[syslog-ng] Windows event logs vs syslog format
Jerry Riedel
riedel at codylabs.com
Wed Oct 13 18:44:04 CEST 2010
On Tue, Oct 12, 2010 at 04:21:48PM -0600, Jerry Riedel wrote:
> Another odd thing that does not appear to be related; syslog-ng
> created additional folders for my two Windows servers in the /HOSTS
> folder, this time with the name in all_lower_case and is now putting
> some of the server log files into one and some into the other!
Probably happening because the host name is showing up in different
capitalizations in the messages and UNIX has case sensitive file names so
these capitalization differences appear to be different strings when UNIX
opens up the files to write out the logs. Try logging to dirs based on the
host IP instead of the host name.
--Sounds good... how do I configure that?
> It would be nice if there was a configuration switch to tell syslog-ng
> that the host in question was a Windows host and deal with the format
> accordingly.
If only it were so simple! But Windows does not even support Syslog without
proprietary plugins, and nobody agrees which one to use, so there are
several and every one of them sends a different format of message.
--I know. I am going to continue to use EventLogAnalyzer and Datagram Syslog
--Agent on a Windows server, but I need to run a second log server.
> While I realize that the Windows event log format does not match the
> syslog standard, the free version of EventLogAnalyzer and Kiwi syslog
> server handle Windows format event logs from Datagram Syslog Agent
> with no problem.
Sure they do, for one Syslog agent. But there are many of them and none of
them agree. Thank Microsoft for their ingenious decision to release a
logging system which supports zero standard and interoperable logging
protocols out of the box, thus leading to a proliferation of competing and
incompatible solutions to the same exact problem, hand hacked and manually
installed, over and over and over again.
I understand your frustrations 100% as I'm up against the same issues over
here, but let's put credit and discredit where it's due and not just blame
Balabit and the syslog servers by default.
--I wasn't blaming anyone. If anyone is to blame, as you point out, it would
--be Microsoft.
--Jerry
> Jerry
Cheers,
Matthew.
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> Sent: Wednesday, October 06, 2010 3:56 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>
> Eventlog-to-Syslog is excellent. I have a db-parser pattern for it
> that works pretty well, at least for grabbing the event ID and user
> name along with the program and host. It's free and works on all versions
> of Windows:
> http://code.google.com/p/eventlog-to-syslog/ . I like it better than
> Snare because it's much lighter weight.
>
> --Martin
>
> On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> > I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog
> > server and it is working well except for one thing - the Windows
> > event logs that are being sent with the Datagram Syslog Agent
> > contain a space that causes issues. Initially, all of these were
> > going into /var/log/messages until I added the keep_hostname(yes)
> > argument.
> >
> > After doing that, it now puts the Windows logs into the appropriate
> > folder under /var/log/hosts/ but it still puts a copy into the
> > /var/log/messages file. I would like to have that log only contain
> > log messages from Opensuse.
> >
> > Is there a configuration setting I am missing, or is this caused by
> > the fact that the syslog agent does not correct the eventlog message
> > so that it adheres to the standard syslog message format? If the
> > latter, does anyone know of an open source/free agent that does this?
> >
> > An example of one of the problematic messages is:
> >
> > Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM
> > Special privileges assigned to new logon: User Name:CLI-FS-1$
> > Domain:(obscured) Logon ID:(0x0,0x11331C8)
> >
> > Thanks,
> >
> > Jerry Riedel
> >
> >
> >
> > ______________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> > http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >
> >
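The reply above suggests logging to directories keyed by the sender's IP address rather than its hostname, and the original question asks how to keep the Windows events out of /var/log/messages. The following syslog-ng configuration is an added example, not Balabit's documentation or anything posted in the thread; it assumes syslog-ng 3.x syntax and uses 192.0.2.0/24 as a placeholder for the subnet the Windows agents send from.

```conf
options {
    keep_hostname(yes);   # as in the thread: keep the hostname the agent sends
    create_dirs(yes);     # let file() destinations create /var/log/hosts/<ip>/
};

source s_local { internal(); unix-dgram("/dev/log"); };
source s_net   { udp(ip("0.0.0.0") port(514)); };

# Windows agents are selected by source address, so the capitalisation of the
# hostname they put in the message no longer matters. Placeholder subnet.
filter f_windows { netmask("192.0.2.0/24"); };

# One directory per sending IP address instead of per (case-sensitive) hostname.
destination d_by_ip    { file("/var/log/hosts/${SOURCEIP}/messages"); };
destination d_messages { file("/var/log/messages"); };

# Windows events are written to their own directory and processing stops there
# (flags(final)), so they never reach /var/log/messages.
log { source(s_net); filter(f_windows); destination(d_by_ip); flags(final); };

# Everything else, local and remote, goes to /var/log/messages as before.
log { source(s_local); source(s_net); destination(d_messages); };
```

Order matters: the log statement carrying flags(final) must come before the catch-all one. Keying directories by ${SOURCEIP} only removes the case-sensitivity problem; it is not authentication, since the source address of a UDP datagram is trivially forged, and agents behind NAT will all land in the same directory.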
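Martin's db-parser pattern pulls the event ID and user name out of the agent's message, and the sample line in the original question shows why a stock RFC 3164 parser struggles: the TAG is "security[success]" with no colon, the event ID follows as a bare number, and the account name contains a space. The parser below is an added example, written for this thread and not taken from any project; it takes the message quoted in the thread as constructed sample input and handles those three quirks, lower-casing the host so that cli-fs-1 and CLI-FS-1 collapse into one key.

```python
import re
from typing import Dict, Optional

# Constructed sample: the line quoted in the thread, as emitted by
# Datagram Syslog Agent for event ID 576 on host cli-fs-1.
SAMPLE = (
    "Oct 6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\\SYSTEM "
    "Special privileges assigned to new logon: User Name:CLI-FS-1$ "
    "Domain:(obscured) Logon ID:(0x0,0x11331C8)"
)

# RFC 3164-style header: timestamp, host, then a TAG that would normally be
# PROGRAM[PID]:. Here the bracketed part is the audit result, there is no
# colon, and the event ID and user name follow, separated only by spaces.
HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<log>[A-Za-z]+)\[(?P<result>[A-Za-z]+)\] "
    r"(?P<event_id>\d+) "
    r"(?P<rest>.*)$"
)

# Windows account names contain a space (NT AUTHORITY\SYSTEM), so the user
# cannot be split off on whitespace; match DOMAIN\name explicitly instead.
USER = re.compile(r"^(?P<user>[^\\]+\\\S+) (?P<message>.*)$")

# Key:Value pairs appended to the description (User Name:..., Logon ID:...).
# The lazy key stops at the first colon that is directly followed by a value,
# so "new logon: User Name:..." yields the key "User Name", not "new logon".
FIELDS = re.compile(r"([A-Za-z][A-Za-z ]*?):(\S+)")


def parse_windows_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one Datagram-style Windows event line into a flat dict.

    Returns None when the line does not have this shape (e.g. an ordinary
    sshd[1234]: line), so callers can route such lines elsewhere instead
    of mis-filing them.
    """
    m = HEADER.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "rest"}
    # Normalise the host: the thread's per-host directories split because
    # cli-fs-1 and CLI-FS-1 are different strings on a case-sensitive filesystem.
    rec["host"] = rec["host"].lower()
    rest = m.group("rest")
    u = USER.match(rest)
    if u:
        rec["user"] = u.group("user")
        rest = u.group("message")
    else:
        rec["user"] = ""
    rec["message"] = rest
    for key, value in FIELDS.findall(rest):
        rec[key.strip().lower().replace(" ", "_")] = value
    return rec


if __name__ == "__main__":
    parsed = parse_windows_event(SAMPLE)
    for key, value in (parsed or {}).items():
        print(f"{key:>10}: {value}")
```

The extracted fields (event_id, user, user_name, logon_id) are what a filter or alert would key on; a line that fails to parse is returned as None rather than guessed at, which is the safer behaviour for audit data.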