Event ID in the syslog msg

Support, Questions and Discussions on MonitorWare Agent

Moderator: alorbach

Post by omar » Wed Jun 23, 2004 11:45 pm

We are using monitorware to forward Event logs to a syslog server.
The resulting syslog msgs don't have the Event IDs in them.
How can we make Event ID part of the actual msg?

Thanks,

Omar

Post by wrehman » Thu Jun 24, 2004 7:47 am

Dear Omar,

You are probably sending the messages using the "Forward via Syslog" action. Please send the Event Log messages using "Send SETP" and create an SETP server on the receiving end. This will solve your problem.

Best Regards
Wajih
Adiscon

Post by rgerhards » Thu Jun 24, 2004 8:28 am

Hello Omar,

There are many ways to include the event id even without using SETP (which is obviously not an option if you would like to send to a non-Adiscon backend).

Let me say the options I see:

1. Use XML Format
This is the best option. With XML format, you get everything we know about this event and you get it in a well-structured way. It includes all of the properties described in our event properties reference at

http://www.mwagent.com/en/Manual/curren ... erties.htm

To enable XML format, simply check "Use XML to Report" in the "Forward Syslog" Action (see http://www.mwagent.com/en/Manual/curren ... ptions.htm).


2. Use your own custom format
In the "Forward Syslog" action, you can specify your own custom format in the "message format" text box. It defaults to %msg%, but you can include whatever you like. Use the "insert" link to do this (or type it). Be sure to read the property replacer documentation to see the full power:

http://www.mwagent.com/en/Manual/curren ... placer.htm

This is also a very good option, especially if you intend to parse the data... because *you* can exactly specify what you would like to see.


3. Use MoniLog Format
This is our former legacy format. It includes a bunch of useful information, but it has a number of anomalies, which might hit you in a few cases when parsing. I do not recommend it, but if you would like to use it, you can select the "insert" link in the "Forward Syslog" action's properties. Then, select "Replace with MoniLog Format". It will generate a custom format of this type:

##
%severity% %timereported:::uxTimeStamp%: %source%/%sourceproc% (%id%) - "%msg%"
##

Again, I do not recommend this, but it is a way.

4. Change Event Log Monitor Settings
You could also change the event log monitor itself to generate the legacy format. Then, you do not need to change the "Forward Syslog" action's settings. The big drawback is that now the event log monitor does emit an old format, which is not meant to be processed by any other MonitorWare product. If you just use the product as a back-end for your own front-end, this is not an issue. Anyhow, I still recommend that you go for approach #3 instead of this.

If you absolutely want to do it this way, this is how it is done:

Go to the event log monitor properties. Click on the "Advanced Options" button. Check the "Use Legacy Format" checkbox. This will enable some other checkboxes. Review the manual (http://www.mwagent.com/en/Manual/curren ... nitor1.htm) to see which of these you want.


I've provided you the options at hand. I *strongly* recommend you go for either option 1 or 2. If you go for 3 or 4, please do not turn to us if you receive a parsing error from time to time - because this is what was solved by the newer formats ;).

As a general hint, you may want to take into account that Windows log messages can become rather lengthy. They often go over the syslog RFC size of 1024 bytes. If you run a non-Adiscon syslog server, you need to ensure it can receive such large messages, because otherwise some information might be missing (with option 2, you can customize what you would like to be missing in such cases - by limiting the size of %msg% via the property replacer).

I hope this information is helpful for you.

Best regards,
Rainer Gerhards
Adiscon
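
Added example (not part of the original posts and not Adiscon code): a receiver-side Python parser for the MoniLog-style template quoted in option 3, which pulls out %id% and flags messages that a syslog server cut off at its size limit. It assumes %severity% renders as a single token and uxTimeStamp as integer epoch seconds; the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Mirrors the template quoted in the thread:
#   %severity% %timereported:::uxTimeStamp%: %source%/%sourceproc% (%id%) - "%msg%"
# Assumptions: severity is one token, uxTimeStamp is integer epoch seconds.
MONILOG = re.compile(
    r'^(?P<severity>\S+) (?P<ts>\d+): '
    r'(?P<source>[^/\s]+)/(?P<sourceproc>.+?) '   # sourceproc may contain spaces
    r'\((?P<id>\d+)\) - "(?P<msg>.*)$',
    re.DOTALL,
)

def parse_monilog(line):
    """Return a dict of fields, or None if the line does not match."""
    m = MONILOG.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    rec["time"] = datetime.fromtimestamp(int(rec.pop("ts")), tz=timezone.utc)
    # The template closes %msg% with a quote. If it is missing, the message
    # was most likely cut short in transit or by the receiver's size limit.
    rec["truncated"] = not rec["msg"].endswith('"')
    if not rec["truncated"]:
        rec["msg"] = rec["msg"][:-1]   # drop only the template's closing quote
    return rec

# Constructed sample lines (not captured from a real system).
SAMPLES = [
    '5 1088065680: WKS01/Security (529) - "Logon Failure: Reason: "Unknown user name or bad password""',
    '3 1088065700: WKS01/Service Control Manager (7031) - "The Print Spooler service terminated unexpe',
    'not a MoniLog line',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_monilog(sample))
```

A record with truncated set to True still carries a usable event ID, because %id% precedes %msg% in the template; only the tail of the message text is lost.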
