All,
I am trying to parse data that is received with Kiwi Syslog and then forward that parsed data to another syslog server that is viewed by other technicians. The issue I am having is that the server that sends the data is sending too much information that is not needed to the destination syslog server. I see that Kiwi Syslog does have the ability to do some parsing via VBScript. I was hoping someone could post a script that I could try that would parse the following data.
02-08-2019 14:25:19 User.Warning 172.16.0.145 Feb 8 20:25:19 Server1.penfield.edu ERAServer[743]: {"event_type":"Threat_Event","ipv4":"172.17.21.137","hostname":"Computer1.microsoft.com","source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db","occured":"08-Feb-2019 19:16:43","severity":"Warning","threat_type":"potentially unwanted application","threat_name":"JS/Spigot.B","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"18843 (20190208)","object_type":"file","object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js","action_taken":"cleaned by deleting","threat_handled":true,"need_restart":false,"circumstances":"Event occurred on a newly created file.","firstseen":"08-Feb-2019 19:16:43","hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}
The only data I need to pass to the other syslog server from Kiwi server is the following data,
"hostname":"Computer1.microsoft.com"
"threat_name":"JS/Spigot.B"
"object_uri":"file:///C:/Users/Jdoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js"
"scanner_id":"Real-time file system protection"
The parts marked in red do change. Is this possible?
Thanks,
Mike
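As an added illustration of the reduction asked for above (not code from the post, and not Kiwi Syslog's own VBScript API, which would have to be ported to), the logic in Python: locate the JSON object that ERAServer appends after its `program[pid]:` header, parse it, keep only the four keys Mike listed, and emit a compact key="value" message for the downstream syslog server. The sample line is the one quoted in the post; the `KEEP_FIELDS` list, the `HEADER_RE` pattern and the output format are assumptions. Lines with no JSON payload, with unparseable JSON, or with none of the wanted keys are dropped (`None`) rather than forwarded verbatim, which is the failure mode that otherwise leaks the full event to the other technicians.

```python
import json
import re

# Sample line copied from the post: Kiwi's own date/priority/peer prefix,
# then the original syslog header and the ERAServer JSON payload.
SAMPLE_LINE = (
    '02-08-2019 14:25:19 User.Warning 172.16.0.145 Feb 8 20:25:19 '
    'Server1.penfield.edu ERAServer[743]: '
    '{"event_type":"Threat_Event","ipv4":"172.17.21.137",'
    '"hostname":"Computer1.microsoft.com",'
    '"source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db",'
    '"occured":"08-Feb-2019 19:16:43","severity":"Warning",'
    '"threat_type":"potentially unwanted application",'
    '"threat_name":"JS/Spigot.B",'
    '"scanner_id":"Real-time file system protection",'
    '"scan_id":"virlog.dat","engine_version":"18843 (20190208)",'
    '"object_type":"file",'
    '"object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/'
    'scoped_dir6204_15059/CRX_INSTALL/background.js",'
    '"action_taken":"cleaned by deleting","threat_handled":true,'
    '"need_restart":false,'
    '"circumstances":"Event occurred on a newly created file.",'
    '"firstseen":"08-Feb-2019 19:16:43",'
    '"hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}'
)

# Assumption: these four keys, in this order, are all that gets forwarded.
KEEP_FIELDS = ("hostname", "threat_name", "object_uri", "scanner_id")

# Assumed header shape "ERAServer[743]: {...}": program name, pid, JSON body.
HEADER_RE = re.compile(
    r'(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s*(?P<body>\{.*\})\s*$'
)


def parse_line(line):
    """Return (program, payload dict). payload is None when the message
    carries no parseable JSON object, so the caller can drop the line."""
    m = HEADER_RE.search(line)
    if not m:
        return None, None
    try:
        payload = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return m.group("prog"), None
    if not isinstance(payload, dict):
        return m.group("prog"), None
    return m.group("prog"), payload


def select_fields(payload, keep=KEEP_FIELDS):
    """Keep only the wanted keys. Missing keys are omitted rather than
    raising, so an event with a slightly different shape still forwards
    whatever it does contain."""
    return {k: payload[k] for k in keep if k in payload}


def build_forward_message(line, keep=KEEP_FIELDS):
    """Return the reduced message to forward, or None if the line should
    be dropped (no JSON payload, or none of the wanted keys present)."""
    prog, payload = parse_line(line)
    if payload is None:
        return None
    wanted = select_fields(payload, keep)
    if not wanted:
        return None
    # json.dumps quotes and escapes each value, so a scanner_id with spaces
    # or a path with odd characters stays unambiguous on the receiving side.
    parts = [f"{k}={json.dumps(str(v), ensure_ascii=False)}"
             for k, v in wanted.items()]
    return f"{prog}: " + " ".join(parts)


if __name__ == "__main__":
    print(build_forward_message(SAMPLE_LINE))
```

Run as-is it prints a single line of the form `ERAServer: hostname="Computer1.microsoft.com" threat_name="JS/Spigot.B" object_uri="file:///..." scanner_id="Real-time file system protection"`; the same three steps (find the `{...}` body, decode it, pick the keys) are what a Kiwi VBScript would have to do, with VBScript's regex object standing in for `json.loads`.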