[syslog-ng] Windows event logs vs syslog format

Jerry Riedel riedel at codylabs.com
Wed Oct 13 00:21:48 CEST 2010


Unfortunately, that program made matters worse - nearly all logs from that
host are now going into the /var/log/messages file, getting intermixed with
the openSUSE messages. Another odd thing that does not appear to be related:
syslog-ng created additional folders for my two Windows servers in the
/HOSTS folder, this time with the name in all_lower_case, and is now putting
some of the server log files into one and some into the other!

It would be nice if there was a configuration switch to tell syslog-ng that
the host in question was a Windows host and deal with the format
accordingly. While I realize that the Windows event log format does not
match the syslog standard, the free version of EventLogAnalyzer and Kiwi
syslog server handle Windows format event logs from Datagram Syslog Agent
with no problem.

Jerry
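An added example, not from Jerry's or Martin's mails and not a configuration shipped by the syslog-ng project or by Datagram Syslog Agent: a syslog-ng 3.x configuration that files messages from the Windows hosts under /var/log/hosts/<host>/ and uses flags(final) on that log path so the same messages never reach /var/log/messages. The host name cli-fs-1 comes from the sample message in the thread; cli-fs-2, the UDP port and the file paths are assumptions for illustration.

```conf
# Added example (not from the thread). Assumed host names, port and paths.
@version: 3.0

options {
    keep_hostname(yes);   # trust the HOST field the Windows agent puts in the message
    create_dirs(yes);     # let file() create /var/log/hosts/<host>/ on first write
};

# Local openSUSE messages
source s_local {
    internal();
    unix-dgram("/dev/log");
};

# Datagram Syslog Agent sends plain UDP syslog
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# host() is a regular-expression match, so anchor it; ignore-case makes
# "cli-fs-1" and "CLI-FS-1" select the same path (cli-fs-2 is an assumed second host)
filter f_windows {
    host("^cli-fs-[12]$" flags(ignore-case));
};

destination d_windows {
    file("/var/log/hosts/$HOST/windows.log");   # $HOST is the name the agent sent
};

destination d_messages {
    file("/var/log/messages");
};

# Windows event-log traffic: one file per host, then stop.
# flags(final) prevents the catch-all path below from also matching these messages.
log {
    source(s_net);
    filter(f_windows);
    destination(d_windows);
    flags(final);
};

# Everything else: local messages plus any other network senders
log {
    source(s_local);
    source(s_net);
    destination(d_messages);
};
```

Log paths are evaluated in the order they appear, so the Windows path with flags(final) has to come before the catch-all; swapping them puts the copies back into /var/log/messages. With keep_hostname(yes) the directory name under /var/log/hosts/ is exactly what the agent sent, including its case, which is one thing to check when the same server shows up under two differently cased folders. `syslog-ng -s` checks the syntax of the file before it is loaded.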

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 06, 2010 3:56 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

Eventlog-to-Syslog is excellent.  I have a db-parser pattern for it that
works pretty well, at least for grabbing the event ID and user name along
with the program and host.  It's free and works on all versions of Windows:
http://code.google.com/p/eventlog-to-syslog/ .  I like it better than Snare
because it's much lighter weight.

--Martin

On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog 
> server and it is working well except for one thing - the Windows event 
> logs that are being sent with the Datagram Syslog Agent contain a 
> space that causes issues. Initially, all of these were going into 
> /var/log/messages until I added the keep_hostname(yes) argument.
>
> After doing that, it now puts the Windows logs into the appropriate 
> folder under /var/log/hosts/ but it still puts a copy into the 
> /var/log/messages file. I would like to have that log only contain log
> messages from Opensuse.
>
> Is there a configuration setting I am missing, or is this caused by 
> the fact that the syslog agent does not correct the eventlog message 
> so that it adheres to the standard syslog message format? If the 
> latter, does anyone know of an open source/free agent that does this?
>
> An example of one of the problematic messages is:
>
> Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM 
> Special privileges assigned to new logon: User Name:CLI-FS-1$ 
> Domain:(obscured) Logon ID:(0x0,0x11331C8)
>
> Thanks,
>
> Jerry Riedel
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
>