Forward Ultra VNC user auth log with nxlog
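# This is not a full nxlog.conf
# This is just the code to process the Ultra VNC log file
#
# Reads the UltraVNC MS-Logon authentication log, normalises every line into
# syslog fields and hands it to to_syslog_bsd(). The xm_syslog extension that
# provides to_syslog_bsd() must be loaded elsewhere in the configuration.
<Input in_file_UVNC_Log>
    Module          im_file
    File            'C:\Program Files\uvnc bvba\UltraVNC\mslogon.log'
    # Remember the read offset across restarts and start at the end of the
    # file on first run, so a restart does not replay the whole history.
    SavePos         TRUE
    ReadFromLast    TRUE
    PollInterval    60

    # Drop empty messages
    Exec    if $raw_event == '' drop();

    # Drop 'Connection received from <ip>' messages, they are instantly
    # followed by more meaningful ones.
    # NOTE(review): this discards the client address unless the following
    # line repeats it -- confirm against a real mslogon.log before relying on
    # the forwarded events for source-IP based alerting.
    Exec    if $raw_event =~ /Connection received from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ drop();

    # Fields that are identical for every event, parsed or not. Setting them
    # once here removes the duplicated assignments from both branches below;
    # Exec directives in a module run in the order they are written, and a
    # drop() above ends processing before this point is reached.
    Exec    $Hostname = hostname(); \
            $MessageSourceAddress = hostname(); \
            $Severity = 'Notice'; \
            $SyslogFacilityValue = 4; \
            $SourceName = 'Ultra VNC';

    # Parse the log with regex: "<d>/<d>/<yyyy> <h>:<mm>[:<ss>] <message>".
    # The seconds group is optional. The original pattern used ":*\d*" here,
    # which accepted any run of colons and digits and could swallow part of
    # the message on a malformed line.
    # NOTE(review): $3-$2-$1 assumes the log writes D/M/YYYY; if the host
    # locale produces M/D/YYYY the day and month are swapped -- confirm.
    # Lines that do not match are forwarded verbatim, stamped with the time
    # they were read, so nothing is silently lost.
    Exec    if $raw_event =~ /^(\d{1,2})\/(\d{1,2})\/(\d{4}) (\d{1,2}:\d{2}(?::\d{2})?)\s+([\S ]+)/ \
            { \
                $EventTime = parsedate($3 + '-' + $2 + '-' + $1 + ' ' + $4); \
                $Message = $5; \
            } \
            else \
            { \
                $EventTime = now(); \
                $Message = $raw_event; \
            } \
            to_syslog_bsd();
</Input>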