[syslog-ng] Pattern for Eventlog-to-Syslog

Martin Holste mcholste at gmail.com
Wed Jul 28 22:09:03 CEST 2010 

I've recently started using the great util Eventlog-to-Syslog
(http://code.google.com/p/eventlog-to-syslog/) and needed a parser.
This pattern should do the job.  A word of warning, I opted to go with
no program match because I didn't want to write a pattern per event
log source, so it's possible this would hit on other log sources.
However, in testing, the pattern seems to work well and I haven't
gotten any "false" matches.  I also gave up trying to parse out the
user name as the second param because it isn't always included and the
semicolon used as a delimiter regularly shows up naturally in
messages.  One could write per-event-id message parsers which grabbed
all kinds of fields, but this should get the ball rolling to at least
grab the event id.

<ruleset name="Windows" id='4'>
	<!-- no program pattern -->
	<rules>
		<rule provider="local" class='Windows' id='4'>
			<patterns>
				<pattern>@NUMBER:event_id:@: @ANYSTRING:msg:@</pattern>
			</patterns>
			<examples>
				<example>
					<test_message program="Service_Control_Manager">7035: NT
AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start
control.</test_message>
					<test_values>
						<test_value name="event_id">7035</test_value>
						<test_value name="msg">NT AUTHORITY\SYSTEM: The COH_Mon service
was successfully sent a start control.</test_value>
					</test_values>
				</example>
				<example>
					<test_message program="SceCli">1202: Security policies were
propagated with warning. 0x4b8 : An extended error has occurred. For
best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting
Event 1202's".</test_message>
					<test_value name="event_id">1202</test_value>
					<test_value name="msg">Security policies were propagated with
warning. 0x4b8 : An extended error has occurred. For best results in
resolving this event, log on with a non-administrative account and
search http://support.microsoft.com for "Troubleshooting Event
1202's".</test_value>
				</example>
			</examples>
			<tags>
				<tag>Windows</tag>
			</tags>
		</rule>
	</rules>
</ruleset>

More information about the syslog-ng mailing list