Unfortunately, that program made matters worse - nearly all logs from that host are now going into the /var/log/messages file, getting intermixed with the opensuse messages.

Another odd thing that does not appear to be related: syslog-ng created additional folders for my two Windows servers in the /HOSTS folder, this time with the name in all_lower_case, and is now putting some of the server log files into one and some into the other!

It would be nice if there was a configuration switch to tell syslog-ng that the host in question was a Windows host and deal with the format accordingly. While I realize that the Windows event log format does not match the syslog standard, the free version of EventLogAnalyzer and Kiwi syslog server handle Windows format event logs from Datagram Syslog Agent with no problem.

Jerry

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 06, 2010 3:56 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

Eventlog-to-Syslog is excellent. I have a db-parser pattern for it that works pretty well, at least for grabbing the event ID and user name along with the program and host. It's free and works on all versions of Windows: http://code.google.com/p/eventlog-to-syslog/. I like it better than Snare because it's much lighter weight.

--Martin

On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel@codylabs.com> wrote:
I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog server and it is working well except for one thing - the Windows event logs that are being sent with the Datagram Syslog Agent contain a space that causes issues. Initially, all of these were going into /var/log/messages until I added the keep_hostname(yes) argument.
After doing that, it now puts the Windows logs into the appropriate folder under /var/log/hosts/ but it still puts a copy into the /var/log/messages file. I would like to have that log only contain log messages from Opensuse.
Is there a configuration setting I am missing, or is this caused by the fact that the syslog agent does not correct the eventlog message so that it adheres to the standard syslog message format? If the latter, does anyone know of an open source/free agent that does this?
An example of one of the problematic messages is:
Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM Special privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured) Logon ID:(0x0,0x11331C8)
Thanks,
Jerry Riedel
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
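The message Jerry quotes shows the shape of the problem: the Datagram Syslog Agent puts "security[success]" in the program slot, then the event ID, then a user name that itself contains a space (NT AUTHORITY\SYSTEM), then free text with trailing "Key Name:value" fields. The following is an added example, not code from the thread, from syslog-ng or from the Datagram agent: a small Python parser that pulls the same fields Martin says his db-parser pattern grabs (host, program/event log, event ID, user) plus the key:value tail, and a routing function that sends anything parsed as a Windows event to a per-host file and everything else to /var/log/messages. The first sample line is the one quoted in the thread; the other two are constructed for the example. The parser assumes the user field is written DOMAIN\name (so the domain may contain a space but the name may not) and that keys in the tail are capitalised words with the value starting right after the colon; both are assumptions about the agent's format, not documented behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Sample input. Line 1 is the message quoted in the thread; lines 2 and 3 are
# constructed for this example (hosts, PIDs and users are invented).
SAMPLE_LINES = [
    "Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\\SYSTEM "
    "Special privileges assigned to new logon: User Name:CLI-FS-1$ "
    "Domain:(obscured) Logon ID:(0x0,0x11331C8)",
    "Oct  6 11:02:09 CLI-FS-1 security[failure] 529 NT AUTHORITY\\SYSTEM "
    "Logon Failure: Reason:Unknown user name or bad password "
    "User Name:bob Domain:EXAMPLE Logon Type:3",
    "Oct  6 11:02:10 suse-syslog sshd[4242]: Accepted publickey for alice "
    "from 10.0.0.5 port 51234 ssh2",
]

# Classic BSD syslog header: "Mon dd hh:mm:ss host body".
BSD_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<body>.*)$"
)
# Body as the Datagram agent writes it (assumed layout):
#   "<eventlog>[<outcome>] <event id> <DOMAIN\user> <text>"
# The user alternative allows a space inside the domain part ("NT AUTHORITY")
# but requires the backslash so the message text is not swallowed into it.
WIN_BODY = re.compile(
    r"^(?P<log>[A-Za-z]+)\[(?P<outcome>[a-z]+)\]\s+(?P<event_id>\d+)\s+"
    r"(?P<user>\S+(?: \S+)*?\\\S+|\S+)\s+(?P<text>.*)$"
)
# A key is one or more capitalised words followed by ':' and immediately by a
# non-space value; "logon:" (lower case) and "Failure: " (space after colon)
# therefore stay part of the description rather than becoming keys.
KEY = re.compile(r"(?:^|(?<= ))(?P<key>[A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*):(?=\S)")


@dataclass
class WinEvent:
    host: str
    timestamp: str
    log: str          # event log name from the program slot, e.g. "security"
    outcome: str      # bracketed word from the program slot, e.g. "success"
    event_id: int
    user: str
    description: str
    fields: Dict[str, str] = field(default_factory=dict)


def split_fields(text: str) -> Tuple[str, Dict[str, str]]:
    """Split "<description>: Key One:v1 Key Two:v2" into description and dict.
    A value runs up to the next recognised key, so it may contain spaces."""
    keys = list(KEY.finditer(text))
    if not keys:
        return text.strip().rstrip(":"), {}
    description = text[: keys[0].start()].strip().rstrip(":")
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        fields[m.group("key")] = text[m.end():end].strip()
    return description, fields


def parse_line(line: str) -> Optional[WinEvent]:
    """Return a WinEvent for a Datagram-style Windows event line, else None."""
    h = BSD_HEADER.match(line)
    if not h:
        return None
    b = WIN_BODY.match(h.group("body"))
    if not b:
        return None
    description, fields = split_fields(b.group("text"))
    return WinEvent(
        host=h.group("host"),
        timestamp=h.group("ts"),
        log=b.group("log").lower(),
        outcome=b.group("outcome"),
        event_id=int(b.group("event_id")),
        user=b.group("user"),
        description=description,
        fields=fields,
    )


def route(line: str) -> str:
    """Destination a line would be written to: Windows events go only to a
    per-host file (host name lower-cased so one host never gets two
    directories differing by case); everything else to /var/log/messages."""
    ev = parse_line(line)
    if ev is None:
        return "/var/log/messages"
    return f"/var/log/hosts/{ev.host.lower()}/{ev.log}.log"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        print(route(line), "|", ev.event_id if ev else "-", ev.user if ev else "-", ev.fields if ev else "")
```

The same field layout (event log and outcome in the program slot, numeric event ID, backslash-qualified user, then key:value tail) is what a syslog-ng db-parser pattern for this agent would have to express; the Python version is here so the boundaries can be checked offline against real lines before committing to a pattern. The weak point is the user/text boundary: a user without a backslash falls back to a single token, and an event whose description starts with a capitalised "Word:value" token would be mis-split, so inspect the description field on a sample of each event ID you care about.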