<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Book Antiqua";
        panose-1:2 4 6 2 5 3 5 3 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Book Antiqua";
        color:blue;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:1583947233;
        mso-list-type:hybrid;
        mso-list-template-ids:873888976 -1133474216 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:5;
        mso-level-number-format:bullet;
        mso-level-text:\F0D8;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;
        mso-fareast-font-family:"Times New Roman";
        mso-bidi-font-family:"Times New Roman";
        color:blue;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal style='margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><font
size=2 color=blue face=Wingdings><span style='font-size:10.0pt;font-family:
Wingdings;color:blue'><span style='mso-list:Ignore'>Ø<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></span></font><![endif]>I first started with EvtSys and it
worked pretty well but it left out the hostname<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><font
size=2 color=blue face=Wingdings><span style='font-size:10.0pt;font-family:
Wingdings;color:blue'><span style='mso-list:Ignore'>Ø<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></span></font><![endif]>so it was hard to make server
specific swatch statements. I then tried <font size=2><span style='font-size:
10.0pt'>ntsyslog </span></font><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'><o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><font
size=2 color=blue face=Wingdings><span style='font-size:10.0pt;font-family:
Wingdings;color:blue'><span style='mso-list:Ignore'>Ø<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></span></font><![endif]><font size=2><span
style='font-size:10.0pt'>which shared the same problem.</span></font><font
size=2 color=blue face="Book Antiqua"><span style='font-size:10.0pt;font-family:
"Book Antiqua";color:blue'><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'>This shouldn’t
be a problem for Syslog-NG because you can have it do a DNS lookup on the
source IP address of a Syslog message to get the hostname, and then use the
$FULLHOST_FROM macro in your ‘destination’ directive to log it to a
file including the hostname. Here’s a link that explains more
regarding the macros you can use to refine log handling:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'> <a
href="http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html#macros">http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html#macros</a><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'>If you don’t
have DNS in your internal network, you can simply make the IP to hostname
correlation in your /etc/hosts file.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'>I hope this
helps,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'>Justin.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Book Antiqua"><span
style='font-size:10.0pt;font-family:"Book Antiqua";color:blue'><o:p> </o:p></span></font></p>
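<p class=MsoNormal>The setup described in the reply above, written out as a syslog-ng.conf fragment. This is an added example, not part of the original message; the names s_net and d_per_host and the /var/log/hosts path are assumptions.</p>

```conf
# Added example: per-host log files keyed on the resolved sender name.
# s_net, d_per_host and /var/log/hosts are assumed names, not from the thread.
options {
    use_dns(yes);        # resolve the sender's source IP (DNS, or /etc/hosts via the system resolver)
    use_fqdn(yes);       # record fully qualified names
    keep_hostname(no);   # do not trust the hostname field carried inside the message
    create_dirs(yes);    # create the per-host directory when the first message arrives
};

source s_net {
    udp(ip(0.0.0.0) port(514));   # Windows agents such as EvtSys send plain UDP syslog
};

destination d_per_host {
    # $FULLHOST_FROM is the name of the host the message was received from
    file("/var/log/hosts/$FULLHOST_FROM/$YEAR-$MONTH-$DAY.log");
};

log { source(s_net); destination(d_per_host); };
```

<p class=MsoNormal>Because the name is derived from the UDP source address, which can be spoofed, the per-host files are only as trustworthy as the network path between the agents and the collector.</p>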
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Tom Valdes
[mailto:tom.valdes@gmail.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, September 29, 2006
1:06 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Syslog-ng users' and
developers' mailing list<br>
<b><span style='font-weight:bold'>Subject:</span></b> [syslog-ng] EventViewer
to SysLog - looking for opinions</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I recently started evaluating tools to convert Windows Event Viewer
messages to SysLog and I'm looking for opinions on the different ones and what
to look for.<br>
<br>
I first started with EvtSys and it worked pretty well but it left out the
hostname so it was hard to make server specific swatch statements. <br>
I then tried </span></font><font size=2><span style='font-size:10.0pt'>ntsyslog
which shared the same problem.<br>
<br>
I'm now trying Snare (thanks Kevin for the tip) and it looks a lot more
flexible as to what type of events get sent and it sends the hostname as
well. When I first installed it, it worked fine and sent messages. After
fiddling with it, it stopped working correctly. I'm going to start
working with it again, but I'd like to hear what else people are using. <br>
<br>
The 2 things the tool should have are:<br>
be free and transmit the Hostname.<br>
<br>
thanks,<br>
tom</span></font><o:p></o:p></p>
</div>
</body>
</html>