EventReporter/PhpLogCon issues

Support, Questions and Discussions on EventReporter

Moderator: alorbach


Postby wendtmk » Wed Aug 05, 2009 1:44 pm

I'm posting this to both the EventReporter and phpLogCon forums because I'm not entirely sure where the problem lies with my installations. Here are the system setups:

phpLogcon machine:
RH Linux ES 5 (64 bit) 2.6.18-128.2.1.el5xen

rsyslogd 4.2.0, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
Atomic operations supported: Yes
Runtime Instrumentation (slow code): No

Apache v2.2.3

php (with gd support) php-5.1.6-23.2.el5_3 (RH versioning)

phpLogCon v2.7.1


EventReporter machine:

Windows Server 2008 SP2 (32 bit)

EventReporter version 10.2.320
Client Version 10.2.260


Here's the problem we seem to be having. Windows events are sent to the Linux server, accepted via rsyslogd to a text file, and read by phpLogCon. phpLogCon is a stock install, not using a database but a flat text file. When a web browser is opened to the phpLogCon page, with the View set to Eventlog, the Date, Host and Message fields are populated, but the Severity, EventLog Type, Event Source, Event ID and Event User are empty.

On the EventReporter side, under Configured Services, I'm using the Event Log Monitor v2.2, with just the System event box checked, Local 6 facility used for the rsyslog daemon, and all types of events checked to send.

Under Rule Sets, I've got the correct IP address for the rsyslog server, standard port 514 set, using UDP, with the default stuff in the Message Options box. The Syslog Processing box is currently set to "Use Legacy RFC 3164 Processing", though I've tried the other selections in the pull-down choices as well.

I've obviously got something set not quite right, but I'm at a loss as to what else needs to be configured to populate those other fields. We're only going to be monitoring Windows 2008 servers through this setup, so I'm not terribly concerned with screwing up phpLogCon's view of *nix log files.

If there's any other information you need for me to post, please let me know and I'll get it up here as quickly as I can.

Thanks,
Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm

Re: EventReporter/PhpLogCon issues

Postby alorbach » Wed Aug 05, 2009 2:32 pm

Hi,

I removed the other duplicated thread. I am currently working on an article which sums up what you need to configure to get Eventreporter working with rsyslog and phpLogCon.
On the Eventreporter side, you need this format in your forward Syslog Action:
%id%,%user%,%sourceproc%,%NTEventLogType%,%severity%,%category%,%msg%%$CRLF%


On the rsyslog side you need this template for the file output:
$template WinSyslogFmt,"%timegenerated:1:10:date-rfc3339% %timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339% %timegenerated:12:19:date-rfc3339%,%HOSTNAME%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"


Then you need to specify "eventlog" in the message parser field in your phpLogCon logstream source.
After you have configured all this, you should be able to see EventLog fields properly in phpLogCon.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Wed Aug 05, 2009 2:48 pm

alorbach wrote:Hi,

I removed the other duplicated thread. I am currently working on an article which sums up what you need to configure to get Eventreporter working with rsyslog and phpLogCon.
On the Eventreporter side, you need this format in your forward Syslog Action:
%id%,%user%,%sourceproc%,%NTEventLogType%,%severity%,%category%,%msg%%$CRLF%


On the rsyslog side you need this template for the file output:
$template WinSyslogFmt,"%timegenerated:1:10:date-rfc3339% %timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339% %timegenerated:12:19:date-rfc3339%,%HOSTNAME%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"


Then you need to specify "eventlog" in the message parser field in your phpLogCon logstream source.
After you have configured all this, you should be able to see EventLog fields properly in phpLogCon.

best regards,
Andre Lorbach


Andre,

I'll give that a whirl. I'm guessing that on the rsyslog side, that line needs to go into the rsyslog.conf?

Thanks,
Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm

Re: EventReporter/PhpLogCon issues

Postby alorbach » Wed Aug 05, 2009 3:08 pm

Hi,

Yes, I forgot to mention this; yes, it goes into the rsyslog.conf ;)

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Wed Aug 05, 2009 3:22 pm

Okay, I inserted the template line into the rsyslog.conf on the phpLogCon machine, and the format string into the EventReporter Message Format box. I then edited the config.php to use "eventlog" instead of "syslog" - $CFG['Sources']['Source1']['LogLineType'] = 'eventlog';.

When I fire up the phpLogCon page in the web browser I get this:

Critical Error occured
Errordetails: Couldn't locate LineParser include file './classes/logstreamlineparsereventlog.class.php'

Did I change the wrong field, the wrong file, or both?

Thanks,
Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm

Re: EventReporter/PhpLogCon issues

Postby alorbach » Wed Aug 05, 2009 3:27 pm

"Messageparser" not loglineparser.

regards,
Andre
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Wed Aug 05, 2009 3:38 pm

alorbach wrote:"Messageparser" not loglineparser.

regards,
Andre


Okay... ;-) Where would that be located?

Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Thu Aug 06, 2009 1:31 pm

Andre,

I scoured through the phplogcon directory looking for a file where I would change the "Messageparser" field to eventlog, but was unable to locate that. I'm missing something here about what exactly I need to change.

Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Thu Aug 06, 2009 4:15 pm

Andre,

Okay, I finally found the line you were talking about and added it into the mix, with eventlog as the message parser. All the fields are now filled, with the exception of the "Severity" field. Is there an additional change I need to make to get this field populated on the web page? The severity is showing up in the syslog file as a text field, i.e. [INF], [WRN], etc., but it isn't making it to the web page.

Thanks,
mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm

Re: EventReporter/PhpLogCon issues

Postby alorbach » Fri Aug 07, 2009 9:31 am

Hi Mark,

This is strange. Can you post a few sample lines from your logfile? Then I can verify if the format is correct.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Fri Aug 07, 2009 10:56 am

Andre,

Sure thing:

2009-08-06 11:01:13,2009-08-06 11:01:13,DCHOTEL1.spacenet.nrl.navy.mil,22,6,EvntSLog- RealSource:"DCHOTEL1.spacenet.nrl.navy.mil" 7036,N\A,Service Control Manager,System,[INF],0,The Adiscon EvntSLog service entered the stopped state.
2009-08-06 11:01:13,2009-08-06 11:01:13,DCHOTEL1.spacenet.nrl.navy.mil,22,6,EvntSLog- RealSource:"DCHOTEL1.spacenet.nrl.navy.mil" 105,N\A,Adiscon EvntSLog,Application,[INF],0,The service was started.
2009-08-06 11:01:13,2009-08-06 11:01:13,DCHOTEL1.spacenet.nrl.navy.mil,22,6,EvntSLog- RealSource:"DCHOTEL1.spacenet.nrl.navy.mil" 7036,N\A,Service Control Manager,System,[INF],0,The Adiscon EvntSLog service entered the running state.
2009-08-06 11:02:12,2009-08-06 11:02:12,DCHOTEL1.spacenet.nrl.navy.mil,22,6,EvntSLog- RealSource:"DCHOTEL1.spacenet.nrl.navy.mil" 108,N\A,Adiscon EvntSLog,Application,[INF],0,The service was stopped.
2009-08-06 11:02:15,2009-08-06 11:02:15,DCHOTEL1.spacenet.nrl.navy.mil,22,6,EvntSLog: RealSource:"DCHOTEL1.spacenet.nrl.navy.mil" 118,N\A,Adiscon EvntSLog,Application,[INF],0,EventReporter is running in trial mode. 24 days left

Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm
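
Added example (not part of the thread, and not Adiscon's code): a Python check that each line in the rsyslog output file has the layout produced by the WinSyslogFmt template followed by the EventReporter format string quoted earlier in the thread. The sample lines and hostname are constructed, and treating the RealSource:"..." prefix as optional is an assumption based on the lines posted above.

```python
import re

# Fields the WinSyslogFmt template writes before %syslogtag%%msg%.
HEADER = ["generated", "generated2", "host", "facility", "priority"]
# Fields of the EventReporter format string, in order.
EVENT = ["id", "user", "sourceproc", "eventlogtype", "severity", "category", "msg"]
# Syslog tag, then the RealSource:"..." prefix (assumed optional), then the event fields.
REST = re.compile(r'^(?P<tag>\S+)\s+(?:RealSource:"(?P<realsource>[^"]*)"\s+)?(?P<payload>.*)$')

def parse_line(line):
    """Return a dict of fields; raise ValueError naming the first bad field."""
    parts = line.rstrip("\r\n").split(",", len(HEADER))
    if len(parts) != len(HEADER) + 1:
        raise ValueError("header: expected 5 fields before the tag")
    rec = dict(zip(HEADER, parts))
    m = REST.match(parts[-1])
    if not m:
        raise ValueError("tag: missing syslog tag or payload")
    rec["tag"], rec["realsource"] = m["tag"], m["realsource"]
    # maxsplit keeps commas inside the free-text message intact.
    event = m["payload"].split(",", len(EVENT) - 1)
    if len(event) != len(EVENT):
        raise ValueError("payload: expected 7 EventReporter fields")
    rec.update(zip(EVENT, event))
    for key in ("facility", "priority", "id"):
        if not rec[key].isdigit():
            raise ValueError(f"{key}: not numeric: {rec[key]!r}")
    sev = re.fullmatch(r"\[([A-Z]+)\]", rec["severity"])
    if not sev:
        raise ValueError(f"severity: expected a [XXX] tag, got {rec['severity']!r}")
    rec["severity"] = sev.group(1)
    return rec

def check_lines(lines):
    """Return (parsed records, [(line number, error)])."""
    good, bad = [], []
    for n, line in enumerate(lines, 1):
        try:
            good.append(parse_line(line))
        except ValueError as exc:
            bad.append((n, str(exc)))
    return good, bad

# Constructed sample lines; the hostname is a placeholder, not taken from the thread.
SAMPLE = [
    '2009-08-06 11:01:13,2009-08-06 11:01:13,host1.example.net,22,6,EvntSLog- RealSource:"host1.example.net" 7036,N\\A,Service Control Manager,System,[INF],0,The service stopped, then restarted.',
    '2009-08-06 11:02:15,2009-08-06 11:02:15,host1.example.net,22,6,EvntSLog: 118,N\\A,Adiscon EvntSLog,Application,[WRN],0,Trial mode.',
    '2009-08-06 11:03:00,2009-08-06 11:03:00,host1.example.net,22,6,EvntSLog: The service was started.',
]
```

The third sample line carries only free text after the tag, so it fails the payload check; a file full of such lines means the sender's message format does not carry the event fields.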

Re: EventReporter/PhpLogCon issues

Postby alorbach » Fri Aug 07, 2009 11:10 am

Hrm, the format looks OK to me. Can you show me how you have configured the logstream source?
And what your view in phpLogCon looks like?

You can send me those as a screenshot to alorbach@adiscon.com if you do not want to post them in public.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Fri Aug 07, 2009 11:17 am

Andre,

Here are the lines in my config.php:

$CFG['DefaultSourceID'] = 'Source1';
$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['Name'] = 'My Syslog Source';
$CFG['Sources']['Source1']['ViewID'] = 'EVTRPT';
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DISK;
$CFG['Sources']['Source1']['MsgParserList'] = "eventlog";
$CFG['Sources']['Source1']['LogLineType'] = 'syslog';
$CFG['Sources']['Source1']['DiskFile'] = '/var/log/winders.log';


I'll send the screen shot to your email.

Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm

Re: EventReporter/PhpLogCon issues

Postby alorbach » Fri Aug 07, 2009 11:20 am

I think I see the problem ;)
Try to use this loglinetype, it matches the format which is emulated by this rsyslog template.

$CFG['Sources']['Source1']['LogLineType'] = 'winsyslog';


best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: EventReporter/PhpLogCon issues

Postby wendtmk » Fri Aug 07, 2009 11:34 am

Andre,

That hosed my view. I sent the screen capture in an email.

Mark
wendtmk
Advanced
 
Posts: 26
Joined: Wed Aug 05, 2009 1:11 pm
