provide an export of your configuration if possible. We can help you get the configuration running.

Best regards,
Andre Lorbach

--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards
Register court Mannheim, HRB 560610
VAT ID no.: DE 81 22 04 622
Web: www.adiscon.com - Mail: i...@adiscon.com
Information regarding your data privacy policy can be found here: https://www.adiscon.com/data-privacy-policy/

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient or have received this e-mail in error please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

> -----Original Message-----
> From: rsyslog <rsyslog-boun...@lists.adiscon.com> On behalf of James Ward-Smith via rsyslog
> Sent: Wednesday, 5 May 2021 03:30
> To: David Lang <da...@lang.hm>
> Cc: James Ward-Smith <james.wardsm...@hotmail.com>; James Ward-Smith via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Structured Data in Windows Event
>
> Hi David,
>
> How do you apply a template to the Windows rsyslog client?
>
> I can try attaching screenshots here that might help. A good example is to see how I have assigned syslogprocid to %processid%. This seems to work and it pulls out the Windows process id. Just struggling on the structured data section.
> Anyway, here are some more screenshots, and let me know about how to apply a debug template.
>
> Kind regards,
>
> James
>
> Sent from my iPhone
>
> On 5 May 2021, at 11:03 am, David Lang <da...@lang.hm> wrote:
>
> could you write the log message on the windows machine with the template RSYSLOG_DebugFormat so that we can see what all the variables are and their contents?
>
> you can't set the default properties, you would need to set a variable like $!structured_data and use that in the template.
>
> but it's possible that something is different in the windows build.
>
> David Lang
>
> On Wed, 5 May 2021, James Ward-Smith wrote:
>
> Date: Wed, 5 May 2021 00:50:18 +0000
> From: James Ward-Smith <james.wardsm...@hotmail.com>
> To: David Lang <da...@lang.hm>
> Cc: James Ward-Smith via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Structured Data in Windows Event
>
> Hi David,
>
> This is what I have currently:
>
> But I have tried setting it as:
> %rawevent%
> %raw_event%
> %xml%
> %rawxml%
> %event%
> %structureddata%
> %structured-data%
>
> Kind regards,
>
> James
> Sent from my iPhone
>
> On 5 May 2021, at 10:47 am, David Lang <da...@lang.hm> wrote:
>
> what is the config that sets the structured data?
>
> David Lang
>
> On Wed, 5 May 2021, James Ward-Smith wrote:
>
> Date: Wed, 5 May 2021 00:18:42 +0000
> From: James Ward-Smith <james.wardsm...@hotmail.com>
> To: David Lang <da...@lang.hm>
> Cc: James Ward-Smith via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Structured Data in Windows Event
>
> Hi,
>
> We have got rsyslog windows agent 7.0 installed, and are trying to send windows event logs, e.g. successful log offs, to a Linux machine in a particular format.
>
> I have attached images of the custom syslog header we are using, and images of the resulting syslog that seems to completely ignore the structured data section.
>
> Kind regards,
>
> James
>
> Sent from my iPhone
>
> On 5 May 2021, at 10:16 am, James Ward-Smith <james.wardsm...@hotmail.com> wrote:
>
> On 5 May 2021, at 10:02 am, David Lang <da...@lang.hm> wrote:
>
> what software are you using to send the windows event data?
>
> can you show us an example of a log that's not working? (what the rawmsg looks like)
>
> David Lang
>
> On Tue, 4 May 2021, James Ward-Smith via rsyslog wrote:
>
> Hi,
>
> We are using a custom syslog header to parse Windows Events into syslog format, but it does not seem to be picking up the structured data.
>
> In our custom syslog header, we have referenced %syslogstructdata% and we are trying to set a property so that syslogstructdata is equal to the structured XML of the windows event. We are unable to get this to come through and can only get it if we use logpoint SIEM JSON format.
>
> Kind regards,
>
> James
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
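To make the data-shaping step in this thread concrete, here is an added Python example; it is not code from rsyslog or from the Adiscon Windows agent. It takes the raw Windows event XML that the agent places in %msg% under "Raw XML Format" (as described above) and builds a valid RFC 5424 STRUCTURED-DATA element from it in the two ways the thread discusses: one SD-PARAM per event field, or the whole XML copied into a single escaped raw="..." parameter, which is what copying %msg% into %syslogstructdata% amounts to. The point a receiver-side practitioner cares about is shown by the last helper: the raw XML contains double quotes, so pasting it into the SD field unescaped yields a header that an RFC 5424 parser rejects or misreads, whereas the escaped form round-trips. The sample event (a trimmed Event ID 4634 logoff), its field values, and the SD-ID win@32473 (RFC 5424's example enterprise number, used here as a placeholder) are constructed for this example; the XML namespace is the real Windows event schema.

```python
"""Turn a Windows event, delivered as raw XML in %msg% under the Windows
agent's "Raw XML Format", into RFC 5424 STRUCTURED-DATA.

Added example: not code from rsyslog or the Adiscon Windows agent. The
SD-ID "win@32473" borrows the example enterprise number from RFC 5424 as a
placeholder (assumption); the sample event below is constructed.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SD_ID = "win@32473"  # placeholder (assumption), not a registered PEN

# Constructed sample: a trimmed Security-log logoff event (Event ID 4634)
# in the XML shape the event log exposes. All values are made up.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4634</EventID>
    <Channel>Security</Channel>
    <Computer>WS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">j.smith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="TargetLogonId">0x3e7</Data>
  </EventData>
</Event>"""


def escape_sd_value(value: str) -> str:
    """RFC 5424 section 6.3.3: '\\', '"' and ']' must be backslash-escaped
    inside a PARAM-VALUE; unescaped, they end the element early and the
    receiver misreads the rest of the header."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def sd_param_name(name: str) -> str:
    """SD-NAME: 1..32 printable US-ASCII chars, excluding '=', space, ']', '"'."""
    cleaned = re.sub(r'[^\x21-\x7e]|[=\]"]', "_", name)
    return cleaned[:32] or "_"


def windows_xml_to_fields(xml_text: str) -> dict:
    """Extract the System and EventData fields from a Windows event XML document."""
    root = ET.fromstring(xml_text)
    fields = {}
    system = root.find(EVT_NS + "System")
    if system is not None:
        provider = system.find(EVT_NS + "Provider")
        if provider is not None and provider.get("Name"):
            fields["Provider"] = provider.get("Name")
        for tag in ("EventID", "Channel", "Computer"):
            el = system.find(EVT_NS + tag)
            if el is not None and el.text:
                fields[tag] = el.text.strip()
    for data in root.iter(EVT_NS + "Data"):  # <Data Name="...">value</Data>
        if data.get("Name"):
            fields[data.get("Name")] = (data.text or "").strip()
    return fields


def fields_to_sd_element(fields: dict, sd_id: str = SD_ID) -> str:
    """One SD-ELEMENT with a PARAM per event field; NILVALUE '-' if empty."""
    params = " ".join(
        f'{sd_param_name(k)}="{escape_sd_value(v)}"' for k, v in fields.items()
    )
    return f"[{sd_id} {params}]" if params else "-"


def raw_xml_to_sd_element(xml_text: str, sd_id: str = SD_ID) -> str:
    """The 'copy %msg% into %syslogstructdata%' approach done safely: the whole
    XML becomes one PARAM-VALUE. Whitespace is collapsed because many syslog
    transports delimit messages on LF, so an embedded newline would split it."""
    flat = " ".join(xml_text.split())
    return f'[{sd_id} raw="{escape_sd_value(flat)}"]'


def parse_sd_element(sd: str) -> dict:
    """Minimal receiver-side parser for a single SD-ELEMENT; undoes the escaping."""
    m = re.fullmatch(r'\[(\S+)((?:\s+[^=\s\]"]+="(?:[^"\\]|\\.)*")*)\]', sd)
    if not m:
        raise ValueError("not a well-formed SD-ELEMENT: " + sd[:40])
    return {
        name: re.sub(r"\\(.)", r"\1", raw)
        for name, raw in re.findall(r'([^=\s\]"]+)="((?:[^"\\]|\\.)*)"', m.group(2))
    }


def sd_element_is_valid(sd: str) -> bool:
    """True if the receiver-side parser accepts the element."""
    try:
        parse_sd_element(sd)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fields = windows_xml_to_fields(SAMPLE_XML)
    print(fields_to_sd_element(fields))
    print(raw_xml_to_sd_element(SAMPLE_XML))
```

Whichever of the two shapes is used, the escaping step is the part that cannot be skipped: the agent-side copy of %msg% into %syslogstructdata% produces an element the Linux side can parse only if quotes, backslashes and closing brackets in the XML are escaped first, and the per-field form is the one that lets a receiving rsyslog template pick individual values out of the structured data.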