[syslog-ng] syslog-ng and ntsyslog
Balazs Scheidler
bazsi at balabit.hu
Fri Oct 15 22:19:22 CEST 2010
On Tue, 2010-10-12 at 16:02 +0200, Fiorenzi Alessandro wrote:
> Hi,
>
> We have syslog-ng 3.05 as log server, and Datagram syslog agent on
> Windows systems (originally ntsyslog).
>
> From a Windows 2003 server with syslogagent configured I have this
> event in the event viewer:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 10/12/2010
> Time: 12:26:43 PM
> User: DOMAINXXX\A.Fiorenzi
> Computer: XXXXXX
> Description:
> User Logoff:
> User Name: A.Fiorenzi
> Domain: DOMAINXXX
> Logon ID: (0x0,0xF78F137)
> Logon Type: 10
>
> and on the syslog-ng server I get this:
>
> Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\a.fiorenzi
> User Logoff User Name: A.Fiorenz Domain:
> DOMAINXX Logon ID: (0x0,0xF78F137 Logon Type: 1
>
> where the description field has User Name, Domain, Logon ID and Logon
> Type cut off.
>
> I have recorded the network traffic via tcpdump and I have seen the data
> arrive correctly.
>
> So I have set in the syslog-ng.conf options the statement log_msg_size(8192);
>
> The problem is still open and I do not know how to solve it. Can anyone
> help me?
>
I'm not sure if you are using udp or tcp transport, but please note that
if you are using UDP, then probably IP fragmentation happens in case
your log message is more than 1492 octets. Can you include the original
tcpdump as you have seen it on the wire? Do you include the whole
message in your sample above? How long is the complete message as
transferred on the wire?
--
Bazsi
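As an added illustration (not code from the thread, syslog-ng or the Windows agent) of the two checks raised in this exchange, the script below takes received syslog lines in the ntsyslog/SyslogAgent shape shown above and flags (a) descriptions whose Windows security fields look cut off and (b) messages whose on-the-wire length exceeds the 1492-octet figure from the reply, where UDP delivery would risk IP fragmentation. The threshold, the field labels of a 538 "User Logoff" event and the sample lines are assumptions constructed for the example; the set of known Windows logon types is standard Windows behaviour, not something the thread states.

```python
import re

# Threshold the reply above cites: a UDP syslog datagram longer than this many
# octets is likely to be IP-fragmented on the wire (assumption taken from the reply).
UDP_FRAGMENT_THRESHOLD = 1492

# Labels a Windows Security event 538 (User Logoff) description carries, in order.
EXPECTED_FIELDS = ("User Name:", "Domain:", "Logon ID:", "Logon Type:")

# Logon types Windows actually emits; any other value in this field is suspect.
KNOWN_LOGON_TYPES = {2, 3, 4, 5, 7, 8, 9, 10, 11}

# ntsyslog-style line: "<timestamp> <host> security[success]: 538 <rest>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)\[(?P<level>[^\]]+)\]: "
    r"(?P<event_id>\d+) (?P<rest>.*)$"
)


def parse_line(line):
    """Split one syslog line into its header parts; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    return rec


def parse_description_fields(text):
    """Extract 'Label: value' pairs; each value runs up to the next known label."""
    found = sorted((text.find(lbl), lbl) for lbl in EXPECTED_FIELDS if lbl in text)
    fields = {}
    for i, (pos, lbl) in enumerate(found):
        end = found[i + 1][0] if i + 1 < len(found) else len(text)
        fields[lbl.rstrip(":")] = text[pos + len(lbl):end].strip()
    return fields


def check_message(line):
    """Return truncation and fragmentation indicators for one received line."""
    rec = parse_line(line)
    if rec is None:
        return {"parsed": False}
    fields = parse_description_fields(rec["rest"])
    problems = []
    for lbl in EXPECTED_FIELDS:
        if lbl.rstrip(":") not in fields:
            problems.append("missing field %s" % lbl)
    # A cut-off message leaves the "(0x0,0x...)" logon id without its ")".
    logon_id = fields.get("Logon ID", "")
    if logon_id.count("(") != logon_id.count(")"):
        problems.append("Logon ID %r has unbalanced parentheses" % logon_id)
    # "10" truncated to "1" yields a logon type Windows never produces.
    logon_type = fields.get("Logon Type", "")
    if not (logon_type.isdigit() and int(logon_type) in KNOWN_LOGON_TYPES):
        problems.append("Logon Type %r is not a known Windows logon type" % logon_type)
    wire_len = len(line.encode("utf-8"))
    return {
        "parsed": True,
        "event_id": rec["event_id"],
        "fields": fields,
        "problems": problems,
        "wire_octets": wire_len,
        "udp_fragmentation_risk": wire_len > UDP_FRAGMENT_THRESHOLD,
    }


# Constructed sample lines (not captured traffic). The first mirrors the cut-off
# message from the post, joined onto one line; the second is what a complete
# 538 event looks like; the third is padded past the UDP threshold.
TRUNCATED = ("Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\\a.fiorenzi "
             "User Logoff User Name: A.Fiorenz Domain: DOMAINXX "
             "Logon ID: (0x0,0xF78F137 Logon Type: 1")
COMPLETE = ("Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\\a.fiorenzi "
            "User Logoff User Name: A.Fiorenzi Domain: DOMAINXXX "
            "Logon ID: (0x0,0xF78F137) Logon Type: 10")
OVERSIZED = COMPLETE.replace("User Logoff", "Padding " + "x" * 1600 + " User Logoff")


if __name__ == "__main__":
    for name, line in (("truncated", TRUNCATED), ("complete", COMPLETE),
                       ("oversized", OVERSIZED)):
        r = check_message(line)
        print(name, r["wire_octets"], r["udp_fragmentation_risk"], r["problems"])
```

Run against a syslog-ng destination file, the `problems` list separates "the agent sent a short message" from "the message was cut on the way", which is exactly the distinction the tcpdump question in the reply is after: if the wire length is over the threshold and the transport is UDP, compare the captured datagram with what syslog-ng wrote before blaming log_msg_size().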