Here is my config:

#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
# configuration template aren't used any more.
#
# Feel free to edit this file directly.
#
# Additional log sockets for chroot environments can
# be declared in the /etc/sysconfig/syslog file using
#    SYSLOGD_ADDITIONAL_SOCKET<NAME>
# variables. This way allows to define a socket from
# RPM scripts and is used by several services, e.g.
# bind and dhcpd.
#
# The sockets defined in /etc/sysconfig/syslog file
# are added by the /etc/init.d/syslog init-script using
# "-a path" command line options while syslog-ng is
# started.
#
# This syslog-ng contains an extension and appends the
# sockets added by "-a" option to the same source group
# and using the same socket type (unix-dgram) as the
# "/dev/log" socket.
# If one of the sockets added by "-a" option already
# exists in any (other) source group in the config file,
# then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options {
    long_hostnames(off);
    sync(0);
    perm(0640);
    stats(3600);
    keep_hostname(yes);
};

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();
    #
    # the default log socket for local logging:
    #
    unix-dgram("/dev/log");
    #
    # uncomment to process log messages from network:
    #
    udp(ip("0.0.0.0") port(514));
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit) and facility(news); };
filter f_newserr    { level(err) and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info) and facility(mail); };
filter f_mailwarn   { level(warn) and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

#
# acpid messages
#
filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };

# this is for the old acpid < 1.0.6
filter f_acpid_old  { match('^\[acpid\]:'); };

filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Enable this and adapt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { pipe("/dev/tty10"    owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
destination null { };

log { source(src); filter(f_acpid); destination(acpid); flags(final); };
#
# if you want more verbose acpid logging, comment the destination(null)
# line and uncomment the destination(acpid) line
#
log { source(src); filter(f_acpid_full); destination(null); flags(final); };
# log { source(src); filter(f_acpid_full); destination(acpid); flags(final); };
#
# old acpid < 1.0.6
log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

# this is for separating out network hosts into individual log files.
destination std {
    file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
log { source(src); destination(std); };

Jerry

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Tuesday, October 12, 2010 4:53 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

Can you post your config?

On Tue, Oct 12, 2010 at 5:21 PM, Jerry Riedel <riedel@codylabs.com> wrote:
Unfortunately, that program made matters worse - nearly all logs from that host are now going into the /var/log/messages file, getting intermixed with the openSUSE messages. Another odd thing that does not appear to be related: syslog-ng created additional folders for my two Windows servers in the /HOSTS folder, this time with the name in all_lower_case, and is now putting some of the server log files into one and some into the other!
It would be nice if there was a configuration switch to tell syslog-ng that the host in question was a Windows host and deal with the format accordingly. While I realize that the Windows event log format does not match the syslog standard, the free version of EventLogAnalyzer and Kiwi syslog server handle Windows format event logs from Datagram Syslog Agent with no problem.
Jerry
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 06, 2010 3:56 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
Eventlog-to-Syslog is excellent. I have a db-parser pattern for it that works pretty well, at least for grabbing the event ID and user name along with the program and host. It's free and works on all versions of Windows: http://code.google.com/p/eventlog-to-syslog/ . I like it better than Snare because it's much lighter weight.
--Martin
On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel@codylabs.com> wrote:
I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog server and it is working well except for one thing - the Windows event logs that are being sent with the Datagram Syslog Agent contain a space that causes issues. Initially, all of these were going into /var/log/messages until I added the keep_hostname(yes) argument.
After doing that, it now puts the Windows logs into the appropriate folder under /var/log/hosts/ but it still puts a copy into the /var/log/messages file. I would like to have that log only contain log messages from Opensuse.
Is there a configuration setting I am missing, or is this caused by the fact that the syslog agent does not correct the eventlog message so that it adheres to the standard syslog message format? If the latter, does anyone know of an open source/free agent that does this?
An example of one of the problematic messages is:
Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM Special privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured) Logon ID:(0x0,0x11331C8)
Thanks,
Jerry Riedel
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
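Editor's note on the posted config. The reason the Windows messages end up in /var/log/messages is visible in the config itself: every log path uses the single source group src, and src contains the local /dev/log socket as well as the udp() and tcp() network listeners. The f_messages filter only excludes news, mail and the iptables pattern, so every remote message that is not news or mail also matches it, regardless of how (or whether) its program tag parses. Routing by source rather than by message content is the usual fix. The fragment below is an added example written for this page, not code from Jerry's mail or from the syslog-ng package; it keeps the existing filters and destinations untouched, so the only log statement that changes is the one feeding the per-host tree. The source name s_net is my choice, and binding the UDP listener to 192.168.0.228 assumes that is the interface the Windows agents send to (the posted tcp() line already uses that address; the posted udp() line listens on 0.0.0.0, i.e. on every interface).

```conf
#
# Local sources only: internal() and /dev/log. All the existing
# 'log { source(src); ... }' statements keep working unchanged and
# now see nothing that arrived over the network.
#
source src {
    internal();
    unix-dgram("/dev/log");
};

#
# Network sources, separated out. The udp() listener is bound to the
# same interface address as the tcp() listener instead of 0.0.0.0
# (assumption: that is the address the Windows agents send to).
#
source s_net {
    udp(ip("192.168.0.228") port(514));
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

#
# Per-host tree from the posted config, fed only from the network
# source. With keep_hostname(yes) the $HOST directory name is taken
# verbatim from the header the sending agent wrote, so two agents on
# one machine that spell the hostname differently create two trees.
#
destination std {
    file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
log { source(s_net); destination(std); };
```

Two things to check after applying this. First, because src no longer carries remote traffic, the console, xconsole, warn and firewall paths also stop seeing remote messages; if any of those should still include remote hosts, add a second log statement for that path with source(s_net). Second, this only stops the leak into the local files; it does not make the Datagram Syslog Agent's header conformant. The sample line "cli-fs-1 security[success] 576 ..." still carries a tag whose bracketed field is not a numeric PID and is not followed by a colon, so anything that later tries to filter or parse those messages by program name will still have to deal with that format.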