[syslog-ng] Windows event logs vs syslog format

Matthew Hall mhall at mhcomputing.net
Wed Oct 13 18:51:14 CEST 2010 

There is a way to change the template used to create the file names for remote logging.

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/configuring_destinations_file.html

Change the template argument to use something like the SOURCEIP macro instead of the various HOST macros.

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html

Matthew.

On Wed, Oct 13, 2010 at 10:44:04AM -0600, Jerry Riedel wrote:
>  
>  
> 
> 
> On Tue, Oct 12, 2010 at 04:21:48PM -0600, Jerry Riedel wrote:
> > Another odd thing that does not appear to be related; syslog-ng 
> > created additional folders for my two Windows servers in the /HOSTS 
> > folder, this time with the name in all_lower_case and is now putting 
> > some of the server log files into one and some into the other!
> 
> Probably happening because the host name is showing up in different
> capitalizations in the messages and UNIX has case sensitive file names so
> these capitalization differences appear to be different strings when UNIX
> opens up the files to write out the logs. Try logging to dirs based on the
> host IP instead of the host name.
> 
> --Sounds good... how do I configure that?
> 
> > It would be nice if there was a configuration switch to tell syslog-ng 
> > that the host in question was a Windows host and deal with the format 
> > accordingly.
> 
> If only it were so simple! But Windows does not even support Syslog without
> proprietary plugins, and nobody agrees which one to use, so there are
> several and every one of them sends a different format of message.
> 
> --I know. I am going to continue to use EventLogAnalyzer and Datagram Syslog
> Agent on a 
> --Windows server, but I need to run a second log server.
> 
> > While I realize that the Windows event log format does not match the 
> > syslog standard, the free version of EventLogAnalyzer and Kiwi syslog 
> > server handle Windows format event logs from Datagram Syslog Agent 
> > with no problem.
> 
> Sure they do, for one Syslog agent. But there are many of them and none of
> them agree. Thank Microsoft for their ingenious decision to release a
> logging system which supports zero standard and interoperable logging
> protocols out of the box, thus leading to a proliferation of competing and
> incompatible solutions to the same exact problem, hand hacked and manually
> installed, over and over and over again.
> 
> I understand your frustrations 100% as I'm up against the same issues over
> here, but let's put credit and discredit where it's due and not just blame
> Balabit and the syslog servers by default.
> 
> --I wasn't blaming anyone. If anyone is to blame, as you point out, it would
> be Microsoft.  
> 
> --Jerry
> 
> > Jerry
> 
> Cheers,
> Matthew.
> 
> > -----Original Message-----
> > From: syslog-ng-bounces at lists.balabit.hu
> > [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> > Sent: Wednesday, October 06, 2010 3:56 PM
> > To: Syslog-ng users' and developers' mailing list
> > Subject: Re: [syslog-ng] Windows event logs vs syslog format
> > 
> > Eventlog-to-Syslog is excellent.  I have a db-parser pattern for it 
> > that works pretty well, at least for grabbing the event ID and user 
> > name along with the program and host.  It's free and works on all versions
> of Windows:
> > http://code.google.com/p/eventlog-to-syslog/ .  I like it better than 
> > Snare because it's much lighter weight.
> > 
> > --Martin
> > 
> > On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> > > I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog 
> > > server and it is working well except for one thing - the Windows 
> > > event logs that are being sent with the Datagram Syslog Agent 
> > > contain a space that causes issues. Initially, all of these were 
> > > going into /var/log/messages until I added the keep_hostname(yes)
> argument.
> > >
> > > After doing that, it now puts the Windows logs into the appropriate 
> > > folder under /var/log/hosts/ but it still puts a copy into the 
> > > /var/log/messages file. I would like to have that log only contain 
> > > log
> > messages from Opensuse.
> > >
> > > Is there a configuration setting I am missing, or is this caused by 
> > > the fact that the syslog agent does not correct the eventlog message 
> > > so that it adheres to the standard syslog message format? If the 
> > > latter, does anyone know of an open source/free agent that does this?
> > >
> > > An example of one of the problematic messages is:
> > >
> > > Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM 
> > > Special privileges assigned to new logon: User Name:CLI-FS-1$
> > > Domain:(obscured) Logon ID:(0x0,0x11331C8)
> > >
> > > Thanks,
> > >
> > > Jerry Riedel
> > >
> > >
> > >
> > > ____________________________________________________________________
> > > __
> > > ________ Member info: 
> > > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Documentation:
> > > http://www.balabit.com/support/documentation/?product=syslog-ng
> > > FAQ: http://www.campin.net/syslog-ng/faq.html
> > >
> > >
> > >
> > ______________________________________________________________________
> > ______
> > __
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> > http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> > 
> > ______________________________________________________________________
> > ________ Member info: 
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: 
> > http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> > 
> ____________________________________________________________________________
> __
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>

More information about the syslog-ng mailing list