MonitorWare Knowledge Base

I want to use EventReporter to forward Windows event logs to a syslog server.

Will I still maintain a copy of the event log on the originating system?

Thanx
sbg31

Yes, the event log is never reset. EventReporter keeps track of what it already sent and only forwards new entries. But, again, it does not delete anything.

I hope this helps,
Rainer Gerhards
Adiscon

Thanx that's what I needed

sbg31

What happens when the Client is physically disconnected from the Syslog Sever (Kiwi Syslog Daemon)? Maybe a user is working offline. Are any windows security events lost? does the eventreporter service know it has lost the connection?

Actually, it depends on the transmission protocol you are using. If you use UDP syslog, there is no way for EventReporter to detect that the message could not be sent. This is by UDP design (and the design of the syslog protocol, which does not supply a message acknowledge). However, if you use TCP, EventReporter will see it can't send to the syslog server and queue processing. Plain TCP is non-standard, but our syslog server (http://www.winsyslog.com) supports it. We also support standard TCP syslog via RFC 3195, but to the best of my knowledge no other product besides SDSC syslog does currently support it.

HTH
Rainer