Cisco Support Community
windows event data format

The Snare agent is pushing event logs to MARS. Certain events (e.g. generic application events) show up with the log data in binary format. In the Windows Event Viewer the data is also displayed as text, so the details of the event are clear (e.g. "application failure w3wp.exe...." or similar). On MARS we see this:

0000: 41 70 70 6c 69 63 61 74
0008: 69 6f 6e 20 46 61 69 6c
0010: 75 72 65 20 20 77 33 77
0018: 70 2e 65 78 65 20 36 2e
0020: 30 2e 33 37 39 30 2e 33
0028: 39 35 39 20 69 6e 20 75
0030: 6e 6b 6e 6f 77 6e 20 30
0038: 2e 30 2e 30 2e 30 20 61
0040: 74 20 6f 66 66 73 .... etc.

Is there something we can do to convert this to text as part of the event parsing / processing function? Or am I dreaming....?

Some of the Wintel admins would like to leverage MARS for specific alerts, but if the event description is lost in the syslog process then they're probably going to look for another tool for the job. I would like to help them if I can.

thanks

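The thread received no reply. As an added example (not code from the post, from Snare or from MARS), the following Python script does the conversion the poster asks about: it parses the "OFFSET: xx xx ..." dump, whether laid out one group per line as in Event Viewer or run together on one line as in the syslog text MARS shows, reassembles the bytes in offset order, refuses non-contiguous input, and renders the result as text. The sample dump is the one quoted in the post. The UTF-16LE check goes beyond the post's ASCII sample and is an assumption: Windows event data is often a wide string, and without that check a collector would print it as "A.p.p.l.i.c...". Replacing non-printable bytes with "." copies Event Viewer's side-column convention.

```python
import re
from typing import List, Tuple

# Constructed sample: the hex dump quoted in the post, in the run-together
# single-line form that MARS displays. The post truncates it with "....", so
# the bytes here stop where the post stops.
SAMPLE_DUMP = (
    "0000: 41 70 70 6c 69 63 61 74 0008: 69 6f 6e 20 46 61 69 6c "
    "0010: 75 72 65 20 20 77 33 77 0018: 70 2e 65 78 65 20 36 2e "
    "0020: 30 2e 33 37 39 30 2e 33 0028: 39 35 39 20 69 6e 20 75 "
    "0030: 6e 6b 6e 6f 77 6e 20 30 0038: 2e 30 2e 30 2e 30 20 61 "
    "0040: 74 20 6f 66 66 73"
)

# Constructed sample: the same format as Event Viewer lays it out, one offset
# group per line (shorter rows are fine; only the declared offsets matter).
MULTILINE_DUMP = "0000: 41 70 70 6c\n0004: 69 63 61 74\n"

# One offset group: a hex offset, a colon, then whole hex byte pairs. The \b
# after each pair makes the group stop at the next offset ("... 61 74 0008:")
# instead of swallowing "00" out of "0008". Limitation (assumption about the
# input): an ASCII side column whose letters happen to form hex pairs, such as
# "ab cd", would be taken for bytes; Event Viewer's actual column is not
# present in the syslog text the post shows.
_GROUP_RE = re.compile(r"\b([0-9A-Fa-f]{4,8}):((?:\s+[0-9A-Fa-f]{2}\b)+)")


def parse_hex_dump(text: str) -> bytes:
    """Reassemble the raw bytes of an 'OFFSET: xx xx ...' dump."""
    groups: List[Tuple[int, bytes]] = []
    for m in _GROUP_RE.finditer(text):
        offset = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        groups.append((offset, data))
    if not groups:
        raise ValueError("no 'OFFSET: xx xx ...' groups found")
    # Order by declared offset and insist on contiguity, so a row that was
    # dropped or reordered in transit is reported instead of silently
    # producing shifted text.
    groups.sort(key=lambda g: g[0])
    out = bytearray()
    for offset, data in groups:
        if offset != len(out):
            raise ValueError(
                f"non-contiguous dump: expected offset {len(out):04x}, "
                f"found {offset:04x}"
            )
        out += data
    return bytes(out)


def _looks_like_utf16le(raw: bytes) -> bool:
    # Heuristic (assumption): even length, the high byte of every 16-bit unit
    # is NUL and at least one low byte is not. Plain ASCII never matches.
    if len(raw) < 2 or len(raw) % 2:
        return False
    return all(b == 0 for b in raw[1::2]) and any(b != 0 for b in raw[0::2])


def decode_event_data(raw: bytes) -> str:
    """Render event data bytes as text a person can read in an alert."""
    if _looks_like_utf16le(raw):
        return raw.decode("utf-16-le").rstrip("\x00")
    text = raw.decode("latin-1")  # total: every byte maps to one character
    # Event Viewer's side-column convention: non-printable bytes become '.'
    return "".join(ch if ch.isprintable() else "." for ch in text)


def event_data_to_text(dump: str) -> str:
    """Parse a dump as received over syslog and return the decoded text."""
    return decode_event_data(parse_hex_dump(dump))


if __name__ == "__main__":
    print(event_data_to_text(SAMPLE_DUMP))
    print(event_data_to_text(MULTILINE_DUMP))
```

Run against the post's sample this prints "Application Failure  w3wp.exe 6.0.3790.3959 in unknown 0.0.0.0 at offs", which is the description the Wintel admins see in Event Viewer (the two spaces after "Failure" are in the original bytes). Where the conversion should live is a separate question: doing it in the collector before the event reaches MARS keeps the decoded text available for MARS's own keyword matching, whereas decoding only at display time does not.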