[syslog-ng] Windows event logs vs syslog format

Martin Holste mcholste at gmail.com
Wed Oct 13 00:52:56 CEST 2010


Can you post your config?

On Tue, Oct 12, 2010 at 5:21 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> Unfortunately, that program made matters worse - nearly all logs from that
> host are now going into the /var/log/messages file, getting intermixed with
> the opensuse messages. Another odd thing that does not appear to be related;
> syslog-ng created additional folders for my two Windows servers in the
> /HOSTS folder, this time with the name in all_lower_case and is now putting
> some of the server log files into one and some into the other!
>
> It would be nice if there was a configuration switch to tell syslog-ng that
> the host in question was a Windows host and deal with the format
> accordingly. While I realize that the Windows event log format does not
> match the syslog standard, the free version of EventLogAnalyzer and Kiwi
> syslog server handle Windows format event logs from Datagram Syslog Agent
> with no problem.
>
> Jerry
>
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> Sent: Wednesday, October 06, 2010 3:56 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>
> Eventlog-to-Syslog is excellent.  I have a db-parser pattern for it that
> works pretty well, at least for grabbing the event ID and user name along
> with the program and host.  It's free and works on all versions of Windows:
> http://code.google.com/p/eventlog-to-syslog/ .  I like it better than Snare
> because it's much lighter weight.
>
> --Martin
>
> On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>> I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog
>> server and it is working well except for one thing - the Windows event
>> logs that are being sent with the Datagram Syslog Agent contain a
>> space that causes issues. Initially, all of these were going into
>> /var/log/messages until I added the keep_hostname(yes) argument.
>>
>> After doing that, it now puts the Windows logs into the appropriate
>> folder under /var/log/hosts/ but it still puts a copy into the
>> /var/log/messages file. I would like to have that log only contain log
>> messages from Opensuse.
>>
>> Is there a configuration setting I am missing, or is this caused by
>> the fact that the syslog agent does not correct the eventlog message
>> so that it adheres to the standard syslog message format? If the
>> latter, does anyone know of an open source/free agent that does this?
>>
>> An example of one of the problematic messages is:
>>
>> Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM
>> Special privileges assigned to new logon: User Name:CLI-FS-1$
>> Domain:(obscured) Logon ID:(0x0,0x11331C8)
>>
>> Thanks,
>>
>> Jerry Riedel
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>>
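The message Jerry quoted is a concrete instance of the format mismatch the thread is about, so here is an added example (not code from the thread, from syslog-ng or from Datagram Syslog Agent) in Python: a strict RFC 3164 header parse that rejects the line, beside a parser for the agent's own layout that recovers the event ID, account and Key:Value fields and doubles as a routing check. The DOMAIN\name rule for the account field, the sample line and the sshd line are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the line quoted in the thread (Datagram Syslog Agent output).
SAMPLE = ("Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\\SYSTEM "
          "Special privileges assigned to new logon: User Name:CLI-FS-1$ "
          "Domain:(obscured) Logon ID:(0x0,0x11331C8)")

HEADER = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "

# Textbook BSD syslog (RFC 3164) line: TIMESTAMP HOST TAG[PID]: MSG. The TAG
# must end in ':' (optionally after [PID]); the agent emits "security[success] 576"
# with no colon, so a strict parser rejects the whole line. syslog-ng's own
# heuristics are more lenient, which is why the fields land in odd places instead.
RFC3164 = re.compile(HEADER + r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>[^\]]*)\])?:\s*(?P<msg>.*)$")

# Agent layout as seen in the thread: LOGNAME[OUTCOME] EVENTID USER MSG.
# USER is taken as DOMAIN\name where DOMAIN is one or two words ("NT AUTHORITY");
# that rule is an assumption made here to resolve the space ambiguity.
WINDOWS = re.compile(
    HEADER + r"(?P<log>[A-Za-z]+)\[(?P<outcome>[a-z]+)\] (?P<event_id>\d+) "
    r"(?P<user>[^\\\s]+(?: [^\\\s]+)?\\\S+|\S+) (?P<msg>.*)$")

# "User Name:CLI-FS-1$ Domain:(obscured)" style pairs; keys are capitalised words.
KV = re.compile(r"\b([A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*):(\S+)")


def parse_rfc3164(line: str) -> Optional[Dict[str, str]]:
    m = RFC3164.match(line)
    return m.groupdict() if m else None


def parse_windows_event(line: str) -> Optional[dict]:
    """Split an agent-formatted line into header fields plus the event's Key:Value pairs."""
    m = WINDOWS.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    pairs = list(KV.finditer(ev["msg"]))
    cut = pairs[0].start() if pairs else len(ev["msg"])
    ev["description"] = ev["msg"][:cut].rstrip(" :")   # free text before the first pair
    ev["fields"] = dict(p.groups() for p in pairs)
    return ev


def is_windows_event(line: str) -> bool:
    """Routing check: True for agent-formatted lines, so they can be kept out of the OS log."""
    return WINDOWS.match(line) is not None
```

On the sample line the strict parser returns None while the agent parser yields event 576 for NT AUTHORITY\SYSTEM with the Logon ID field intact; a plain OpenSUSE sshd line goes the other way, which is the split Jerry wants between /var/log/hosts/ and /var/log/messages.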

