[syslog-ng] Windows event logs vs syslog format
Jerry Riedel
riedel at codylabs.com
Wed Oct 13 18:31:27 CEST 2010
Here is my config:
#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
# configuration template aren't used any more.
#
# Feel free to edit this file directly.
#
# Additional log sockets for chroot environments can
# be declared in the /etc/sysconfig/syslog file using
# SYSLOGD_ADDITIONAL_SOCKET<NAME>
# variables. This way allows to define a socket from
# RPM scripts and is used by several services, e.g.
# bind and dhcpd.
#
# The sockets defined in /etc/sysconfig/syslog file
# are added by the /etc/init.d/syslog init-script using
# "-a path" command line options while syslog-ng is
# started.
#
# This syslog-ng contains an extension and appends the
# sockets added by "-a" option to the same source group
# and using the same socket type (unix-dgram) as the
# "/dev/log" socket.
# If one of the sockets added by "-a" option already
# exists in any (other) source group in the config file,
# then the socket added by "-a" option is ignored.
#
#
# Global options.
#
# keep_hostname(yes): $HOST (and any host() filter) uses the hostname the
# sender wrote into the message instead of the peer's address. For the
# network listeners in source src below that value is unauthenticated and
# easily forged, and it is interpolated into a file path further down
# (destination std). If this version of syslog-ng offers check_hostname(),
# enabling it here rejects hostnames with invalid characters; confirm against
# syslog-ng.conf(5) for the installed release before relying on it.
# perm(0640) is the mode for files syslog-ng creates unless a destination
# overrides it; sync(0) writes immediately; stats(3600) logs counters hourly.
options { long_hostnames(off); sync(0); perm(0640); stats(3600);
keep_hostname(yes); };
#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
#
# include internal syslog-ng messages
# note: the internal() source is required!
#
internal();
#
# the default log socket for local logging:
#
unix-dgram("/dev/log");
#
# Network listeners. Both lines are ACTIVE (the original "uncomment to
# process log messages from network" note is stale).
# - udp on 0.0.0.0:514 binds every interface and accepts datagrams from any
#   peer with no authentication; both the source address and the hostname
#   inside the message can be spoofed. Restrict reachability with a host
#   firewall or bind ip() to the management address as the tcp line does.
# - tcp on 192.168.0.228:5140 is bound to a single address; keep-alive(yes)
#   keeps idle client connections open.
# Because remote and local messages share this one source, every log
# statement below that names source(src) sees the remote Windows events
# too unless its filter excludes them.
#
udp(ip("0.0.0.0") port(514));
tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};
#
# Filter definitions
#
# Kernel messages that carry both "IN=" and "OUT=" (netfilter log lines).
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
# Kernel warnings that are not netfilter lines, plus errors from anything
# except authpriv; note the operator precedence (and binds tighter than or).
filter f_console { level(warn) and facility(kern) and not
filter(f_iptables)
or level(err) and not facility(authpriv); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };
#
# acpid messages
#
# match() here is applied to the message text; the anchored patterns expect
# the program name at the start of the line.
filter f_acpid_full { match('^acpid:'); };
filter f_acpid { level(emerg..notice) and match('^acpid:'); };
# this is for the old acpid < 1.0.6
filter f_acpid_old { match('^\[acpid\]:'); };
filter f_netmgm { match('^NetworkManager:'); };
# f_messages does not restrict the sending host, so everything that arrives
# on the udp/tcp listeners in source src — including the remote Windows
# events — also matches here and ends up in /var/log/messages. To keep that
# file local-only, add a host-based term, e.g. `and not host("<REMOTE-HOST>")`
# per remote sender, or a netmask() term covering the remote senders' subnet
# (exact syntax per syslog-ng.conf(5) for this version). host() compares the
# message hostname, which with keep_hostname(yes) is sender-supplied.
filter f_messages { not facility(news, mail) and not filter(f_iptables);
};
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };
#
# Enable this and adapt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };
#
# Most warning and errors on tty10 and on the xconsole pipe:
#
# owner/group/perm(-1) leave the pipe's existing ownership and mode untouched.
destination console { pipe("/dev/tty10" owner(-1) group(-1) perm(-1));
};
log { source(src); filter(f_console); destination(console); };
destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1));
};
# Neither statement uses flags(final), so matching messages continue to the
# file destinations below as well.
log { source(src); filter(f_console); destination(xconsole); };
# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };
#
# News-messages in separate files:
#
# Per-level news files, owned by the news user so the news daemon can read
# them; the mode comes from the global perm(0640).
destination newscrit { file("/var/log/news/news.crit"
owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };
destination newserr { file("/var/log/news/news.err"
owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };
destination newsnotice { file("/var/log/news/news.notice"
owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };
#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };
