Windows event logs vs syslog format
I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog server and it is working well except for one thing - the Windows event logs that are being sent with the Datagram Syslog Agent contain a space that causes issues. Initially, all of these were going into /var/log/messages until I added the keep_hostname(yes) argument.
After doing that, it now puts the Windows logs into the appropriate folder under /var/log/hosts/ but it still puts a copy into the /var/log/messages file. I would like to have that log only contain log messages from Opensuse.
Is there a configuration setting I am missing, or is this caused by the fact that the syslog agent does not correct the eventlog message so that it adheres to the standard syslog message format? If the latter, does anyone know of an open source/free agent that does this?
An example of one of the problematic messages is:
Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM Special privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured) Logon ID:(0x0,0x11331C8)
Thanks,
Jerry Riedel
Eventlog-to-Syslog is excellent. I have a db-parser pattern for it that works pretty well, at least for grabbing the event ID and user name along with the program and host. It's free and works on all versions of Windows: http://code.google.com/p/eventlog-to-syslog/ . I like it better than Snare because it's much lighter weight.
--Martin
On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel@codylabs.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
Unfortunately, that program made matters worse - nearly all logs from that host are now going into the /var/log/messages file, getting intermixed with the opensuse messages. Another odd thing that does not appear to be related: syslog-ng created additional folders for my two Windows servers in the /HOSTS folder, this time with the name in all_lower_case, and is now putting some of the server log files into one and some into the other!
It would be nice if there was a configuration switch to tell syslog-ng that the host in question was a Windows host and deal with the format accordingly. While I realize that the Windows event log format does not match the syslog standard, the free version of EventLogAnalyzer and Kiwi syslog server handle Windows format event logs from Datagram Syslog Agent with no problem.
Jerry
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 06, 2010 3:56 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
Can you post your config?
On Tue, Oct 12, 2010 at 5:21 PM, Jerry Riedel <riedel@codylabs.com> wrote:
Hi all,
Thanks to everyone for your support. I have found the solution and I will explain it.
As Arik said, the syslog agent on Windows inserts an ASCII 127 (hex 7f) code to convert return. So I have changed the Regedit key HKLM\SOFTWARE\DATAGRAM\SYSLOGAGENT\ key CarrigeReturnReplacementCharInASCII from 7f to 0.
Also I have changed the key LineFeedReplacementCharInASCII from 0 to 10 (hex a), that is line feed. It is more readable, as from the eventviewer GUI.
Thanks very much for your help
Alessandro Fiorenzi
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, 13 October 2010 00:53
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
Here is my config:

#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
# configuration template aren't used any more.
#
# Feel free to edit this file directly.
#
# Additional log sockets for chroot environments can
# be declared in the /etc/sysconfig/syslog file using
# SYSLOGD_ADDITIONAL_SOCKET<NAME>
# variables. This way allows to define a socket from
# RPM scripts and is used by several services, e.g.
# bind and dhcpd.
#
# The sockets defined in /etc/sysconfig/syslog file
# are added by the /etc/init.d/syslog init-script using
# "-a path" command line options while syslog-ng is
# started.
#
# This syslog-ng contains an extension and appends the
# sockets added by "-a" option to the same source group
# and using the same socket type (unix-dgram) as the
# "/dev/log" socket.
# If one of the sockets added by "-a" option already
# exists in any (other) source group in the config file,
# then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); keep_hostname(yes); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();
    #
    # the default log socket for local logging:
    #
    unix-dgram("/dev/log");
    #
    # uncomment to process log messages from network:
    #
    udp(ip("0.0.0.0") port(514));
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit) and facility(news); };
filter f_newserr    { level(err) and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info) and facility(mail); };
filter f_mailwarn   { level(warn) and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3, local4, local5, local6, local7); };

#
# acpid messages
#
filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };

# this is for the old acpid < 1.0.6
filter f_acpid_old  { match('^\[acpid\]:'); };

filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Enable this and adapt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { pipe("/dev/tty10"    owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit" owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err" owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice" owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
destination null { };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };
#
# if you want more verbose acpid logging, comment the destination(null)
# line and uncomment the destination(acpid) line
#
log { source(src); filter(f_acpid_full); destination(null); flags(final); };
# log { source(src); filter(f_acpid_full); destination(acpid); flags(final); };
#
# old acpid < 1.0.6
log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

# this is for separating out network hosts into individual log files.
destination std {
    file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
log { source(src); destination(std); };

Jerry
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Tuesday, October 12, 2010 4:53 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
It looks to me like logs from other hosts should be logged both to /var/log/messages as well as the individual $HOST folder. If you only want them to go to the $HOSTS folders, then you should put that entry first and put flags(final) on the log {} statement. Check the docs for details on doing that.
I agree with Matthew--I always use $SOURCEIP as my log host macro because it can be trusted to be well-formed. I spoof forwarded packets to preserve that macro if I'm chaining log hosts.
On Wed, Oct 13, 2010 at 11:31 AM, Jerry Riedel <riedel@codylabs.com> wrote:
Jerry
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Tuesday, October 12, 2010 4:53 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
Can you post your config?
On Tue, Oct 12, 2010 at 5:21 PM, Jerry Riedel <riedel@codylabs.com> wrote:
Unfortunately, that program made matters worse - nearly all logs from that host are now going into the /var/log/messages file, getting intermixed with the opensuse messages. Another odd thing that does not appear to be related; syslog-ng created additional folders for my two Windows servers in the /HOSTS folder, this time with the name in all_lower_case and is now putting some of the server log files into one and some into the other!
It would be nice if there was a configuration switch to tell syslog-ng that the host in question was a Windows host and deal with the format accordingly. While I realize that the Windows event log format does not match the syslog standard, the free version of EventLogAnalyzer and Kiwi syslog server handle Windows format event logs from Datagram Syslog Agent with no problem.
Jerry
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 06, 2010 3:56 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
Eventlog-to-Syslog is excellent. I have a db-parser pattern for it that works pretty well, at least for grabbing the event ID and user name along with the program and host. It's free and works on all versions of Windows: http://code.google.com/p/eventlog-to-syslog/ . I like it better than Snare because it's much lighter weight.
--Martin
On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel@codylabs.com> wrote:
I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog server and it is working well except for one thing - the Windows event logs that are being sent with the Datagram Syslog Agent contain a space that causes issues. Initially, all of these were going into /var/log/messages until I added the keep_hostname(yes) argument.
After doing that, it now puts the Windows logs into the appropriate folder under /var/log/hosts/ but it still puts a copy into the /var/log/messages file. I would like to have that log only contain log messages from Opensuse.
Is there a configuration setting I am missing, or is this caused by the fact that the syslog agent does not correct the eventlog message so that it adheres to the standard syslog message format? If the latter, does anyone know of an open source/free agent that does this?
An example of one of the problematic messages is:
Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM Special privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured) Logon ID:(0x0,0x11331C8)
Thanks,
Jerry Riedel
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Ok, the $SOURCEIP macro solved that problem, but even though I moved that section to the top of the list, the remote host messages are still being duplicated in the /var/log/messages file.

I've attached the revised conf - what am I missing or doing wrong?

Jerry

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 13, 2010 11:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

It looks to me like logs from other hosts should be logged both to /var/log/messages as well as the individual $HOST folder. If you only want them to go to the $HOSTS folders, then you should put that entry first and put flags(final) on the log {} statement. Check the docs for details on doing that.

I agree with Matthew--I always use $SOURCEIP as my log host macro because it can be trusted to be well-formed. I spoof forwarded packets to preserve that macro if I'm chaining log hosts.

On Wed, Oct 13, 2010 at 11:31 AM, Jerry Riedel <riedel@codylabs.com> wrote:
Here is my config:
#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
# configuration template aren't used any more.
#
# Feel free to edit this file directly.
#
# Additional log sockets for chroot environments can
# be declared in the /etc/sysconfig/syslog file using
# SYSLOGD_ADDITIONAL_SOCKET<NAME>
# variables. This way allows to define a socket from
# RPM scripts and is used by several services, e.g.
# bind and dhcpd.
#
# The sockets defined in /etc/sysconfig/syslog file
# are added by the /etc/init.d/syslog init-script using
# "-a path" command line options while syslog-ng is
# started.
#
# This syslog-ng contains an extension and appends the
# sockets added by "-a" option to the same source group
# and using the same socket type (unix-dgram) as the
# "/dev/log" socket.
# If one of the sockets added by "-a" option already
# exists in any (other) source group in the config file,
# then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); keep_hostname(yes); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();

    #
    # the default log socket for local logging:
    #
    unix-dgram("/dev/log");

    #
    # uncomment to process log messages from network:
    #
    udp(ip("0.0.0.0") port(514));
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

#
# Filter definitions
#
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

filter f_console { level(warn) and facility(kern) and not filter(f_iptables) or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };

filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };

filter f_cron { facility(cron); };

filter f_local { facility(local0, local1, local2, local3, local4, local5, local6, local7); };

#
# acpid messages
#
filter f_acpid_full { match('^acpid:'); };
filter f_acpid { level(emerg..notice) and match('^acpid:'); };

# this is for the old acpid < 1.0.6
filter f_acpid_old { match('^\[acpid\]:'); };

filter f_netmgm { match('^NetworkManager:'); };

filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };

#
# Enable this and adapt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console { pipe("/dev/tty10" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit { file("/var/log/news/news.crit" owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err" owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice" owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
destination null { };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };
#
# if you want more verbose acpid logging, comment the destination(null)
# line and uncomment the destination(acpid) line
#
log { source(src); filter(f_acpid_full); destination(null); flags(final); };
# log { source(src); filter(f_acpid_full); destination(acpid); flags(final); };
#
# old acpid < 1.0.6
log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

# this is for separating out network hosts into individual log files.
destination std {
    file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
log { source(src); destination(std); };
Jerry
It's the log {} statement that matters for order, and you need a flags(final) in the statement.

On Wednesday, October 13, 2010, Jerry Riedel <riedel@codylabs.com> wrote:
Ok, the $SOURCEIP macro solved that problem, but even though I moved that section to the top of the list, the remote host messages are still being duplicated in the /var/log/messages file.
I've attached the revised conf - what am I missing or doing wrong?
Ok, thanks. That did the trick.

Jerry

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 13, 2010 4:20 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

It's the log {} statement that matters for order, and you need a flags(final) in the statement.

On Wednesday, October 13, 2010, Jerry Riedel <riedel@codylabs.com> wrote:
Ok, the $SOURCEIP macro solved that problem, but even though I moved that section to the top of the list, the remote host messages are still being duplicated in the /var/log/messages file.
I've attached the revised conf - what am I missing or doing wrong?
On Tue, Oct 12, 2010 at 04:21:48PM -0600, Jerry Riedel wrote:
Another odd thing that does not appear to be related; syslog-ng created additional folders for my two Windows servers in the /HOSTS folder, this time with the name in all_lower_case and is now putting some of the server log files into one and some into the other!
Probably happening because the host name is showing up in different capitalizations in the messages, and UNIX has case-sensitive file names, so these capitalization differences appear to be different strings when UNIX opens up the files to write out the logs. Try logging to dirs based on the host IP instead of the host name.
It would be nice if there was a configuration switch to tell syslog-ng that the host in question was a Windows host and deal with the format accordingly.
If only it were so simple! But Windows does not even support Syslog without proprietary plugins, and nobody agrees which one to use, so there are several and every one of them sends a different format of message.
While I realize that the Windows event log format does not match the syslog standard, the free version of EventLogAnalyzer and Kiwi syslog server handle Windows format event logs from Datagram Syslog Agent with no problem.
Sure they do, for one Syslog agent. But there are many of them and none of them agree. Thank Microsoft for their ingenious decision to release a logging system which supports zero standard and interoperable logging protocols out of the box, thus leading to a proliferation of competing and incompatible solutions to the same exact problem, hand hacked and manually installed, over and over and over again. I understand your frustrations 100% as I'm up against the same issues over here, but let's put credit and discredit where it's due and not just blame Balabit and the syslog servers by default.
Jerry
Cheers, Matthew.
On Tue, Oct 12, 2010 at 04:21:48PM -0600, Jerry Riedel wrote:
Another odd thing that does not appear to be related; syslog-ng created additional folders for my two Windows servers in the /HOSTS folder, this time with the name in all_lower_case and is now putting some of the server log files into one and some into the other!
Probably happening because the host name is showing up in different capitalizations in the messages, and UNIX has case-sensitive file names, so these capitalization differences appear to be different strings when UNIX opens up the files to write out the logs. Try logging to dirs based on the host IP instead of the host name.

--Sounds good... how do I configure that?
It would be nice if there was a configuration switch to tell syslog-ng that the host in question was a Windows host and deal with the format accordingly.
If only it were so simple! But Windows does not even support Syslog without proprietary plugins, and nobody agrees which one to use, so there are several and every one of them sends a different format of message. --I know. I am going to continue to use EventLogAnalyzer and Datagram Syslog Agent on a --Windows server, but I need to run a second log server.
While I realize that the Windows event log format does not match the syslog standard, the free version of EventLogAnalyzer and Kiwi syslog server handle Windows format event logs from Datagram Syslog Agent with no problem.
Sure they do, for one Syslog agent. But there are many of them and none of them agree. Thank Microsoft for their ingenious decision to release a logging system which supports zero standard and interoperable logging protocols out of the box, thus leading to a proliferation of competing and incompatible solutions to the same exact problem, hand hacked and manually installed, over and over and over again. I understand your frustrations 100% as I'm up against the same issues over here, but let's put credit and discredit where it's due and not just blame Balabit and the syslog servers by default. --I wasn't blaming anyone. If anyone is to blame, as you point out, it would be Microsoft. --Jerry
Jerry
Cheers, Matthew.
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 06, 2010 3:56 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
There is a way to change the template used to create the file names for remote logging.
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guid...

Change the template argument to use something like the SOURCEIP macro instead of the various HOST macros.
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guid...

Matthew.

On Wed, Oct 13, 2010 at 10:44:04AM -0600, Jerry Riedel wrote:
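Putting Matthew's two suggestions together, as an added syslog-ng 3.x configuration sketch that is not from the thread or from Balabit's documentation: remote agents get their own source and log path so nothing from them reaches /var/log/messages, and the per-host directory is keyed on $SOURCEIP so a server that announces itself as both CLI-FS-1 and cli-fs-1 still lands in one directory. The listen port, file paths and file permissions are assumptions.

```conf
# Added example (not from the thread). Assumes syslog-ng 3.x OSE; the
# listen port, paths and permissions are placeholders to adapt.
options {
    keep_hostname(yes);   # as Jerry already set: trust the hostname in the message
    create_dirs(yes);     # let file() destinations create the per-host directories
    use_dns(no);          # no reverse lookups; the directory name comes from $SOURCEIP
};

# Local openSUSE messages only.
source s_local {
    internal();
    unix-dgram("/dev/log");
};

# Windows agents (Datagram Syslog Agent, Eventlog-to-Syslog, ...) send here.
# Keeping this listener out of the source that feeds /var/log/messages is
# what stops the remote copy from being written there.
source s_remote {
    udp(ip("0.0.0.0") port(514));   # port is an assumption
};

# $SOURCEIP is taken from the packet, not from the message text, so a
# mixed-case hostname in the payload cannot split one server across two
# directories the way $HOST did with case-sensitive UNIX file names.
destination d_hosts {
    file("/var/log/hosts/$SOURCEIP/$YEAR-$MONTH-$DAY.log"
         owner("root") group("root") perm(0640) dir_perm(0750));
};

destination d_messages {
    file("/var/log/messages");
};

# Each log statement is bound to exactly one source, so remote traffic
# only ever reaches d_hosts; flags(final) keeps a later catch-all path
# (for example the distribution's default one) from picking it up too.
log { source(s_remote); destination(d_hosts);    flags(final); };
log { source(s_local);  destination(d_messages); };
```

If the distribution's default configuration already has a catch-all source named `src`, the udp() listener must not be added to it; keep it in `s_remote` as above, otherwise the default log path for `src` will still copy the Windows events into /var/log/messages.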
participants (4)
- Fiorenzi Alessandro
- Jerry Riedel
- Martin Holste
- Matthew Hall