[syslog-ng] Windows event logs vs syslog format

Martin Holste mcholste at gmail.com
Wed Oct 6 23:56:17 CEST 2010


Eventlog-to-Syslog is excellent.  I have a db-parser pattern for it
that works pretty well, at least for grabbing the event ID and user
name along with the program and host.  It's free and works on all
versions of Windows: http://code.google.com/p/eventlog-to-syslog/ .  I
like it better than Snare because it's much lighter weight.

--Martin

On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog server
> and it is working well except for one thing - the Windows event logs that
> are being sent with the Datagram Syslog Agent contain a space that causes
> issues. Initially, all of these were going into /var/log/messages until I
> added the keep_hostname(yes) argument.
>
> After doing that, it now puts the Windows logs into the appropriate folder
> under /var/log/hosts/ but it still puts a copy into the /var/log/messages
> file. I would like to have that log only contain log messages from Opensuse.
>
> Is there a configuration setting I am missing, or is this caused by the fact
> that the syslog agent does not correct the eventlog message so that it
> adheres to the standard syslog message format? If the latter, does anyone
> know of an open source/free agent that does this?
>
> An example of one of the problematic messages is:
>
> Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM Special
> privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured)
> Logon ID:(0x0,0x11331C8)
>
> Thanks,
>
> Jerry Riedel
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
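The line Jerry quotes is the whole problem in miniature: a standard BSD-syslog line carries `PROGRAM[PID]:` before the message, while the Windows agent emits `security[success] 576 NT AUTHORITY\SYSTEM ...` with a word instead of a PID, no colon, and a user name containing a space. The added example below is not code from syslog-ng, Eventlog-to-Syslog or the Datagram Syslog Agent; it parses both shapes, pulls out the event ID, result tag and user name the way Martin describes his db-parser pattern doing, and makes the local-versus-remote routing decision Jerry is after. The Windows line is the one quoted in the thread; the Linux line, the `/var/log/hosts/<host>/<program>.log` layout and the `opensuse` hostname are constructed assumptions.

```python
"""Parse BSD-syslog lines from a Windows event-log agent and from local
daemons, then decide which log file each line belongs in.

Added illustration for the mailing-list thread; not code from syslog-ng
or any of the agents mentioned there."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Standard BSD-syslog shape: "TIMESTAMP HOST PROGRAM[PID]: MESSAGE"
STANDARD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Windows agent shape as quoted in the thread:
# "TIMESTAMP HOST LOG[RESULT] EVENTID DOMAIN\USER MESSAGE" (no colon, and the
# user name may contain a space, e.g. "NT AUTHORITY\SYSTEM")
WINDOWS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<log>[a-z]+)\[(?P<result>[a-z]+)\] "
    r"(?P<event_id>\d+) "
    r"(?P<user>[^\\]+\\\S+) "
    r"(?P<msg>.*)$"
)

# "Key Name:value" pairs that the Windows message body carries
FIELD_RE = re.compile(r"(User Name|Domain|Logon ID):(\S+)")


@dataclass
class Record:
    timestamp: str
    host: str
    program: str
    message: str
    kind: str                      # "windows" or "standard"
    pid: Optional[str] = None
    result: Optional[str] = None   # "success" / "failure" tag from the Windows line
    event_id: Optional[int] = None
    user: Optional[str] = None
    fields: dict = field(default_factory=dict)


def parse(line: str) -> Optional[Record]:
    """Try the Windows shape first; the standard pattern can never match it
    because the Windows line has no ':' after the bracketed tag."""
    m = WINDOWS_RE.match(line)
    if m:
        fields = {k: v for k, v in FIELD_RE.findall(m["msg"])}
        return Record(m["ts"], m["host"], m["log"], m["msg"], "windows",
                      result=m["result"], event_id=int(m["event_id"]),
                      user=m["user"], fields=fields)
    m = STANDARD_RE.match(line)
    if m:
        return Record(m["ts"], m["host"], m["program"], m["msg"], "standard",
                      pid=m["pid"])
    return None


def destination(rec: Record, local_host: str) -> str:
    """The split the original poster wanted: the server's own messages stay
    in /var/log/messages, anything received from another host goes under
    /var/log/hosts/.  The per-program file name is an assumed layout."""
    if rec.host == local_host:
        return "/var/log/messages"
    return f"/var/log/hosts/{rec.host}/{rec.program}.log"


# The Windows line is the one quoted in the thread; the Linux line is constructed.
WINDOWS_LINE = (
    "Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\\SYSTEM Special "
    "privileges assigned to new logon: User Name:CLI-FS-1$ Domain:(obscured) "
    "Logon ID:(0x0,0x11331C8)"
)
LINUX_LINE = ("Oct  6 11:02:10 opensuse sshd[1234]: "
              "Accepted publickey for jerry from 10.0.0.5 port 51234")

if __name__ == "__main__":
    for line in (WINDOWS_LINE, LINUX_LINE, "not a syslog line"):
        rec = parse(line)
        if rec is None:
            print("unparsed:", line)
            continue
        print(rec.kind, rec.host, rec.program, rec.event_id, rec.user,
              rec.fields, "->", destination(rec, "opensuse"))
```

Running the script prints one line per record; the Windows line yields event ID 576, result `success`, user `NT AUTHORITY\SYSTEM` and the three key/value fields, and routes to the per-host directory, while the constructed local sshd line stays in `/var/log/messages`. Keying the routing decision on the parsed host rather than on the program field is the point: the program field is exactly the part the Windows agent formats unconventionally.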

