Hi, I am not very well-versed in Windows logs, so I might misunderstand something, but if the problem is that the log message is truncated on the syslog-ng server, you have to increase the log_msg_size option further, 8192 is the default value of the log_msg_size option. Regards, Robert On 10/12/2010 04:02:10 PM, Fiorenzi Alessandro wrote:
Hi, We have syslog-ng 3.05 as log server, and datagram syslog agent on windows system (originary ntsyslog) form e windows 2003 server with syslogagent configure I have this event on eventviewer
Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 538 Date: 10/12/2010 Time: 12:26:43 PM User: DOMAINXXX\A.Fiorenzi Computer: XXXXXX Description: User Logoff: User Name: A.Fiorenzi Domain: DOMAINXXX Logon ID: (0x0,0xF78F137) Logon Type: 10
and on syslog-ng server i get this:
Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\a.fiorenzi User Logoff User Name: A.Fiorenz Domain: DOMAINXX Logo n ID: (0x0,0xF78F137 Logon Type: 1
where the descrition field has UserName, Domain, logon ID an Logon Type cutted.
I have record the network traffic via tcpdump and I have seen data arrive correctly. So have set in syslog-ng.conf options the statement log_msg_size(8192); The problem is still open and I do not know how to solve, anyone can help me?
Alessandro Fiorenzi
Prima di stampare, pensa all'ambiente ** Think about the environment before printing
________________________________ Il presente messaggio, inclusi gli eventuali allegati, ha natura aziendale e potrebbe contenere informazioni confidenziali e/o riservate. Chiunque lo ricevesse per errore, ? pregato di avvisare tempestivamente il mittente e di cancellarlo. E' strettamente vietata qualsiasi forma di utilizzo, riproduzione o diffusione non autorizzata del contenuto di questo messaggio o di parte di esso. Pur essendo state assunte le dovute precauzioni per ridurre al minimo il rischio di trasmissione di virus, si suggerisce di effettuare gli opportuni controlli sui documenti allegati al presente messaggio. Non si assume alcuna responsabilit? per eventuali danni o perdite derivanti dalla presenza di virus.
*** This email (including any attachment) is a corporate message and may contain confidential and/or privileged and/or proprietary information. If you have received this email in error, please notify the sender immediately, do not use or share it and destroy this email. Any unauthorised use, copying or disclosure of the material in this email or of parts hereof (including reliance thereon) is strictly forbidden. We have taken precautions to minimize the risk of transmitting software viruses but nevertheless advise you to carry out your own virus checks on any attachment of this message. We accept no liability for loss or damage caused by software viruses. For the conduct of investment business in the UK, the Company is authorized by Bank of Italy and regulated by the Financial Services Authority.
------quoted attachment------
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/? product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html