[syslog-ng] Windows event logs vs syslog format

Jerry Riedel riedel at codylabs.com
Wed Oct 13 23:37:03 CEST 2010


 
Ok, the $SOURCEIP macro solved that problem, but even though I moved that
section to the top of the list, the remote host messages are still being
duplicated in the /var/log/messages file.

I've attached the revised conf - what am I missing or doing wrong?

Jerry
 

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 13, 2010 11:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

It looks to me like logs from other hosts should be logged both to
/var/log/messages as well as the individual $HOST folder.  If you only want
them to go to the $HOSTS folders, then you should put that entry first and
put flags(final) on the log {} statement.  Check the docs for details on
doing that.

I agree with Matthew--I always use $SOURCEIP as my log host macro because it
can be trusted to be well-formed.  I spoof forwarded packets to preserve
that macro if I'm chaining log hosts.

On Wed, Oct 13, 2010 at 11:31 AM, Jerry Riedel <riedel at codylabs.com> wrote:
> Here is my config:
>
> #
> # /etc/syslog-ng/syslog-ng.conf
> #
> # File format description can be found in syslog-ng.conf(5)
> # and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
> #
> # NOTE: The SuSEconfig script and its syslog-ng.conf.in
> #       configuration template aren't used any more.
> #
> #       Feel free to edit this file directly.
> #
> #       Additional log sockets for chroot environments can
> #       be declared in the /etc/sysconfig/syslog file using
> #               SYSLOGD_ADDITIONAL_SOCKET<NAME>
> #       variables. This way allows to define a socket from
> #       RPM scripts and is used by several services, e.g.
> #       bind and dhcpd.
> #
> #       The sockets defined in /etc/sysconfig/syslog file
> #       are added by the /etc/init.d/syslog init-script using
> #       "-a path" command line options while syslog-ng is
> #       started.
> #
> #       This syslog-ng contains an extension and appends the
> #       sockets added by "-a" option to the same source group
> #       and using the same socket type (unix-dgram) as the
> #       "/dev/log" socket.
> #       If one of the sockets added by "-a" option already
> #       exists in any (other) source group in the config file,
> #       then the socket added by "-a" option is ignored.
> #
>
> #
> # Global options.
> #
> options { long_hostnames(off); sync(0); perm(0640); stats(3600);
>           keep_hostname(yes); };
>
> #
> # 'src' is our main source definition. you can add
> # more sources driver definitions to it, or define
> # your own sources, i.e.:
> #
> #source my_src { .... };
> #
> source src {
>        #
>        # include internal syslog-ng messages
>        # note: the internal() source is required!
>        #
>        internal();
>
>        #
>        # the default log socket for local logging:
>        #
>        unix-dgram("/dev/log");
>
>        #
>        # uncomment to process log messages from network:
>        #
>        udp(ip("0.0.0.0") port(514));
>        tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
> };
>
> #
> # Filter definitions
> #
> filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
>
> filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
>                      or level(err) and not facility(authpriv); };
>
> filter f_newsnotice { level(notice) and facility(news); };
> filter f_newscrit   { level(crit)   and facility(news); };
> filter f_newserr    { level(err)    and facility(news); };
> filter f_news       { facility(news); };
>
> filter f_mailinfo   { level(info)      and facility(mail); };
> filter f_mailwarn   { level(warn)      and facility(mail); };
> filter f_mailerr    { level(err, crit) and facility(mail); };
> filter f_mail       { facility(mail); };
>
> filter f_cron       { facility(cron); };
>
> filter f_local      { facility(local0, local1, local2, local3,
>                               local4, local5, local6, local7); };
>
> #
> # acpid messages
> #
> filter f_acpid_full { match('^acpid:'); };
> filter f_acpid      { level(emerg..notice) and match('^acpid:'); };
>
> # this is for the old acpid < 1.0.6
> filter f_acpid_old  { match('^\[acpid\]:'); };
>
> filter f_netmgm     { match('^NetworkManager:'); };
>
> filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
> filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
> filter f_alert      { level(alert); };
>
>
> #
> # Enable this and adapt IP to send log messages to a log server.
> #
> #destination logserver { udp("10.10.10.10" port(514)); };
> #log { source(src); destination(logserver); };
>
> #
> # Enable this, if you want to keep all messages in one file:
> # (don't forget to provide logrotation config)
> #
> #destination allmessages { file("/var/log/allmessages"); };
> #log { source(src); destination(allmessages); };
>
> #
> # Most warning and errors on tty10 and on the xconsole pipe:
> #
> destination console  { pipe("/dev/tty10"    owner(-1) group(-1) perm(-1)); };
> log { source(src); filter(f_console); destination(console); };
>
> destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); };
> log { source(src); filter(f_console); destination(xconsole); };
>
> # Enable this, if you want that root is informed immediately,
> # e.g. of logins:
> #
> #destination root { usertty("root"); };
> #log { source(src); filter(f_alert); destination(root); };
>
>
> #
> # News-messages in separate files:
> #
> destination newscrit   { file("/var/log/news/news.crit"
>                              owner(news) group(news)); };
> log { source(src); filter(f_newscrit); destination(newscrit); };
>
> destination newserr    { file("/var/log/news/news.err"
>                              owner(news) group(news)); };
> log { source(src); filter(f_newserr); destination(newserr); };
>
> destination newsnotice { file("/var/log/news/news.notice"
>                              owner(news) group(news)); };
> log { source(src); filter(f_newsnotice); destination(newsnotice); };
>
> #
> # and optionally also all in one file:
> # (don't forget to provide logrotation config)
> #
> #destination news { file("/var/log/news.all"); };
> #log { source(src); filter(f_news); destination(news); };
>
>
> #
> # Mail-messages in separate files:
> #
> destination mailinfo { file("/var/log/mail.info"); };
> log { source(src); filter(f_mailinfo); destination(mailinfo); };
>
> destination mailwarn { file("/var/log/mail.warn"); };
> log { source(src); filter(f_mailwarn); destination(mailwarn); };
>
> destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
> log { source(src); filter(f_mailerr);  destination(mailerr); };
>
> #
> # and also all in one file:
> #
> destination mail { file("/var/log/mail"); };
> log { source(src); filter(f_mail); destination(mail); };
>
>
> #
> # acpid messages in one file:
> #
> destination acpid { file("/var/log/acpid"); };
> destination null { };
> log { source(src); filter(f_acpid); destination(acpid); flags(final); };
> #
> # if you want more verbose acpid logging, comment the destination(null)
> # line and uncomment the destination(acpid) line
> #
> log { source(src); filter(f_acpid_full); destination(null); flags(final); };
> # log { source(src); filter(f_acpid_full); destination(acpid); flags(final); };
> #
> # old acpid < 1.0.6
> log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };
>
> #
> # NetworkManager messages in one file:
> #
> destination netmgm { file("/var/log/NetworkManager"); };
> log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };
>
>
> #
> # Cron-messages in one file:
> # (don't forget to provide logrotation config)
> #
> #destination cron { file("/var/log/cron"); };
> #log { source(src); filter(f_cron); destination(cron); };
>
>
> #
> # Some boot scripts use/require local[1-7]:
> #
> destination localmessages { file("/var/log/localmessages"); };
> log { source(src); filter(f_local); destination(localmessages); };
>
>
> #
> # All messages except iptables and the facilities news and mail:
> #
> destination messages { file("/var/log/messages"); };
> log { source(src); filter(f_messages); destination(messages); };
>
>
> #
> # Firewall (iptables) messages in one file:
> #
> destination firewall { file("/var/log/firewall"); };
> log { source(src); filter(f_iptables); destination(firewall); };
>
>
> #
> # Warnings (except iptables) in one file:
> #
> destination warn { file("/var/log/warn" fsync(yes)); };
> log { source(src); filter(f_warn); destination(warn); };
>
> # this is for separating out network hosts into individual log files.
> destination std {
>        file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
>                owner(root) group(root) perm(0600) dir_perm(0700)
>                create_dirs(yes)
>        );
> };
> log {
>        source(src);
>        destination(std);
> };
>
>
>
>
> Jerry
>
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> Sent: Tuesday, October 12, 2010 4:53 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>
> Can you post your config?
>
> On Tue, Oct 12, 2010 at 5:21 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>> Unfortunately, that program made matters worse - nearly all logs from
>> that host are now going into the /var/log/messages file, getting
>> intermixed with the opensuse messages. Another odd thing that does
>> not appear to be related; syslog-ng created additional folders for my
>> two Windows servers in the /HOSTS folder, this time with the name in
>> all_lower_case and is now putting some of the server log files into
>> one and some into the other!
>>
>> It would be nice if there was a configuration switch to tell 
>> syslog-ng that the host in question was a Windows host and deal with 
>> the format accordingly. While I realize that the Windows event log 
>> format does not match the syslog standard, the free version of 
>> EventLogAnalyzer and Kiwi syslog server handle Windows format event 
>> logs from Datagram Syslog Agent with no problem.
>>
>> Jerry
>>
>>
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu
>> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
>> Sent: Wednesday, October 06, 2010 3:56 PM
>> To: Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>>
>> Eventlog-to-Syslog is excellent.  I have a db-parser pattern for it
>> that works pretty well, at least for grabbing the event ID and user
>> name along with the program and host.  It's free and works on all
>> versions of Windows: http://code.google.com/p/eventlog-to-syslog/ .
>> I like it better than Snare because it's much lighter weight.
>>
>> --Martin
>>
>> On Wed, Oct 6, 2010 at 4:35 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>>> I have the latest syslog-ng on an Opensuse 11.2 acting as a syslog
>>> server and it is working well except for one thing - the Windows
>>> event logs that are being sent with the Datagram Syslog Agent
>>> contain a space that causes issues. Initially, all of these were
>>> going into /var/log/messages until I added the keep_hostname(yes)
>>> argument.
>>>
>>> After doing that, it now puts the Windows logs into the appropriate
>>> folder under /var/log/hosts/ but it still puts a copy into the
>>> /var/log/messages file. I would like to have that log only contain
>>> log messages from Opensuse.
>>>
>>> Is there a configuration setting I am missing, or is this caused by 
>>> the fact that the syslog agent does not correct the eventlog message 
>>> so that it adheres to the standard syslog message format? If the 
>>> latter, does anyone know of an open source/free agent that does this?
>>>
>>> An example of one of the problematic messages is:
>>>
>>> Oct  6 11:02:08 cli-fs-1 security[success] 576 NT AUTHORITY\SYSTEM 
>>> Special privileges assigned to new logon: User Name:CLI-FS-1$
>>> Domain:(obscured) Logon ID:(0x0,0x11331C8)
>>>
>>> Thanks,
>>>
>>> Jerry Riedel
>>>
>>>
>>>
>>> ___________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>>
>>
>>
>>
>
>
>
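An added example (not the poster's config and not from anyone on the list) of the arrangement Martin describes, written so that it cannot swallow local messages: the single src source is split into a local and a network source, which lets the network log path carry flags(final) with no filter at all, and the per-host directory is keyed on $SOURCEIP, which syslog-ng takes from the receiving socket, instead of $HOST, which is whatever string the sender put in the message. The 192.168.0.228 listener and the f_iptables/f_messages filters are copied from the quoted config; the source and destination names are assumed.

```conf
# Added example, not the quoted syslog-ng.conf. Names s_local, s_net,
# d_hosts and d_messages are assumed; the listeners and filters below
# are taken from the config quoted in the thread.
source s_local {
    internal();
    unix-dgram("/dev/log");
};

source s_net {
    udp(ip("0.0.0.0") port(514));
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };

# $SOURCEIP is the peer address of the packet or connection, so a Windows
# agent that announces itself as CLI-FS-1 on one message and cli-fs-1 on
# the next still ends up in a single directory.
destination d_hosts {
    file("/var/log/HOSTS/$YEAR-$MONTH/$SOURCEIP/$FACILITY-$YEAR-$MONTH-$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

destination d_messages { file("/var/log/messages"); };

# Network path first. flags(final) ends processing for every message this
# path matches, so nothing received from the network reaches a later path.
log { source(s_net); destination(d_hosts); flags(final); };

# Only messages from the local socket and from syslog-ng itself get here.
log { source(s_local); filter(f_messages); destination(d_messages); };
```

With the shared src source of the quoted config, moving an unfiltered log path to the top and adding flags(final) would divert the local messages as well, which is why the example separates the sources rather than relying on ordering alone.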
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog-ng.conf
Type: application/octet-stream
Size: 7361 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20101013/abc0a542/attachment.obj 