#
# Mail-messages in separate files:
#
# Per-level mail files. The same message can match several of these filters
# and f_mail, so it is written to more than one file by design.
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };
destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };
# fsync(yes): flush each error record to disk before continuing.
destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };
#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };
#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
# An empty destination: messages routed here are discarded.
destination null { };
# flags(final): acpid messages that match stop here and do not reach the
# catch-all statements (messages, std) further down.
log { source(src); filter(f_acpid); destination(acpid); flags(final); };
#
# if you want more verbose acpid logging, comment the destination(null)
# line and uncomment the destination(acpid) line
#
log { source(src); filter(f_acpid_full); destination(null); flags(final); };
# The commented-out statement below appears to have been wrapped in transit:
# its closing "};" is on a separate, uncommented line. In the real file that
# "};" must be part of the same comment line, otherwise the parser will
# see a stray block terminator — verify against the file on disk.
# log { source(src); filter(f_acpid_full); destination(acpid); flags(final);
};
#
# old acpid < 1.0.6
log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };
#
# NetworkManager messages in one file:
#
# NetworkManager lines are terminal here (flags(final)), so they do not
# appear in /var/log/messages or the per-host tree.
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };
#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };
#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };
#
# All messages except iptables and the facilities news and mail:
# (not restricted by host — see the note on f_messages; remote events
# arriving on the network listeners are written here as well)
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };
#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };
#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };
# this is for separating out network hosts into individual log files.
# The path embeds $HOST, which with keep_hostname(yes) is the name the
# sender wrote into the message, and create_dirs(yes) lets syslog-ng create
# a directory per such name under /var/log/HOSTS. Consequences:
# - a remote sender controls part of the on-disk path; whether characters
#   such as "/" are filtered depends on the syslog-ng version, so the
#   check_hostname() global option is the documented control — verify it is
#   supported and enabled before exposing the udp listener beyond the LAN;
# - the directory chosen depends on the exact spelling and case of the
#   hostname, which is consistent with the duplicate upper-/lower-case host
#   folders described in this thread (a sender that alternates between the
#   two forms will split its files across both).
# dir_perm(0700)/perm(0600) with owner root keep the tree readable by root
# only. The log statement has no filter, so every message that was not
# already stopped by a flags(final) statement above — local and remote —
# is written here in addition to the destinations above.
destination std {
file
("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs(yes)
);
};
log {
source(src);
destination(std);
};
Jerry
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
Sent: Tuesday, October 12, 2010 4:53 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
Can you post your config?
On Tue, Oct 12, 2010 at 5:21 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> Unfortunately, that program made matters worse - nearly all logs from
> that host are now going into the /var/log/messages file, getting
> intermixed with the opensuse messages. Another odd thing that does not
> appear to be related: syslog-ng created additional folders for my two
> Windows servers in the /HOSTS folder, this time with the name in
> all_lower_case, and is now putting some of the server log files into one
> and some into the other!
>
> It would be nice if there was a configuration switch to tell syslog-ng
> that the host in question was a Windows host and deal with the format
> accordingly. While I realize that the Windows event log format does
> not match the syslog standard, the free version of EventLogAnalyzer
> and Kiwi syslog server handle Windows format event logs from Datagram
> Syslog Agent with no problem.
>
> Jerry
>
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> Sent: Wednesday, October 06, 2010 3:56 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>
> Eventlog-to-Syslog is excellent. I have a db-parser pattern for it
> that works pretty well, at least for grabbing the event ID and user
> name along with the program and host. It's free and works on all versions
> of Windows:
> http://code.google.com/p/eventlog-to-syslog/ . I like it better than
> Snare because it's much lighter weight.
>
> --Martin
>
> On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>> I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog
>> server and it is working well except for one thing - the Windows
>> event logs that are being sent with the Datagram Syslog Agent contain
>> a space that causes issues. Initially, all of these were going into
>> /var/log/messages until I added the keep_hostname(yes) argument.
>>
>> After doing that, it now puts the Windows logs into the appropriate
>> folder under /var/log/hosts/ but it still puts a copy into the
>> /var/log/messages file. I would like to have that log only contain
>> log messages from Opensuse.
>>
>> Is there a configuration setting I am missing, or is this caused by
>> the fact that the syslog agent does not correct the eventlog message
>> so that it adheres to the standard syslog message format? If the
>> latter, does anyone know of an open source/free agent that does this?
>>
>> An example of one of the problematic messages is:
>>
>> Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM
>> Special privileges assigned to new logon: User Name:CLI-FS-1$
>> Domain:(obscured) Logon ID:(0x0,0x11331C8)
>>
>> Thanks,
>>
>> Jerry Riedel
>>
>>
>>
>>
>>
>>
>
>
>