What I am interested in is which software package you are using to allow NT machines to log to a syslog server. I have considered writing the app myself (since I cannot find a good free version), but was hoping there is such a thing as a "free lunch" ;)

Best regards,
Dan

-----Original Message-----
From: Michael Hargadon [mailto:MHargadon@ITDepartment.com]
Sent: Friday, August 03, 2001 1:34 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]Ok, I think I've got it now...

Good afternoon.

Some time ago I posted a question about matching regexes and filtering log messages using syslog-ng. After some investigation, I've determined the following:

1) My regexps are defined properly.
2) Messages are being matched and diverted to the appropriate location.
3) The matched messages are still showing up in /var/log/syslog anyway.

Since I'm attempting to monitor about fifty Windows NT computers, I need some way by which I can filter out the more useless messages (document x was printed, some sucker logged off, etc.).

My configuration is as follows:

options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); udp(); file("/proc/kmsg"); };

destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
destination syslog { file("/var/log/syslog" owner("root") group("adm") perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm") perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm") perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm") perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm") perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm") perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm") perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm") perm(0640)); };
# perm(0666) makes /var/log/filtered world-writable, unlike the 0640 logs above
destination null { file("/var/log/filtered" owner("root") group("root") perm(0666)); };
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm") perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm") perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm") perm(0640)); };
destination debug { file("/var/log/debug" owner("root") group("adm") perm(0640)); };
destination messages { file("/var/log/messages" owner("root") group("adm") perm(0640)); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty8"); };
destination xconsole { pipe("/dev/xconsole"); };
destination ppp { file("/var/log/ppp.log" owner("root") group("adm") perm(0640)); };

# Filters here
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn) and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
filter ppp { facility(local2); };

# Begin NT Event Log Filters Here
# Successful Logon
# one sample only please
filter f_nt0014 { match("POP3 connection accepted from"); };

# Log destinations now please
# Each log statement is evaluated independently; nothing here stops a message
# that matched f_nt0014 from also being tested against the statements below.
log { source(src); filter(f_nt0014); destination(null); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
# newscrit, newserr and newsnotice are referenced here but not defined above
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_cnews); destination(console_all); };
#log { source(src); filter(f_cother); destination(console_all); };
log { source(src); filter(f_cnews); destination(xconsole); };
log { source(src); filter(f_cother); destination(xconsole); };
log { source(src); filter(ppp); destination(ppp); };

Now, if I receive a message as follows:

Aug 3 12:55:40 Mail Application 236515 Fri Aug 03 12:53:55 2001 1073818460 MSExchange Pop3 Interface N/A N/A Information xxxxxxx POP3 connection accepted from xxx.xxx.xxx.xx

I'll see that message pop up in /var/log/filtered. I'll also see exactly the same message pop up in /var/log/syslog.

I know I've got to be overlooking something quite obvious here -- can anyone offer any assistance with this?

Regards,
Michael Hargadon

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
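The behaviour Michael describes follows from how syslog-ng walks its log statements: every log {} statement is tested on its own against each message, so a message that satisfies f_nt0014 is still tested against f_syslog and written to /var/log/syslog as well. syslog-ng's documented flags(final) on a log statement stops that walk for the messages the statement matches, but only for statements that come after it. The following Python model is an added example for this archive, written by the editor and not posted by anyone on the thread. It re-creates the two relevant statements from the config above and compares the posted ordering with three alternatives. The facility and level that the NT forwarder stamped on the message are not stated in the thread, so user/info is assumed, and the sample messages are constructed.

```python
"""Model of how syslog-ng routes one message through a list of log statements.

Every ``log { ... }`` statement is evaluated independently against each
message, so a message satisfying two statements reaches both destinations.
A statement carrying flags(final) ends the walk for the messages it matches,
and therefore only shields the statements that come after it.
"""
import re
from dataclasses import dataclass
from typing import Callable, List

Filter = Callable[["Message"], bool]


@dataclass(frozen=True)
class Message:
    facility: str
    level: str
    text: str


@dataclass(frozen=True)
class LogPath:
    """One ``log {}`` statement: every filter listed must hold (they are ANDed)."""
    filters: List[Filter]
    destination: str
    final: bool = False


def facility(*names: str) -> Filter:
    return lambda m: m.facility in names


def match(pattern: str) -> Filter:
    # syslog-ng match() is a regex applied to the message text
    rx = re.compile(pattern)
    return lambda m: rx.search(m.text) is not None


def negate(f: Filter) -> Filter:
    return lambda m: not f(m)


def route(message: Message, paths: List[LogPath]) -> List[str]:
    """Destinations the message is written to, in statement order."""
    reached = []
    for path in paths:
        if all(f(message) for f in path.filters):
            reached.append(path.destination)
            if path.final:
                break  # flags(final): later statements are not consulted
    return reached


# The two filters from the posted config that both accept the POP3 message.
F_NT0014 = match("POP3 connection accepted from")
F_SYSLOG = negate(facility("auth", "authpriv"))


def posted_config() -> List[LogPath]:
    # log { source(src); filter(f_nt0014); destination(null); };
    # log { source(src); filter(f_syslog); destination(syslog); };
    return [LogPath([F_NT0014], "/var/log/filtered"),
            LogPath([F_SYSLOG], "/var/log/syslog")]


def final_flag_config() -> List[LogPath]:
    # log { source(src); filter(f_nt0014); destination(null); flags(final); };
    # log { source(src); filter(f_syslog); destination(syslog); };
    return [LogPath([F_NT0014], "/var/log/filtered", final=True),
            LogPath([F_SYSLOG], "/var/log/syslog")]


def misordered_final_config() -> List[LogPath]:
    # Same flag, but the catch-all comes first: final arrives too late to help.
    return [LogPath([F_SYSLOG], "/var/log/syslog"),
            LogPath([F_NT0014], "/var/log/filtered", final=True)]


def exclusion_config() -> List[LogPath]:
    # Order-independent alternative: exclude the pattern in the catch-all filter.
    # filter f_syslog { not facility(auth, authpriv)
    #                   and not match("POP3 connection accepted from"); };
    return [LogPath([F_NT0014], "/var/log/filtered"),
            LogPath([F_SYSLOG, negate(F_NT0014)], "/var/log/syslog")]


# Constructed sample messages. The facility/level used by the NT forwarder is
# not stated in the thread; user/info is an assumption made here.
POP3_MSG = Message("user", "info",
                   "MSExchange Pop3 Interface N/A N/A Information xxxxxxx "
                   "POP3 connection accepted from 192.0.2.10")
CRON_MSG = Message("cron", "info", "(root) CMD (run-parts /etc/cron.hourly)")

if __name__ == "__main__":
    for name, cfg in [("posted", posted_config()), ("final", final_flag_config()),
                      ("misordered", misordered_final_config()),
                      ("exclusion", exclusion_config())]:
        print(f"{name:11s} POP3 -> {route(POP3_MSG, cfg)}  cron -> {route(CRON_MSG, cfg)}")
```

With the posted ordering the POP3 message reaches both files, which is exactly what Michael observed; adding flags(final) to the f_nt0014 statement, which is already first in his config, leaves it in /var/log/filtered only, while the same flag on a statement placed after the catch-all changes nothing for /var/log/syslog. Excluding the pattern inside f_syslog works regardless of statement order, at the cost of keeping the pattern in two places. Neither change affects messages that never matched f_nt0014, such as the cron line.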
On Mon, Aug 06, 2001 at 01:46:56PM -0400, Nijs, Daniel wrote:
> What I am interested in is which software package you are using to allow NT machines to log to a syslog server. I have considered writing the app myself (since I cannot find a good free version), but was hoping there is such a thing as a "free lunch" ;)
I know not of a free program to turn NT EventLog events into syslog events (sadly), but I was able to find EventReporter (thanks to someone mentioning it on this list). It's not free, but then you didn't have to write anything either. It's fairly nicely priced, and has more features than I would have cared to code (but still use nonetheless), like decoding some of those lovely "Error 53 occurred" popup dialog boxes (that have the same event) into English (or, I think, other languages) for me before sending it to my log server.

http://www.eventreporter.com

----------------------------------------------------------------------------
Bradley Arlt
Email: arlt@cpsc.ucalgary.ca
WWW: www.acs.ucalgary.ca/~bdarlt
-Eat well, sleep peacefully, drink lots, and ride like hell.