[syslog-ng] Windows event logs vs syslog format

Jerry Riedel riedel at codylabs.com
Wed Oct 6 23:35:40 CEST 2010


I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog server
and it is working well except for one thing - the Windows event logs that
are being sent with the Datagram Syslog Agent contain a space that causes
issues. Initially, all of these were going into /var/log/messages until I
added the keep_hostname(yes) argument. 
 
After doing that, it now puts the Windows logs into the appropriate folder
under /var/log/hosts/ but it still puts a copy into the /var/log/messages
file. I would like to have that log only contain log messages from Opensuse.
 
Is there a configuration setting I am missing, or is this caused by the fact
that the syslog agent does not correct the eventlog message so that it
adheres to the standard syslog message format? If the latter, does anyone
know of an open source/free agent that does this?
 
An example of one of the problematic messages is:
 
Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM Special
privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured)
Logon ID:(0x0,0x11331C8)
 
Thanks,
 
Jerry Riedel
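An added example, not part of the original post or of any openSUSE or syslog-ng default: a syslog-ng 3.x configuration that keeps remote (Windows agent) messages out of /var/log/messages by giving the network listener its own source and its own log path. It assumes the Datagram Syslog Agent sends over UDP port 514, that the Windows hosts sit in 192.168.10.0/24 (a hypothetical range used only for the optional filter), and that nothing else in the stock configuration routes source s_net to d_messages.

```conf
# Added example (not from the original post): route remote event-log
# traffic to per-host files only, leaving /var/log/messages for the local box.

options {
    keep_hostname(yes);   # keep the HOST field the agent put in the message
    create_dirs(yes);     # let syslog-ng create /var/log/hosts/<host>/ on demand
    use_dns(no);          # no reverse lookups on the collector
};

# Local messages only: nothing from the network is in this source.
source s_local {
    internal();
    unix-dgram("/dev/log");
};

# Network listener (Windows agents and any other remote senders).
source s_net {
    udp(ip(0.0.0.0) port(514));
};

destination d_messages { file("/var/log/messages"); };

# One file per sending host and day, named from the HOST field.
destination d_hosts {
    file("/var/log/hosts/$HOST/$YEAR-$MONTH-$DAY.log");
};

# Optional: pick out the Windows subnet (hypothetical range) if it should
# ever get a different destination than other remote senders.
filter f_windows { netmask("192.168.10.0/24"); };

# Remote traffic goes to the per-host files; flags(final) stops the message
# here so no later catch-all log path can copy it into /var/log/messages.
log { source(s_net); filter(f_windows); destination(d_hosts); flags(final); };
log { source(s_net); destination(d_hosts); flags(final); };

# Only the local source feeds /var/log/messages.
log { source(s_local); destination(d_messages); };
```

The duplicate copy in /var/log/messages normally comes from a catch-all log path whose source includes the UDP listener; splitting the listener into its own source removes that, and flags(final) guards against another path picking the message up later. A malformed program/PID field such as "security[success] 576" does not change which file the message lands in, because the routing above keys only on the source and the sender's address, not on the parsed PROGRAM field.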