I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog server and it is working well except for one thing - the Windows event logs that are being sent with the Datagram Syslog Agent contain a space that causes issues. Initially, all of these were going into /var/log/messages until I added the keep_hostname(yes) argument.

After doing that, it now puts the Windows logs into the appropriate folder under /var/log/hosts/ but it still puts a copy into the /var/log/messages file. I would like to have that log only contain log messages from Opensuse.

Is there a configuration setting I am missing, or is this caused by the fact that the syslog agent does not correct the eventlog message so that it adheres to the standard syslog message format? If the latter, does anyone know of an open source/free agent that does this?

An example of one of the problematic messages is:

Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM Special privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured) Logon ID:(0x0,0x11331C8)

Thanks,
Jerry Riedel
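One way to keep the remote messages out of /var/log/messages, as an added example that is not part of the original post: give the local sources and the network source separate log paths, so that what lands in /var/log/messages depends on where a message arrived rather than on how the agent formats it. It assumes syslog-ng 3.x syntax, that the Datagram Syslog Agent sends to UDP port 514, and that the per-host directory is /var/log/hosts/$HOST; the source and destination names are my own.

```conf
options {
    keep_hostname(yes);   # use the hostname carried in the message, as in the post
    create_dirs(yes);     # let /var/log/hosts/<host>/ be created on first use
};

# Local messages only: syslog-ng's own messages and the /dev/log socket
source s_local {
    internal();
    unix-dgram("/dev/log");
};

# Remote messages from the Windows agents (assumed: UDP/514)
source s_net {
    udp(ip(0.0.0.0) port(514));
};

destination d_messages { file("/var/log/messages"); };
destination d_hosts    { file("/var/log/hosts/$HOST/messages"); };

# Only the local source feeds /var/log/messages ...
log { source(s_local); destination(d_messages); };

# ... and only the network source feeds the per-host directories
log { source(s_net); destination(d_hosts); };
```

Running `syslog-ng -s` checks the configuration for syntax errors before it is reloaded.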