[syslog-ng] Windows Agent default install template

Evan Rempel erempel at uvic.ca
Fri Sep 27 17:21:06 CEST 2013


We are in the process of a huge log filtering/profiling project where we are using syslog-ng to
profile/classify *EVERY* message that comes through our syslog server.
This means that we will have 1,000s of patterns in our patterndb, but we accept that.

We have purchased the Syslog-ng Agent for Windows and are not profiling all of our Windows messages as well.

Now to the challenge. The default message template is very difficult to parse using the pattern database.
The problem is that many of the fields from a Windows computer can contain spaces in them, and there
are no delimiters in the default template. Additionally, the $EVENT_ID that Windows places on
each message, which is unique for each message type within the scope of each application that is logging, is placed
at the end of the log line after the free-form text description. Making a patterndb pattern to parse through the
free-form text just to get to the Event ID is very difficult.


I wanted to open the discussion of using a different, and IMHO much more useful, default template
for MS Windows event logs. The pattern below has the following properties:

- wraps each field in a [] pair
- places the most definitive value, the Event ID, at the beginning of the template
- places the least definitive and unstructured data, EVENT_MESSAGE, at the end of the template


EventID[${EVENT_ID}] Log[${EVENT_NAME}] Type[${EVENT_TYPE}] User[${EVENT_USERNAME}] ${EVENT_MESSAGE}


Let the discussion begin!

Thanks for listening.

-- 
Evan Rempel

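As an added example (not part of the post or of the syslog-ng project), a small Python parser for the proposed bracketed template, run over a few constructed sample lines. It shows why the "] Label[" delimiters make values containing spaces unambiguous, and it returns None for lines that do not match so a classifier can route them to a catch-all class instead of guessing.

```python
import re
from typing import Optional

# Regex for the bracketed template proposed in the post:
#   EventID[${EVENT_ID}] Log[${EVENT_NAME}] Type[${EVENT_TYPE}] User[${EVENT_USERNAME}] ${EVENT_MESSAGE}
# Field values may contain spaces (user names, log names), so each field is
# delimited by the literal "] <NextLabel>[" token rather than by whitespace,
# and the free-form message is last so it can contain anything at all.
# (An assumed patterndb equivalent would use @NUMBER:event_id@ for the ID,
#  @ESTRING:event_name:]@ style parsers for the bracketed fields, and
#  @ANYSTRING:event_message@ for the trailing text.)
TEMPLATE_RE = re.compile(
    r"^EventID\[(?P<event_id>\d+)\]"
    r" Log\[(?P<event_name>.*?)\]"
    r" Type\[(?P<event_type>.*?)\]"
    r" User\[(?P<event_username>.*?)\]"
    r" (?P<event_message>.*)$",
    re.DOTALL,
)


def parse_event(line: str) -> Optional[dict]:
    """Split one line in the proposed template into its fields.

    Returns None when the line does not match, so the caller can route
    unparsed lines to a catch-all class rather than misclassify them."""
    m = TEMPLATE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    return fields


# Constructed sample lines (not real events). Note the space inside the
# user name and the "]" inside the free-form message.
SAMPLE_LINES = [
    "EventID[4624] Log[Security] Type[Audit Success] User[CORP\\Jane Doe] "
    "An account was successfully logged on. [Logon Type 3]",
    "EventID[7036] Log[System] Type[Information] User[N/A] "
    "The Print Spooler service entered the running state.",
    "Oct  1 12:00:00 host unrelated line without the template",
]


def classify(lines):
    """Count lines by (log name, event ID), the key a patterndb-style
    classifier would use once the ID is at the front of the line."""
    counts = {}
    for line in lines:
        ev = parse_event(line)
        key = (ev["event_name"], ev["event_id"]) if ev else ("unknown", None)
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Bracketed values stay unambiguous only as long as a field value cannot itself contain the next delimiter token; that holds for event IDs and type names, and the free text is kept last for exactly that reason.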
