Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
480
Views
0
Helpful
1
Replies

MARS loses data from windows event (via snare)

randytoni
Level 1
Level 1

‎12-01-2008 01:28 PM

Snare agent on win2k3 box is sending syslog for an error 1000 (semaphore) - confirmed this is what WIndows is logging and Snare is capturing.

Event ID 1000

Description:

Faulting application w3wp.exe, version 6.0.3790.3959, faulting module unknown, version 0.0.0.0, fault address 0x01dd5c80.

When the event is parsed on MARS (4.3.6) the descriptive text from the event is lost (instead I get the binary values from the data field) - e.g.

0000: 41 70 70 6c 69 63 61 74

0008: 69 6f 6e 20 46 61 69 6c

0010: 75 72 65 20 20 77 33 77

0018: 70 2e 65 78 65 20 36 2e

0020: 30 2e 33 37 39 30 2e 33

0028: 39 35 39 20 69 6e 20 75

0030: 6e 6b 6e 6f 77 6e 20 30

0038: 2e 30 2e 30 2e 30 20 61

0040: 74 20 6f 66 66 73 65 74

0048: 20 30 31 64 64 35 63 38

0050: 30

This seems to be specific to this event - others are parsed properly on the MARS box (aside from some being truncated, which is another issue)

Anyone seen this? Any help appreciated...

Labels:
0 Helpful
1 Reply 1

randytoni
Level 1
Level 1

‎12-01-2008 02:05 PM

sorry - further investigation - many syslogs are parsed into oblbivion - doesn't seem to be a pattern - just get a lot of garbage in an assortment of the logs by the time they're displayed on MARS

is there something in the way other windows apps write to the event log that messes up the MARS parser(s)...? Seems to be fine for the "standard" O/S events but things like the semaphore event + many others seem to be getting butchered

am i missing something here?

thanks

-randy

0 Helpful
Customers Also Viewed These Support Documents