[syslog-ng] R: Windows event logs vs syslog format

Fiorenzi Alessandro alessandro.fiorenzi at infogroup.it
Wed Oct 13 08:36:37 CEST 2010


Hi all, thanks to everyone for your support.
I have found the solution and I will explain it.

As Arik said, SyslogAgent on Windows inserts an ASCII 127 (hex 7f) code in place of the carriage return. So I changed the registry key

HKLM\SOFTWARE\DATAGRAM\SYSLOGAGENT\
value CarriageReturnReplacementCharInASCII from 7f to 0.
I also changed the value
LineFeedReplacementCharInASCII from 0 to 10 (hex a), which is line feed.

It is now as readable as in the Event Viewer GUI.


Thanks very much for your help

Alessandro Fiorenzi



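The agent output discussed in this thread (the `security[success] 576 NT AUTHORITY\SYSTEM ...` line quoted below, with the event body's carriage returns carried as ASCII 127) is easy to get wrong on the collector side. The following is an added example, not code from the original posts or from Datagram SyslogAgent: a small Python parser that undoes the 0x7f substitution the way the registry change above does (CR dropped, line breaks kept), splits the BSD-syslog header, event ID and account, and turns the `Key:Value` body lines into a dict. The sample lines are constructed in the shape shown in the thread; the account-name heuristic (`DOMAIN\name`, where the domain may contain one space as in `NT AUTHORITY\SYSTEM`) and the use of 0x7f as the carriage-return replacement byte are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: carriage returns arrive as ASCII 127 (0x7f), the default the
# thread describes for Datagram SyslogAgent before the registry change.
CR_REPLACEMENT = "\x7f"

# Constructed sample lines (not taken from the original post), in the shape the
# thread shows. Breaks inside the event body are carried as 0x7f.
SAMPLE_LINES = [
    "Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\\SYSTEM "
    "Special privileges assigned to new logon:\x7fUser Name:CLI-FS-1$"
    "\x7fDomain:(obscured)\x7fLogon ID:(0x0,0x11331C8)",
    "Oct  6 11:03:41 cli-fs-1 security[failure] 529 NT AUTHORITY\\SYSTEM "
    "Logon Failure:\x7fReason:Unknown user name or bad password"
    "\x7fUser Name:bob\x7fDomain:(obscured)\x7fLogon Type:3",
]

# BSD timestamp, host, then the agent's "<log>[<outcome>] <event id>" prefix.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<log>[^\s\[]+)\[(?P<outcome>[^\]]*)\] "
    r"(?P<event_id>\d+) "
    r"(?P<body>.*)$",
    re.DOTALL,
)

# Assumption: the body opens with the account, either DOMAIN\name (domain may
# contain a single space, e.g. NT AUTHORITY\SYSTEM) or a lone token such as N/A.
USER_RE = re.compile(
    r"^(?P<user>(?:[A-Za-z0-9._-]+(?: [A-Za-z0-9._-]+)?\\)?\S+) (?P<message>.*)$",
    re.DOTALL,
)


@dataclass
class WindowsEvent:
    timestamp: str
    host: str
    log: str          # e.g. "security"
    outcome: str      # e.g. "success" / "failure"
    event_id: int
    user: str
    message: str      # first line of the event body
    fields: Dict[str, str] = field(default_factory=dict)


def normalize(raw: str) -> str:
    """Replace the agent's CR substitute with a newline, giving the same
    multi-line body the registry change in the thread produces."""
    return raw.replace(CR_REPLACEMENT, "\n")


def is_windows_event(raw: str) -> bool:
    """True when the line carries the agent's "<log>[<outcome>] <id>" prefix,
    so a collector can route it apart from native syslog lines."""
    return HEADER_RE.match(normalize(raw)) is not None


def parse_event(raw: str) -> Optional[WindowsEvent]:
    m = HEADER_RE.match(normalize(raw))
    if not m:
        return None
    um = USER_RE.match(m["body"])
    if not um:
        return None
    lines = um["message"].split("\n")
    fields: Dict[str, str] = {}
    # Every line after the first is "Key:Value"; split on the first colon only,
    # so values such as "(0x0,0x11331C8)" survive intact.
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return WindowsEvent(
        timestamp=m["timestamp"], host=m["host"], log=m["log"],
        outcome=m["outcome"], event_id=int(m["event_id"]),
        user=um["user"], message=lines[0].strip(), fields=fields,
    )


def parse_all(lines: List[str]) -> List[WindowsEvent]:
    return [ev for ev in (parse_event(ln) for ln in lines) if ev is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev.host, ev.log, ev.outcome, ev.event_id, ev.user, ev.fields)
```

Run as-is to see both constructed events broken into fields; `is_windows_event` is the check a relay would apply before deciding where a line belongs, and it stays false for an ordinary `sshd[1234]:` line because the agent's prefix puts an event ID, not a colon, after the bracket.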

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Martin Holste
Sent: Wednesday, 13 October 2010 0:53
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

Can you post your config?

On Tue, Oct 12, 2010 at 5:21 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> Unfortunately, that program made matters worse - nearly all logs from that
> host are now going into the /var/log/messages file, getting intermixed with
> the opensuse messages. Another odd thing that does not appear to be related;
> syslog-ng created additional folders for my two Windows servers in the
> /HOSTS folder, this time with the name in all_lower_case and is now putting
> some of the server log files into one and some into the other!
>
> It would be nice if there was a configuration switch to tell syslog-ng that
> the host in question was a Windows host and deal with the format
> accordingly. While I realize that the Windows event log format does not
> match the syslog standard, the free version of EventLogAnalyzer and Kiwi
> syslog server handle Windows format event logs from Datagram Syslog Agent
> with no problem.
>
> Jerry
>
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> Sent: Wednesday, October 06, 2010 3:56 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>
> Eventlog-to-Syslog is excellent.  I have a db-parser pattern for it that
> works pretty well, at least for grabbing the event ID and user name along
> with the program and host.  It's free and works on all versions of Windows:
> http://code.google.com/p/eventlog-to-syslog/ .  I like it better than Snare
> because it's much lighter weight.
>
> --Martin
>
> On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>> I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog
>> server and it is working well except for one thing - the Windows event
>> logs that are being sent with the Datagram Syslog Agent contain a
>> space that causes issues. Initially, all of these were going into
>> /var/log/messages until I added the keep_hostname(yes) argument.
>>
>> After doing that, it now puts the Windows logs into the appropriate
>> folder under /var/log/hosts/ but it still puts a copy into the
>> /var/log/messages file. I would like to have that log only contain log
> messages from Opensuse.
>>
>> Is there a configuration setting I am missing, or is this caused by
>> the fact that the syslog agent does not correct the eventlog message
>> so that it adheres to the standard syslog message format? If the
>> latter, does anyone know of an open source/free agent that does this?
>>
>> An example of one of the problematic messages is:
>>
>> Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM
>> Special privileges assigned to new logon: User Name:CLI-FS-1$
>> Domain:(obscured) Logon ID:(0x0,0x11331C8)
>>
>> Thanks,
>>
>> Jerry Riedel
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>>


Think about the environment before printing

***
This email (including any attachment) is a corporate message and may contain confidential and/or privileged and/or proprietary information. If you have received this email in error, please notify the sender immediately, do not use or share it and destroy this email. Any unauthorised use, copying or disclosure of the material in this email or of parts hereof (including reliance thereon) is strictly forbidden.
We have taken precautions to minimize the risk of transmitting software viruses but nevertheless advise you to carry out your own virus checks on any attachment of this message. We accept no liability for loss or damage caused by software viruses.
For the conduct of investment business in the UK, the Company is authorized by Bank of Italy and regulated by the Financial Services Authority.

