syslog-ng and ntsyslog
Hi,

We have syslog-ng 3.05 as log server, and the Datagram Syslog Agent (originally ntsyslog) on Windows systems. From a Windows 2003 server with the syslog agent configured I have this event in the Event Viewer:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/12/2010
Time: 12:26:43 PM
User: DOMAINXXX\A.Fiorenzi
Computer: XXXXXX
Description:
User Logoff:
User Name: A.Fiorenzi
Domain: DOMAINXXX
Logon ID: (0x0,0xF78F137)
Logon Type: 10

and on the syslog-ng server I get this:

Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\a.fiorenzi User Logoff User Name: A.Fiorenz Domain: DOMAINXX Logo
n ID: (0x0,0xF78F137 Logon Type: 1

where the description field has User Name, Domain, Logon ID and Logon Type cut.

I have recorded the network traffic via tcpdump and I have seen the data arrive correctly. So I have set in syslog-ng.conf options the statement log_msg_size(8192); The problem is still open and I do not know how to solve it; can anyone help me?

Alessandro Fiorenzi

Think about the environment before printing

________________________________
This message, including any attachments, is a corporate message and may contain confidential and/or privileged information. Anyone receiving it in error is asked to notify the sender promptly and delete it. Any unauthorised use, reproduction or distribution of the content of this message or of part of it is strictly forbidden. Although due precautions have been taken to minimise the risk of transmitting viruses, you are advised to carry out the appropriate checks on the documents attached to this message. No liability is accepted for any damage or loss arising from the presence of viruses.

*** This email (including any attachment) is a corporate message and may contain confidential and/or privileged and/or proprietary information. If you have received this email in error, please notify the sender immediately, do not use or share it and destroy this email. Any unauthorised use, copying or disclosure of the material in this email or of parts hereof (including reliance thereon) is strictly forbidden. We have taken precautions to minimize the risk of transmitting software viruses but nevertheless advise you to carry out your own virus checks on any attachment of this message. We accept no liability for loss or damage caused by software viruses. For the conduct of investment business in the UK, the Company is authorized by Bank of Italy and regulated by the Financial Services Authority.
Hi,

I am not very well-versed in Windows logs, so I might misunderstand something, but if the problem is that the log message is truncated on the syslog-ng server, you have to increase the log_msg_size option further; 8192 is the default value of the log_msg_size option.

Regards,
Robert

On 10/12/2010 04:02:10 PM, Fiorenzi Alessandro wrote:
> [quoted text of the original message, as above]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Just increase it to 65535, the maximum UDP packet size, and see if that fixes your issue.

Matthew.

On Tue, Oct 12, 2010 at 08:10:55PM +0200, Robert Fekete wrote:
> [quoted text of Robert's reply and of the original message, as above]
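For readers following the log_msg_size advice in the two replies above, here is a minimal syslog-ng 3.x receiver configuration that raises the ceiling to the 65535 value suggested, on both the global options and the network sources. This is an added example written for this page, not a configuration from the thread or from the syslog-ng project; the listener address, port, file path and source names are assumptions. The TCP source is included because a stream transport does not suffer the IP fragmentation of large UDP datagrams that the later reply raises; it only helps if the Windows agent is configured to send over TCP.

```conf
# Added example (not from the thread): syslog-ng 3.x receiver for Windows agents.
# Assumed values: 0.0.0.0:514, /var/log/syslog-ng/windows/, source/destination names.

options {
    log_msg_size(65535);   # global ceiling; the default is 8192 bytes
    keep_hostname(yes);    # keep the hostname the agent put in the message
};

# UDP listener: large messages become fragmented IP datagrams on the wire
source s_win_udp {
    udp(ip(0.0.0.0) port(514) log_msg_size(65535));
};

# TCP listener: no datagram size limit, no fragmentation of single messages
source s_win_tcp {
    tcp(ip(0.0.0.0) port(514) log_msg_size(65535));
};

destination d_windows {
    file("/var/log/syslog-ng/windows/$HOST.log");
};

log { source(s_win_udp); source(s_win_tcp); destination(d_windows); };
```

After reloading, compare the length of a logged line against the length of the payload captured with tcpdump on the server; if the file copy is still shorter than the wire copy, the cut is happening before or at reception (fragment loss or agent-side limits), not in the log_msg_size setting.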
On Tue, 2010-10-12 at 16:02 +0200, Fiorenzi Alessandro wrote:
> [quoted text of the original message, as above]
I'm not sure if you are using udp or tcp transport, but please note that if you are using UDP, then probably IP fragmentation happens in case your log message is more than 1492 octets. Can you include the original tcpdump as you have seen it on the wire? Do you include the whole message in your sample above? How long is the complete message as transferred on the wire?

-- 
Bazsi
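The questions in the reply above (how long is the message on the wire, is it fragmented, is it cut by the receiver) can be answered mechanically. The following Python script is an added example written for this page, not code from the thread or from syslog-ng or the Windows agent: it builds a one-line syslog datagram from the event fields quoted in the thread (a constructed sample), reports whether that datagram would be IP-fragmented on a 1500-byte MTU link or exceed a given log_msg_size, and applies a small heuristic to a received line to flag the kind of cut shown in the original post (an unbalanced parenthesis in the Logon ID, or a missing Logon Type value). The message layout, PRI value and MTU are assumptions.

```python
"""Added example (not from the thread): size and truncation checks for a
Windows event forwarded as a single BSD-syslog UDP datagram."""
import re
import socket

# Constructed sample built from the event fields quoted in the thread.
SAMPLE_EVENT = {
    "host": "XXXXXX",
    "tag": "security[success]",
    "event_id": 538,
    "user": "DOMAINXXX\\a.fiorenzi",
    "description": (
        "User Logoff User Name: A.Fiorenzi Domain: DOMAINXXX "
        "Logon ID: (0x0,0xF78F137) Logon Type: 10"
    ),
}

# The truncated line as it appeared in the syslog-ng log in the original post.
TRUNCATED_LINE = (
    "Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\\a.fiorenzi "
    "User Logoff User Name: A.Fiorenz Domain: DOMAINXX Logo n ID: "
    "(0x0,0xF78F137 Logon Type: 1"
)

IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header + UDP header, no IP options


def build_syslog_datagram(event, pri=13, timestamp="Oct 12 12:26:43"):
    """Flatten an event into one RFC 3164-style line; layout is an assumption."""
    body = f"{event['event_id']} {event['user']} {event['description']}"
    line = f"<{pri}>{timestamp} {event['host']} {event['tag']}: {body}"
    return line.encode("utf-8")


def analyze_datagram(payload, log_msg_size=8192, mtu=1500):
    """Report the two failure modes from the thread for one UDP payload:
    fragmentation on the wire, and the receiver's log_msg_size ceiling."""
    size = len(payload)
    return {
        "payload_bytes": size,
        "fragmented": size + IPV4_UDP_OVERHEAD > mtu,
        "cut_by_log_msg_size": size > log_msg_size,
    }


def looks_truncated(received_line):
    """Heuristic for a cut logon/logoff description: an unclosed parenthesis
    in the Logon ID, or no numeric Logon Type at the end of the line."""
    if received_line.count("(") != received_line.count(")"):
        return True
    return re.search(r"Logon Type:\s*\d+\s*$", received_line) is None


def loopback_roundtrip(payload):
    """Send the datagram to a local UDP socket and return what arrives;
    this is the same measurement tcpdump gives on the receiving host."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx.sendto(payload, rx.getsockname())
        data, _ = rx.recvfrom(65535)
        return data
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    wire = build_syslog_datagram(SAMPLE_EVENT)
    print(analyze_datagram(wire))
    print("received bytes:", len(loopback_roundtrip(wire)))
    print("sample truncated:", looks_truncated(wire.decode()))
    print("thread line truncated:", looks_truncated(TRUNCATED_LINE))
```

The event from the thread is far below both limits, so the script reports neither fragmentation nor a log_msg_size cut for it; that is the reason to capture the real datagram, because a message that is short at the Event Viewer but long after the agent flattens it behaves differently. The heuristic is tuned to this event category only and should be extended per event ID before being used as a detection rule for silently truncated audit records.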
participants (4)
- Balazs Scheidler
- Fiorenzi Alessandro
- Matthew Hall
- Robert Fekete