MonitorWare Knowledge Base

Yes, that's exactly also my intention: all events from several W2k3 server to a central rsyslogd server (ubuntu 10.1.0.200) where I'll do any kind of filtering/etc...
But what I'm not understanding (in Purdue) is how I tell to send ALL events. I'm starting the service with evtsys -i -h 10.1.0.200 but on the destination I see only thos 'security' evts... ?!?
And then there's the problem of IP... events coming from my 'not joined' server have (apparently) NO IP (I know that's obviously false/wrong...) but look, after making last change, and test.log being correctly written, I get the following types of records:
-----------------------------
1) evt from LOCAL (ubuntu itself) everything is OK
TIME GEN: 2008-08-29T15:04:28.518352+02:00 HOSTNAME: ubuntu FROMHOST: ubuntu FROMIP: 127.0.0.1 FACILITY: 0 PRIORITY: 6 TAG: kernel: MSG: imklog 3.19.3, log source = /proc/kmsg started.
-----------------------------
2) evt from JOINED server, HOSTNAME OK, FROMHOST/FROMIP empty, should be 10.1.0.62...
TIME GEN: 2008-08-29T15:14:58.409857+02:00 HOSTNAME: bl6.istge.priv FROMHOST: ??? FROMIP: ??? FACILITY: 5 PRIORITY: 6 TAG: MSWinEventLog#0111#011Security#011912813#011Fri MSG: Aug 29 15:14:16 2008#011538#011Security#011Reale#011User#011Success Audit#011BL6#011Logon/Logoff#011#011User Logoff: User Name: Reale Domain: CED Logon ID: (0x6,0x941FA9E2) Logon Type: 3 #011911578
-----------------------------
3) evt from 'NOT joined' server, HOSTNAMEFROMHOST/FROMIP empty, should be NBVisintin 10.0.30.3
TIME GEN: 2008-08-29T15:25:01.732142+02:00 HOSTNAME: ??? FROMHOST: ??? FROMIP: ??? FACILITY: 3 PRIORITY: 3 TAG: Security: MSG: 861: NT AUTHORITY\SERVIZIO DI RETE: È stata rilevata un'applicazione in ascolto sul traffico in ingresso. Nome: - Percorso: C:\WINDOWS\system32\svchost.exe Identificatore processo: 812 Account utente: SERVIZIO DI RETE Dominio utente: NT AUTHORITY Servizio: Sì Server RPC: No Versione IP: IPv4 Protocollo IP: UDP Numero porta: 65016 Consentito: No Notifica utente: No
-----------------------------
Still trying to understand and learn...
Now I'll install SNARE on my NOT joined server then test.
If you have suggestion...
TIA
Luigi

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Hi,

I am obviously very biased on this topic, being the inventor of the eventlog-to-syslog industry There is a reason that there is EventReporter ( http://www.eventreporter.com ) and MonitorWare Agent ( http://www.mwagent.com ). EventReporter was the first ever program to convert event log to syslog and it still is the best It uses proper format, proper facilities, gives you the right severity perception plus is able to decode AD GUIDs, UUIDs ... and a thousand things more. Granted, it is not free, but it will save you a lot of time (plus, it funds rsyslog development). Oh - and did I mention it supports reliable delivery? You may want to give it a try...

Now back to our regular programming

Rainer