LogWatch Cannot Format Message

Started by peter, February 06, 2013, 07:22:56 PM


peter

I am forwarding Windows Server 2003 events to NetXMS. On one of the servers Snort is running, and it logs events into the application log that look as follows:

Event Type:   Warning
Event Source:   snort
Event Category:   None
Event ID:   1
Date:      2/6/2013
Time:      1:16:06 PM
User:      N/A
Computer:   MDCFW
Description:
The description for Event ID ( 1 ) in Source ( snort ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: [1:1448:13] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} XXX.xxx.xxx.xxx:4199 -> xxx.xxx.xxx.xxx:3389.


These events are not forwarded but instead I get a message that LogWatch cannot format the event message.

Is there a work-around for this, or perhaps a method to grab Snort events directly?

Thanks
Peter

Victor Kirhenshtein

Hi!

Actually, the event log tells you the same thing: that there is no description for the message. It looks like Snort doesn't register its event source correctly. A quick search gives a couple of people with the same problem but no solution. I would suggest reconfiguring Snort to send its log to a text file instead of the Windows Event Log, and capturing events from that text log file.

Best regards,
Victor
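As an added example (not code from this thread, from NetXMS or from Snort), here is a Python parser for the text Snort writes in its alert_fast text-log format. The bracketed part of that line ("[gid:sid:rev] message [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port") is the same text that ends up in the event description quoted above, so one parser covers both the Windows Event Log route and the text-file route Victor suggests. The sample log lines, the 198.51.100.0/24 and 203.0.113.0/24 addresses and the "LOCAL test rule" signature are constructed for this example; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches Snort alert text in two shapes:
#   - as embedded in the Windows event description above:
#       [1:1448:13] MISC ... [Classification: ...] [Priority: 3] {TCP} a:p -> b:q
#   - as written by Snort's alert_fast text output, which adds a timestamp and
#     "[**]" markers around the rule identifier and message:
#       02/06-13:16:06.123456  [**] [1:1448:13] MISC ... [**] [Classification: ...] ...
# Classification and ports are optional (ICMP alerts carry no ports).
# The address pattern is written for the IPv4 form shown in the post.
SNORT_ALERT_RE = re.compile(
    r"""
    ^(?:(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+)?   # optional alert_fast timestamp
    (?:\[\*\*\]\s+)?                                           # optional [**]
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+              # generator:signature:revision
    (?P<msg>.+?)\s+                                            # rule message (lazy)
    (?:\[\*\*\]\s+)?                                           # optional closing [**]
    (?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?              # optional classification
    \[Priority:\s*(?P<prio>\d+)\]\s+
    \{(?P<proto>[A-Z]+)\}\s+
    (?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>\S+?)(?::(?P<dport>\d+))?
    \.?\s*$                                                    # event log text ends with "."
    """,
    re.VERBOSE,
)


@dataclass(frozen=True)
class SnortAlert:
    timestamp: Optional[str]
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int          # Snort priority: 1 is the most severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one Snort alert line; return None for lines that are not alerts."""
    m = SNORT_ALERT_RE.match(line.strip())
    if not m:
        return None
    return SnortAlert(
        timestamp=m["ts"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["cls"],
        priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"], sport=_port(m["sport"]),
        dst=m["dst"], dport=_port(m["dport"]),
    )


def parse_log(text: str) -> List[SnortAlert]:
    """Parse a whole alert_fast file, silently skipping blank and non-alert lines."""
    alerts = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def high_priority(alerts: List[SnortAlert], max_priority: int = 2) -> List[SnortAlert]:
    """Keep alerts at or above a severity threshold (lower number = more severe)."""
    return [a for a in alerts if a.priority <= max_priority]


# Constructed sample: the bracketed text from the event above, with documentation
# addresses substituted for the masked ones.
EVENTLOG_TEXT = (
    "[1:1448:13] MISC MS Terminal server request "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] "
    "{TCP} 198.51.100.7:4199 -> 203.0.113.9:3389."
)

# Constructed sample of what the same alert plus a made-up local ICMP rule look
# like in an alert_fast text file, with a non-alert line mixed in.
SAMPLE_ALERT_FAST = """\
02/06-13:16:06.123456  [**] [1:1448:13] MISC MS Terminal server request [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:4199 -> 203.0.113.9:3389
not an alert line
02/06-13:17:40.000001  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 2] {ICMP} 198.51.100.7 -> 203.0.113.9
"""

if __name__ == "__main__":
    for a in parse_log(SAMPLE_ALERT_FAST):
        print(a)
```

The fields this regex pulls out (signature id, message, priority, protocol, addresses and ports) are the ones you would want a rule-based log-file watcher to capture and carry into the forwarded event, rather than the raw line; lines that do not match are dropped instead of raising, so a stray non-alert line in the file does not stop the tail.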