<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><div><span>Hi Jim.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>Thank you so much for your reply.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>Excuse me, Can you write a config file for me that collect Windows log?</span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div style="font-family:
HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Monday, August 25, 2014 1:18 AM, Jim Hendrick <jrhendri@roadrunner.com> wrote:<br> </font> </div> <br><br> <div class="y_msg_container"><div id="yiv4008174825"><div>
<br clear="none">
<br clear="none">
One way to check would be to have syslog-ng use the host macro as
part of the directory (or file) name and let it create directories
(or files) for every host it hears from like this:<br clear="none">
<br clear="none">
change create_dirs(yes) <br clear="none">
<br clear="none">
and create a destination that will use information it parses out of
the received logs in the filenames:<br clear="none">
<br clear="none">
destination d_separatedbyhosts {<br clear="none">
file( "/var/log/$HOST/$HOST.$FACILITY.$SEVERITY.$YEAR.$MONTH.$DAY"
);<br clear="none">
}<br clear="none">
<br clear="none">
then don't filter at all - just let syslog-ng create at will.<br clear="none">
<br clear="none">
While this may not be what you want eventually, it would let
syslog-ng create files for any host it hears from, and that might
show you how the $HOST macro is being parsed.<br clear="none">
<br clear="none">
Jim<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<div class="yiv4008174825yqt3180103889" id="yiv4008174825yqt37017"><div class="yiv4008174825moz-cite-prefix">On 08/24/2014 01:33 PM, Jason Long
wrote:<br clear="none">
</div>
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt; background-color: rgb(255, 255, 255);">
<div class="yiv4008174825" style="">Hello all.</div>
<div class="yiv4008174825" style="">I have a Windows Box that want to forward
all Even logs to my Linux box. I install Snare on Windows(<span class="yiv4008174825" style="font-size:12pt;">172.30.10.19)</span><span class="yiv4008174825" style="font-size:12pt;"> and configure it to
forward logs to Linux and my Linux box receive it properly.
When I use " tcpdump udp "port 514" ", Tcpdump show me that
Snare sending Logs to Linux but Syslog-ng can't write it to
log files :(. I paste my syslog-ng configure :</span></div>
<div class="yiv4008174825" style=""><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;">options {</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>flush_lines (0);</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>time_reopen (10);</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>log_fifo_size
(1000);</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>long_hostnames
(off);</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>use_dns (no);</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>use_fqdn (no);</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>create_dirs (no);</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>keep_hostname
(yes);</div>
<div class="yiv4008174825" style="background-color:transparent;">};</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;">source
s_sys {</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>file ("/proc/kmsg"
program_override("kernel: "));</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>unix-stream
("/dev/log");</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>internal();</div>
<div class="yiv4008174825" style="background-color:transparent;"><span class="yiv4008174825" style="white-space:pre;"> </span>#udp(ip(0.0.0.0)
port(514));</div>
<div class="yiv4008174825" style="background-color:transparent;">};</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;">#source
s_net {</div>
<div class="yiv4008174825" style="background-color:transparent;">#udp
(ip(172.30.10.19) port(514));</div>
<div class="yiv4008174825" style="background-color:transparent;">#};</div>
<div class="yiv4008174825" style="background-color:transparent;">source
s_net { udp(); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_openwrt { host("172.30.10.19");};</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
df_openwrt { file("/var/log/winlog/win.log"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source ( s_net ); filter( f_openwrt ); destination (
df_openwrt ); };</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_cons { file("/dev/console"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_mesg { file("/var/log/messages"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_auth { file("/var/log/secure"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_mail { file("/var/log/maillog" flush_lines(10)); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_spol { file("/var/log/spooler"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_boot { file("/var/log/boot.log"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_cron { file("/var/log/cron"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_kern { file("/var/log/kern"); };</div>
<div class="yiv4008174825" style="background-color:transparent;">destination
d_mlal { usertty("*"); };</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_kernel { facility(kern); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_default { level(info..emerg) and</div>
<div class="yiv4008174825" style="background-color:transparent;">
not (facility(mail)</div>
<div class="yiv4008174825" style="background-color:transparent;">
or facility(authpriv) </div>
<div class="yiv4008174825" style="background-color:transparent;">
or facility(cron)); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_auth { facility(authpriv); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_mail { facility(mail); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_emergency { level(emerg); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_news { facility(uucp) or</div>
<div class="yiv4008174825" style="background-color:transparent;">
(facility(news) </div>
<div class="yiv4008174825" style="background-color:transparent;">
and level(crit..emerg)); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_boot { facility(local7); };</div>
<div class="yiv4008174825" style="background-color:transparent;">filter
f_cron { facility(cron); };</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;">#log {
source(s_sys); filter(f_kernel); destination(d_cons); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_kernel); destination(d_kern); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_default); destination(d_mesg); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_auth); destination(d_auth); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_mail); destination(d_mail); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_emergency); destination(d_mlal); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_news); destination(d_spol); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_boot); destination(d_boot); };</div>
<div class="yiv4008174825" style="background-color:transparent;">log {
source(s_sys); filter(f_cron); destination(d_cron); };</div>
<div class="yiv4008174825" style="background-color:transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="background-color:transparent;">#
vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:</div>
<div class="yiv4008174825" style=""><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><br clear="none" class="yiv4008174825" style="">
</div>
<div class="yiv4008174825" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><br clear="none">
</div>
<div class="yiv4008174825" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;">Can you tell me how can I solve this
problem? </div>
<div class="yiv4008174825" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><br clear="none">
</div>
<div class="yiv4008174825" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;">Cheers.</div>
</div>
<br clear="none">
<fieldset class="yiv4008174825mimeAttachmentHeader"></fieldset>
<br clear="none">
<pre>______________________________________________________________________________
Member info: <a rel="nofollow" shape="rect" class="yiv4008174825moz-txt-link-freetext" target="_blank" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a rel="nofollow" shape="rect" class="yiv4008174825moz-txt-link-freetext" target="_blank" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a rel="nofollow" shape="rect" class="yiv4008174825moz-txt-link-freetext" target="_blank" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote></div>
<br clear="none">
</div></div><br><br></div> </div> </div> </div> </div></body></html>