-
Hi,
Yes sure! I see events from Windows or Linux clients. But for the Windows ones the encoding is different natively (Windows-1252) and my log watcher is using the ASCII code.
Readers like 'gedit' or 'kate' read it well because they support the Windows encoding format. 'tail' unfortunately not...
So, I get '?' in the place of 'é', 'è', 'ê', 'ç', ...
And that's a problem when you are...
2009-04-26 14:39:54 UTC in SNARE - Auditing and EventLog Management
-
Hello,
I'm using Snare on a Windows XP and sending EventLogs to a Linux server (Ubuntu).
EventLogs of Microsoft are encoded in Windows-1252. So Snare sends it in this charset format.
My problem is that I'm using a log watcher named 'Swatch'. And the latter uses the Linux command 'tail' to parse log files.
Unfortunately 'tail' doesn't support the Windows-1252 format. It reads ISO-8859.
I...
2009-04-21 10:13:55 UTC in SNARE - Auditing and EventLog Management
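The '?' symptom described in the two posts above comes from decoding Windows-1252 bytes with the wrong codec. The following added example (not from the thread or from Snare/Swatch) shows, on a constructed French event message, how the same bytes come out under ASCII, ISO-8859-1 and Windows-1252, and how to re-encode the feed as UTF-8 before a byte-oriented tool reads it. The sample text is constructed; the codec names are Python's standard ones.

```python
# Constructed sample: a French-looking event message as Windows-1252 bytes.
# The curly apostrophe (U+2019) sits at byte 0x92 in Windows-1252, a range
# that ISO-8859-1 treats as C1 control characters and ASCII cannot decode.
SAMPLE_TEXT = "échec d\u2019authentification pour l\u2019utilisateur bob, accès refusé"
SAMPLE_CP1252 = SAMPLE_TEXT.encode("cp1252")


def decode_as(raw: bytes, encoding: str) -> str:
    """Decode raw log bytes with the given codec.

    Bytes the codec cannot represent are replaced by '?', which is what the
    poster sees when an ASCII-only reader meets accented characters.
    """
    return raw.decode(encoding, errors="replace").replace("\ufffd", "?")


def to_utf8(raw: bytes, source_encoding: str = "cp1252") -> bytes:
    """Re-encode Windows-1252 event bytes as UTF-8 so downstream tools that
    only understand ASCII/UTF-8 see the accented characters intact.

    Strict decoding is deliberate: a byte that is not valid in the declared
    source encoding should fail loudly rather than be silently mangled.
    """
    return raw.decode(source_encoding).encode("utf-8")


def which_bytes_differ(raw: bytes) -> list:
    """Return the offsets of bytes that ISO-8859-1 and Windows-1252 decode
    differently (the 0x80-0x9F range), to show why 'reads ISO-8859' is not
    enough for Windows event text."""
    latin1 = raw.decode("latin-1")
    cp1252 = raw.decode("cp1252")
    return [i for i, (a, b) in enumerate(zip(latin1, cp1252)) if a != b]


if __name__ == "__main__":
    for codec in ("ascii", "latin-1", "cp1252"):
        print(f"{codec:>8}: {decode_as(SAMPLE_CP1252, codec)!r}")
    print("utf-8 bytes:", to_utf8(SAMPLE_CP1252))
    print("latin-1/cp1252 mismatch at offsets:", which_bytes_differ(SAMPLE_CP1252))
```

On the shell side the equivalent conversion step is `iconv -f WINDOWS-1252 -t UTF-8` placed in the pipeline before the file is tailed; the point of the example is that the codec has to be chosen explicitly, since bytes 0x80-0x9F mean different things in ISO-8859-1 and Windows-1252 and nothing in the raw stream says which one was used.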
-
Problem solved!
My configuration looks now like this:
watchfor /authentication failure/
threshold type=both,count=4,seconds=120
echo red
... and it works well.
Have a nice week !
2009-04-06 12:36:50 UTC in Swatch
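To make the count/seconds idea in the working configuration above concrete, here is an added example (my own code, not part of the thread and not Swatch itself) that applies the same rule, four 'authentication failure' matches within 120 seconds, to a few constructed syslog-style lines. The windowing logic is a simplified reading of a count-within-seconds threshold: it alerts on the Nth match inside the window and then resets, so one burst yields one alert. Swatch's own handling of `type=limit|threshold|both` may differ in detail; the log lines and timestamp layout are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the thread); timestamp first.
SAMPLE_LOG = """\
2009-04-06 12:30:01 host sshd[1]: authentication failure for user bob
2009-04-06 12:30:20 host sshd[1]: authentication failure for user bob
2009-04-06 12:30:45 host sshd[1]: accepted password for user alice
2009-04-06 12:31:10 host sshd[1]: authentication failure for user bob
2009-04-06 12:31:40 host sshd[1]: authentication failure for user bob
2009-04-06 12:40:00 host sshd[1]: authentication failure for user bob
""".splitlines()

# Same pattern as the poster's watchfor line.
PATTERN = re.compile(r"authentication failure")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def alerts_for(lines, count=4, seconds=120, pattern=PATTERN):
    """Return the log lines on which a threshold alert fires.

    A sliding window keeps the timestamps of recent matches; when the
    window holds `count` matches no older than `seconds`, the current line
    triggers an alert and the window is cleared so a single burst does not
    produce an alert on every further match.
    """
    window = deque()
    alerts = []
    for line in lines:
        if not pattern.search(line):
            continue
        ts = datetime.strptime(line[:19], TS_FORMAT)
        window.append(ts)
        # Drop matches that fell out of the time window.
        while window and ts - window[0] > timedelta(seconds=seconds):
            window.popleft()
        if len(window) >= count:
            alerts.append(line)
            window.clear()
    return alerts


if __name__ == "__main__":
    for hit in alerts_for(SAMPLE_LOG):
        # Stand-in for Swatch's `echo red` action.
        print("ALERT:", hit)
```

With the sample above the fourth failure at 12:31:40 falls 99 seconds after the first, so exactly one alert fires; the lone failure at 12:40:00 is outside any window and stays silent. Raising `count` to 5 produces no alert at all, which is the behaviour to check when tuning the threshold against real data.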
-
It seems that the function 'echo' takes as arguments:
'red, threshold 4:120'
and not only
'red'
And that's the reason why it cannot translate it to the right color. And gives an error.
Is the syntax correct for 'threshold'?
Thanks a lot.
2009-04-06 10:28:47 UTC in Swatch
-
Hi
Thanks for the quick answer.
I have tested your solution this morning.
First, it seemed to work because I didn't have the error message anymore.
But, the problem is that nothing works anymore if I comment out this area (For instance, a simple echo displays nothing on my shell screen when I matched a string).
Did you get the same problem when you commented it out?
Is somebody using...
2009-04-06 10:14:13 UTC in Swatch
-
Hi
I have quite the same error.
Invalid attribute name threshold at /usr/lib/perl5/vendor_perl/5.8.8/Swatch/Actions.pm line 68.
My config file:
watchfor /authentication failure/
echo red, threshold 4:120
Is there a problem with the syntax of threshold?
I put the same as in the man file.
And I'm using the latest version of Swatch (3.2) (Ubuntu package)...
2009-04-03 14:47:15 UTC in Swatch