Syslog-ng Windows Agent & WIN2008 Event Forwarding Subscription
Hi everyone,

I have a small problem.

I have a Windows Server 2008 on which an Event Forwarding Subscription is configured as described here: http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-s... I added a few clients. The events arrive on the Windows Server 2008 without error, in ForwardedEvents.

My problem is the following:

On the Windows Server 2008 I installed Syslog-ng Windows Agent version 3.2.1 and configured log forwarding towards a Syslog-ng PE. The events arrive, but in a rather peculiar form :)

Jan 20 16:06:34 COMPUTER1 NT: AUTHORITY\ANONYMOUS LOGON: ForwardedEvents Security: [] (EventID 538)
Jan 20 16:06:34 COMPUTER2 NT: AUTHORITY\ANONYMOUS LOGON: ForwardedEvents Security: [] (EventID 538)
Jan 20 16:06:34 COMPUTER3 NT: AUTHORITY\ANONYMOUS LOGON: ForwardedEvents Security: [] (EventID 538)

The Windows 2008 is also 64-bit, so it is managed from AD.

Could this be an Agent problem, or is something wrong with the Event Forwarding Subscription?

Regards,
Szilárd
It's a Hungarian mail, I will ask the sender to write an English mail next time.

Hi,

We have seen this once before, but so far we have not been able to reproduce it. If you have BOSS access, you should report the bug there, and then maybe we can find out more. If not, write to me and we will see what we can do. But please write in English to this list, because this is a public syslog-ng list which is read not only by Hungarians, so they do not understand what we are talking about.

Thanks

On 2011-01-20 16:18, Szilárd Szabó wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
I'm also interested in syslog-ng windows agent, so, please do ;)

Thanks

On 01/20/2011 04:44 PM, Zoltán Pallagi wrote:
--
Fabien Bagard
IT Department
tel + 33 (0)1 48 03 60 40
--------------------------------------------------------------------------------
Parrot SA
174, Quai de Jemmapes | 75010 Paris - France
tel + 33 (0)1 48 03 60 60 | fax + 33 (0)1 48 03 70 08
http://www.parrot.com
--------------------------------------------------------------------------------
This e-mail message and any attached document(s) are for the sole use of the intended recipient(s) and may contain confidential and legally privileged information. Any unauthorized review, copy, use and/or disclosure is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original.
Give Snare a try - many of my users use it.
______________________________________________________________
Clayton Dukes
______________________________________________________________

2011/1/20 Fabien Bagard <fabien.bagard@parrot.com>
On 2011-01-20 17:58, Clayton Dukes wrote:
Give Snare a try - many of my users use it.
On 2011-01-21 03:38, Martin Holste wrote:
I recommend eventlog-to-syslog (http://code.google.com/p/eventlog-to-syslog/) which has great speed and works fine on server 2008.
I am not sure that these programs can forward events coming from other Windows hosts, forwarded by WinRM (so these events are in the ForwardedEvents store on the server, and the syslog-ng agent forwards these forwarded events to a syslog-ng). Can you confirm that these programs can do it?

2011/1/20 Fabien Bagard <fabien.bagard@parrot.com>
I have not tried EvtSys with subscriptions, but I know that by default it will forward all sources (Security, Application, etc.) including any custom or otherwise non-standard sources. If ForwardedEvents is considered a source, it will be forwarded along with everything else. I should also point out that you can configure EvtSys to filter out messages in a granular way with some registry keys if you don't want everything.
I tried it. Negative :(

2011/1/22 Martin Holste <mcholste@gmail.com>:
--
Üdvözlettel / Regards
Szabó Szilárd
====================
http://szaboszilard.info
This message and any attachment(s) are intended only for the use of the named recipient and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If you are not the intended recipient, please notify the sender by return e-mail and delete this message from your system. Do not disclose the contents of this document to any other persons. Violation of this notice may be unlawful. Please note that internet communications are not secure and e-mails are susceptible to change. Thank you for your cooperation.
Bah, too bad! Thanks a lot, Microsoft. Nice that they finally put together some sort of log forwarding in the least interoperable way possible.

Your next option might be to install Epilog (similar to Snare) and forward the flat files the log subscription is writing out.

2011/1/23 Szilárd Szabó <xilu87@gmail.com>:
On 2011-01-23 17:38, Martin Holste wrote:
Bah, too bad! Thanks a lot, Microsoft. Nice that they finally put together some sort of log forwarding in the least interoperable way possible.
Your next option might be to install Epilog (similar to Snare) and forward the flat files the log subscription is writing out.
Well, as far as I know, the free Snare clients can send logs only via UDP, which is not lossless. So if you want to forward your logs via TCP or TLS to a syslog-ng server, I think the best solution is to use syslog-ng agent, because BalaBit develops both products, and we take care of the best interoperability of syslog-ng agent and syslog-ng. Of course, if you would like to use free software, you can use other programs on your Windows (only syslog-ng PE includes the agent, so it's not free), but from my point of view, when you want to collect logs from thousands of Windows servers, the cost is not the basic aspect.
-- pzolee
Dear members,

I installed Epilog and added the log file [ForwardedEvents.evtx], but it doesn't work, because it's like a binary file.

Any idea how to forward ForwardedEvents subscriptions? I tried Syslog-ng Windows Agent, Splunk, Snare, Snare Epilog, EvtSys.

BUT, I tried SolarWinds Log Forwarder for Windows. This is the one which works. But I have a problem with it too. All Forwarded Events appear under one host/IP in syslog-ng.

Any IDEA? Or other applications which work? Or any solution which works with Windows Server 2008 Event Subscription? (But I do not want to migrate again.)

PS: the syslog-ng support team can't reproduce this mistake that I have.

Regards
Szilard Szabo

2011/1/23 Zoltán Pallagi <pzolee@balabit.hu>:
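A small check over the agent's syslog output for the two symptoms raised in this thread (forwarded events arriving with an empty message body, and every forwarded event being attributed to a single host), written as an added example and not code from the thread, from BalaBit or from any of the tools named here. The field layout is inferred from the three sample lines posted above; the group names are my own labels, and the sample input mixes those three lines with constructed ones.

```python
import re
from collections import Counter

# Field layout inferred from the sample lines posted in this thread:
#   <timestamp> <host> <user>: <channel> <source>: [<message body>] (EventID <n>)
# The group names are my own labels, not syslog-ng agent terminology.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>.+?): "
    r"(?P<channel>\S+) (?P<source>\S+): "
    r"\[(?P<body>.*)\] \(EventID (?P<event_id>\d+)\)$"
)


def parse_line(line):
    """Split one agent-formatted syslog line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    return fields


def audit(lines, channel="ForwardedEvents"):
    """Summarise how healthy the forwarded-event feed looks.

    parsed / unparsed  - lines that did or did not match the layout
    forwarded          - events whose channel is `channel`
    empty_body         - forwarded events whose [] body is empty (symptom 1)
    empty_by_host      - which source hosts and EventIDs are affected
    distinct_hosts     - hosts seen in the forwarded channel
    source_masked      - many forwarded events but only one host (symptom 2)
    """
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line.strip())
        else:
            events.append(ev)
    fwd = [e for e in events if e["channel"] == channel]
    empty = [e for e in fwd if not e["body"].strip()]
    hosts = {e["host"] for e in fwd}
    per_host = Counter((e["host"], e["event_id"]) for e in empty)
    return {
        "parsed": len(events),
        "unparsed": unparsed,
        "forwarded": len(fwd),
        "empty_body": len(empty),
        "empty_by_host": {
            f"{host}/EventID {eid}": n for (host, eid), n in sorted(per_host.items())
        },
        "distinct_hosts": len(hosts),
        "source_masked": len(fwd) > 1 and len(hosts) == 1,
    }


# Constructed sample: the three lines quoted in the thread, plus three lines I
# made up (one forwarded event with a body, one local event, one truncated line).
SAMPLE = r"""
Jan 20 16:06:34 COMPUTER1 NT: AUTHORITY\ANONYMOUS LOGON: ForwardedEvents Security: [] (EventID 538)
Jan 20 16:06:34 COMPUTER2 NT: AUTHORITY\ANONYMOUS LOGON: ForwardedEvents Security: [] (EventID 538)
Jan 20 16:06:34 COMPUTER3 NT: AUTHORITY\ANONYMOUS LOGON: ForwardedEvents Security: [] (EventID 538)
Jan 20 16:06:35 COMPUTER1 NT AUTHORITY\SYSTEM: ForwardedEvents Security: [User Logoff: User Name: jdoe] (EventID 538)
Jan 20 16:06:36 COLLECTOR NT AUTHORITY\SYSTEM: Application MsiInstaller: [Product installed] (EventID 1033)
Jan 20 16:06:37 COMPUTER2 NT: AUTHORITY\ANONYMOUS LOGON: ForwardedEvents Security
""".strip().splitlines()


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE), indent=2))
```

Run it against a file of lines received by the syslog-ng server; a non-zero `empty_body` on the forwarded channel while local events carry bodies points at the forwarding path rather than at the collector's own logging.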
He has events on a Windows 2008 forwarded by another Windows 2008 and wants to forward these events to a syslog-ng by syslog-ng agent, but the received messages do not contain the full message. Now we are trying to find the reason for this problem.

However, if you are interested in syslog-ng agent, you can find useful information on my blog (pzolee.blogs.balabit.com). For example: http://pzolee.blogs.balabit.com/en/2010/10/collecting-and-forwarding-logs-fr...

On 2011-01-20 17:37, Fabien Bagard wrote:
-- pzolee
I recommend eventlog-to-syslog (http://code.google.com/p/eventlog-to-syslog/) which has great speed and works fine on server 2008.

2011/1/20 Zoltán Pallagi <pzolee@balabit.hu>:
Participants (5): Clayton Dukes, Fabien Bagard, Martin Holste, Szilárd Szabó, Zoltán Pallagi