Modern Snare-Format Parsing Arrives: Introducing the mmsnareparse Module

Last September, Rainer Gerhards revisited a long-standing challenge: normalizing legacy Windows Snare logs for use in modern observability pipelines.
In his article Revisiting old style Windows Log Schema Mapping, he explored heuristic and AI-assisted methods to better handle these still-prevalent formats.

That effort has now resulted in production-ready code: the new mmsnareparse module — already part of the daily stable build and scheduled for inclusion in the 8.2510.0 stable release.

We’re looking for testers right now.
If your systems still forward Windows Security logs in Snare format, please deploy mmsnareparse and let us know how it performs in your environment.
Real-world feedback will directly shape future development.

Why Snare v1 Still Matters

Even in 2025, many infrastructures continue to emit Snare v1–style Windows Security logs — often because deploying modern agents is not an option.
These tab-delimited MSWinEventLog messages contain valuable audit data, but the columns carry no field names and the event details sit in a flattened description string, which makes SIEM ingestion and compliance correlation tedious.

Historically, this meant fragile regex chains or custom scripts.
mmsnareparse changes that by performing reliable field extraction directly inside rsyslog, with consistent, typed JSON output and minimal configuration.


From Research to Implementation

mmsnareparse is a message-modification parser for NXLog Snare-formatted Windows Security events encapsulated in RFC 3164 or RFC 5424 envelopes.
It was designed and tested with Windows Server 2016–2025 data and developed as a safe, fast, and extensible solution.

Key characteristics:

  • Thread-safe, per-worker parsing; configuration is immutable.
  • Preserves the original payload while generating structured JSON (default container: !win).
  • Supports both tab-delimited and Snare JSON formats.
  • Allows live JSON-based overrides (definition.file, definition.json, runtime.config).
  • No external dependencies beyond rsyslog core.

You can test it today using the daily stable build, which already contains the module.


Technical Highlights

The module extracts and organizes:

  • Event metadata: Event ID, Provider, Channel, Computer, normalized timestamps, audit outcomes.
  • Semantic categories: Event ID mapping for 4624, 4625, 4672, 4688, 4768–4771, 5140, 5157, 6281, 1102, 1243.
  • Hierarchical JSON fields, e.g. !win!Subject!AccountName, !win!Network!SourceNetworkAddress
  • Modern telemetry: LAPS, TLS Inspection, WDAC enforcement, WUFB deployment.
  • Validation and observability: !win!Validation!Errors, !win!Stats!ParsingStats, !win!Unparsed.

The resulting structure is ready for ingestion into Elastic, Loki, or ClickHouse — without external preprocessing.
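To make the tab-delimited layout from "Why Snare v1 Still Matters" and the hierarchical output listed above concrete, here is a small stand-alone parser written for this post. It is illustrative code, not the mmsnareparse source: it assumes the common Snare v1 column order (tag, criticality, channel, counter, timestamp, Event ID, provider, user, SID type, audit outcome, computer, category, data, description, optional checksum), the EVENT_CATEGORIES labels and the Network alias are hypothetical, and the 4624 event it parses is a constructed sample. It shows the three things the module's output groups promise: typed event metadata with a normalized timestamp, section/field hierarchy recovered from the flattened description, and Validation/Stats/Unparsed bookkeeping for whatever did not fit.

```python
"""Illustrative Snare v1 parser written for this post; not mmsnareparse's code.
Assumes the common Snare v1 tab-delimited column order and a constructed sample."""
import json
import re
from datetime import datetime

# Assumed Snare v1 column order, starting at the MSWinEventLog tag.
SNARE_FIELDS = (
    "Tag", "Criticality", "Channel", "SnareCounter", "DateTime", "EventID",
    "Provider", "UserName", "SIDType", "AuditOutcome", "Computer",
    "CategoryString", "DataString", "Description",
)

# Hypothetical semantic labels for a few of the Event IDs named in the post.
EVENT_CATEGORIES = {4624: "LogonSuccess", 4625: "LogonFailure",
                    4672: "SpecialPrivileges", 4688: "ProcessCreate",
                    1102: "AuditLogCleared"}

# Hypothetical alias so the section lands where the post's example path expects it.
SECTION_ALIASES = {"NetworkInformation": "Network"}

# Constructed sample: RFC 3164 header + Snare v1 payload for a 4624 logon.
# The multi-line Windows description has been flattened; keys, values and
# section headers are separated by runs of two or more spaces.
SAMPLE_4624 = (
    "<13>Oct 14 09:15:02 WIN-DC01 MSWinEventLog\t1\tSecurity\t4711\t"
    "Tue Oct 14 09:15:01 2025\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWIN-DC01.contoso.local\tLogon\t\t"
    "An account was successfully logged on.    "
    "Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   "
    "Logon ID:  0x0    "
    "New Logon:   Security ID:  S-1-5-21-1-2-3-1104   Account Name:  jdoe   "
    "Account Domain:  CONTOSO   Logon ID:  0x5A3F2    "
    "Network Information:   Workstation Name:  WS042   "
    "Source Network Address:  10.10.1.23   Source Port:  51334"
)

KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 /()-]*:$")


def split_snare(line):
    """Locate the Snare payload inside the syslog envelope and split its columns."""
    idx = line.find("MSWinEventLog")
    if idx < 0:
        return None
    cols = line[idx:].split("\t")
    if len(cols) < len(SNARE_FIELDS):
        return None
    fields = dict(zip(SNARE_FIELDS, cols))
    if len(cols) > len(SNARE_FIELDS):          # optional trailing checksum column
        fields["Checksum"] = cols[len(SNARE_FIELDS)]
    return fields


def parse_description(text):
    """Turn the flattened description into {Section: {Key: value}}.
    A 'Key:' token followed by another 'Key:' token is a section header;
    free text that fits neither shape is kept for the Unparsed list."""
    tokens = [t.strip() for t in re.split(r"\s{2,}", text) if t.strip()]
    sections, unparsed, current, i = {}, [], "General", 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if not KEY_RE.match(tok):
            unparsed.append(tok)
            i += 1
        elif nxt is None or KEY_RE.match(nxt):
            name = tok[:-1].replace(" ", "")
            current = SECTION_ALIASES.get(name, name)
            i += 1
        else:
            sections.setdefault(current, {})[tok[:-1].replace(" ", "")] = nxt
            i += 2
    return sections, unparsed


def parse_snare_event(line):
    """Build the hierarchical record a container such as !win would hold."""
    fields = split_snare(line)
    if fields is None:
        return {"parsesuccess": "FAIL", "Unparsed": [line]}
    errors = []
    try:
        event_id = int(fields["EventID"])
    except ValueError:
        event_id, errors = None, errors + ["EventID not numeric"]
    try:   # Snare stamps carry no zone, so the result is a naive ISO timestamp
        ts = datetime.strptime(fields["DateTime"], "%a %b %d %H:%M:%S %Y").isoformat()
    except ValueError:
        ts, errors = fields["DateTime"], errors + ["DateTime not in Snare format"]
    sections, unparsed = parse_description(fields["Description"])
    return {
        "parsesuccess": "OK",
        "Event": {"EventID": event_id, "Provider": fields["Provider"],
                  "Channel": fields["Channel"], "Computer": fields["Computer"],
                  "Timestamp": ts, "Outcome": fields["AuditOutcome"],
                  "Category": EVENT_CATEGORIES.get(event_id, "Unmapped")},
        **sections,
        "Unparsed": unparsed,
        "Validation": {"Errors": errors},
        "Stats": {"Sections": len(sections),
                  "Fields": sum(len(v) for v in sections.values())},
    }


if __name__ == "__main__":
    print(json.dumps(parse_snare_event(SAMPLE_4624), indent=2))
```

Two caveats worth keeping in mind when comparing this with the module: the section heuristic attributes any key to the most recent header, so a field Windows prints outside a section (Logon Type in a real 4624, for instance) would be filed under the preceding section, which is exactly the kind of case per-event definitions such as the module's definition.file and definition.json overrides exist for; and the Snare timestamp has no time zone, so the normalized value above is only as good as the agent's clock and the zone you assume downstream.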


Quick Start

Try it yourself:

# Load the TCP input, the file output and the Snare parser
module(load="imtcp")
module(load="omfile")
module(load="mmsnareparse")

# Emit only the structured container, one JSON object per line
template(name="snareWin" type="string" string="%!win%\n")
# Listen for Snare-forwarded events on TCP/5514
input(type="imtcp" port="5514")

# Parse into !win and switch on the optional field groups
action(type="mmsnareparse"
       container="!win"
       enable.network="on"
       enable.laps="on"
       enable.tls="on"
       enable.wdac="on")

# Write parsed events as JSON; keep failures in debug format for triage
if $parsesuccess == "OK" then {
    action(type="omfile" file="/var/log/winsec.json" template="snareWin")
} else {
    action(type="omfile" file="/var/log/winsec.parsefail" template="RSYSLOG_DebugFormat")
}

Full documentation and examples:
https://www.rsyslog.com/doc/configuration/modules/mmsnareparse.html


Feedback Needed: Proof Through Practice

mmsnareparse is stable by design, but we now need proof from practice.
Before extending the mapping set or adding AI-assisted features, we want to confirm it works across diverse real-world Snare deployments.

Please share:

  • Parsing issues or unmapped fields
  • Logs that fail detection (anonymized if needed)
  • Suggestions for event coverage or performance tuning

You can contribute feedback through:


Outlook

Further development — such as dynamic event learning or extended field tables — will depend on community input.
If testing confirms robustness, we’ll expand its scope; if not, we’ll adjust accordingly.

mmsnareparse is available now in the daily stable build and will be included in the scheduled stable 8.2510.0 release.
It continues rsyslog’s mission to make structured observability accessible even when legacy data formats remain — fast, reliable, and open.
