[syslog-ng] Syslog-ng Windows Agent & WIN2008 Event Forwarding Subscription

Szilárd Szabó xilu87 at gmail.com
Tue Feb 8 12:52:23 CET 2011


Dear members,

I installed Epilog and added the log file [ForwardedEvents.evtx], but it
doesn't work, because it's like a binary file.
Any idea how to forward ForwardedEvents subscriptions?

I tried Syslog-ng Windows Agent, Splunk, Snare, Snare Epilog, EvtSys.

BUT,

I tried SolarWinds Log Forwarder For Windows. This is the one which works.
But I have a problem with it too. All Forwarded Events appear under
one host/IP in syslog-ng.

Any IDEA? Or other applications which work?
Or any solution which works with Windows Server 2008 Event Subscription?
(but I do not want to migrate again)


P.S.: the syslog-ng support team can't reproduce this mistake that I have.


Regards, Szilard Szabo

2011/1/23 Zoltán Pallagi <pzolee at balabit.hu>:
> On 2011.01.23. 17:38, Martin Holste wrote:
>> Bah, too bad!  Thanks a lot, Microsoft.  Nice that they finally put
>> together some sort of log forwarding in the least inter-operable way
>> possible.
>>
>> Your next option might be to install Epilog (similar to Snare) and
>> forward the flat files the log subscription is writing out.
>
> Well, as far as I know, the free Snare clients can send logs only via
> UDP, which is not lossless. So if you want to forward your logs via TCP
> or TLS to a syslog-ng server, I think the best solution is to use
> syslog-ng agent, because BalaBit develops both products, and we take care
> of the best interoperability of syslog-ng agent and syslog-ng.
>
> Of course, if you would like to use free software, you can use other
> programs on your Windows (only syslog-ng PE includes the agent, so it's not
> free), but from my point of view, when you want to collect logs from
> thousands of Windows servers, the cost is not the basic aspect.
>
>> 2011/1/23 Szilárd Szabó<xilu87 at gmail.com>:
>>> I tried it.
>>> Negative :(
>>>
>>>
>>> 2011/1/22 Martin Holste<mcholste at gmail.com>:
>>>>> I am not sure that these programs can forward events coming from
>>>>> other Windows hosts forwarded by WinRM. (so these events are in the
>>>>> ForwardedEvents store on the server, and syslog-ng agent forwards
>>>>> these forwarded events to a syslog-ng).
>>>>>
>>>>> Can you confirm that these programs can do it?
>>>>>
>>>> I have not tried EvtSys with subscriptions, but I know that by default
>>>> it will forward all sources (Security, Application, etc.) including
>>>> any custom or otherwise non-standard sources.  If ForwardedEvents is
>>>> considered a source, it will be forwarded along with everything else.
>>>> I should also point out that you can configure EvtSys to filter out
>>>> messages in a granular way with some registry keys if you don't want
>>>> everything.
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards, Szabó Szilárd
>>> ====================
>>> http://szaboszilard.info
>>>
>>>
>>>
>>
>>
>
>
> --
> pzolee
>
>
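The symptom in the post above (every forwarded event arriving in syslog-ng under the collector's host/IP) comes from the forwarder stamping its own hostname on the syslog line. As an added example that is not code from the thread or from any of the products named in it, the following rebuilds an RFC 5424 line from a Windows event record (the XML rendering Windows uses for event logs) and takes HOSTNAME from the event's own `<System><Computer>` element, which Windows Event Forwarding preserves as the originating machine; the sample records, the Level-to-severity map and the facility are constructed assumptions.

```python
# Added example (not from the thread): convert a forwarded Windows event record,
# in the XML rendering Windows uses for event logs, into an RFC 5424 syslog line
# whose HOSTNAME is the originating machine (<System><Computer>), not the collector.
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LEVEL_TO_SEVERITY = {0: 6, 1: 2, 2: 3, 3: 4, 4: 6, 5: 7}  # Windows Level -> syslog severity (local choice)
FACILITY = 13  # log audit (local choice)

# Constructed sample records: two origin hosts relayed through one collector.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>'
    '<Level>0</Level><TimeCreated SystemTime="2011-02-08T11:52:23.000Z"/>'
    '<Channel>Security</Channel><Computer>srv01.example.local</Computer></System>'
    '<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data>'
    '</EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Application Error"/><EventID>1000</EventID>'
    '<Level>2</Level><TimeCreated SystemTime="2011-02-08T11:53:01.000Z"/>'
    '<Channel>Application</Channel><Computer>srv02.example.local</Computer></System>'
    '<EventData><Data>svchost.exe</Data></EventData></Event>',
]

def event_to_syslog(xml_text, collector_host):
    """Return one RFC 5424 line; collector_host is only a fallback HOSTNAME."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    computer = (system.findtext(EVT_NS + "Computer") or collector_host).strip()
    event_id = system.findtext(EVT_NS + "EventID")
    level = int(system.findtext(EVT_NS + "Level") or 4)
    ts = system.find(EVT_NS + "TimeCreated").get("SystemTime")
    channel = system.findtext(EVT_NS + "Channel")
    app = system.find(EVT_NS + "Provider").get("Name").replace(" ", "_")  # APP-NAME must not contain SP
    # Flatten <EventData> into key=value pairs (unnamed Data elements become positional)
    fields = []
    data = root.find(EVT_NS + "EventData")
    for i, d in enumerate(data.findall(EVT_NS + "Data") if data is not None else []):
        fields.append(f"{d.get('Name') or 'Data' + str(i)}={d.text or ''}")
    pri = FACILITY * 8 + LEVEL_TO_SEVERITY.get(level, 5)
    msg = " ".join([f"EventID={event_id}", f"Channel={channel}"] + fields)
    return f"<{pri}>1 {ts} {computer} {app} - {event_id} - {msg}"

def hosts_seen(records, collector_host):
    """Count lines per HOSTNAME: origin hosts appear separately instead of one collector."""
    counts = {}
    for rec in records:
        host = event_to_syslog(rec, collector_host).split(" ")[2]
        counts[host] = counts.get(host, 0) + 1
    return counts
```

On the syslog-ng side the same effect can be had by parsing the origin host out of the message and rewriting $HOST, but that depends on the exact format each forwarder emits, which the thread does not show.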
