EventReporter on Win2k3 writing to UNIX syslog svr problem

Support, Questions and Discussions on EventReporter

Moderator: alorbach

EventReporter on Win2k3 writing to UNIX syslog svr problem

Postby raudy » Fri Nov 02, 2007 1:42 am

Hello all,

I have EventReporter v5.4.166 running on a Windows Server 2003 std edition SP1 server which logs to our UNIX syslog server.

I also have EventReporter v9.1.294 running on a Windows Server 2003 R2 Std SP2 server which logs to the same UNIX syslog server. This is a new server, and our UNIX admins advise that the format of the packet is different between the two versions of EventReporter.

This is an example of the packet from the v5 EventReporter:

10:11:36.280829 IP (tos 0x0, ttl 127, id 46516, offset 0, flags [none], proto 17, length: 462) XXX.XXX.XXX.XXX.2265 > XXX.XXX.XXX.XXX.514: [udp sum ok] UDP, length 434
0x0000: 4500 01ce b5b4 0000 7f11 cc1f c0a8 0305 E...............
0x0010: cb1c 2981 08d9 0202 01ba 3ab4 3c31 3333 ..).......:.<133
0x0020: 3e4d 6f6e 204f 6374 2032 3220 3130 3a31 >Mon.Oct.22.10:1
0x0030: 303a 3338 2032 3030 373a 2057 5344 4330 0:38.2007:.SVR11
0x0040: 322f 5365 6375 7269 7479 2028 3534 3029 2/Security.(540)
0x0050: 202d 2022 5375 6363 6573 7366 756c 204e .-."Successful.N
0x0060: 6574 776f 726b 204c 6f67 6f6e 3a20 5573 etwork.Logon:.Us
0x0070: 6572 204e 616d 653a 2043 5452 4131 3232 er.Name:.PC11111
0x0080: 3824 2044 6f6d 6169 6e3a 2048 5120 4c6f 8$.Domain:.AD.Lo
0x0090: 676f 6e20 4944 3a20 2830 7830 2c30 7842 gon.ID:.(0x0,0xB
0x00a0: 3438 3943 4229 204c 6f67 6f6e 2054 7970 489CB).Logon.Typ
0x00b0: 653a 2033 204c 6f67 6f6e 2050 726f 6365 e:.3.Logon.Proce
0x00c0: 7373 3a20 4b65 7262 6572 6f73 2041 7574 ss:.Kerberos.Aut
0x00d0: 6865 6e74 6963 6174 696f 6e20 5061 636b hentication.Pack
0x00e0: 6167 653a 204b 6572 6265 726f 7320 576f age:.Kerberos.Wo
0x00f0: 726b 7374 6174 696f 6e20 4e61 6d65 3a20 rkstation.Name:.
0x0100: 4c6f 676f 6e20 4755 4944 3a20 7b64 3630 Logon.GUID:.{d60
0x0110: 6638 3232 352d 6638 3137 2d61 3739 332d f8225-f817-a793-

And this is a packet from the v9 EventReporter:

09:33:49.279231 IP (tos 0x0, ttl 127, id 26239, offset 0, flags [none], proto 17, length: 154) XXX.XXX.XXX.XXX.2408 > XXX.XXX.XXX.XXX.514: [udp sum ok] UDP, length 126
0x0000: 4500 009a 667f 0000 7f11 1c26 c0a8 0368 E...f......&...h
0x0010: cb1c 2981 0968 0202 0086 5272 4c6f 676f ..)..h....RrLogo
0x0020: 6e20 6174 7465 6d70 7420 6279 3a20 4d49 n.attempt.by:.MI
0x0030: 4352 4f53 4f46 545f 4155 5448 454e 5449 CROSOFT_AUTHENTI
0x0040: 4341 5449 4f4e 5f50 4143 4b41 4745 5f56 CATION_PACKAGE_V
0x0050: 315f 3020 4c6f 676f 6e20 6163 636f 756e 1_0.Logon.accoun
0x0060: 743a 204d 5368 6172 6d61 2053 6f75 7263 t:.USerUser.Sourc
0x0070: 6520 576f 726b 7374 6174 696f 6e3a 205c e.Workstation:.\
0x0080: 5c41 5553 5432 3131 3020 4572 726f 7220 \PC111111.Error.
0x0090: 436f 6465 3a20 3078 3020 Code:.0x0.

I'm told the text in bold from the first packet, "<133>", advises the syslog server which facility to put the incoming msg in. This is missing from the packet from the v9 EventReporter.

I've tried to mirror the settings from the v5 install to the v9 install as best I can, though I may have done something wrong. Any help would be greatly appreciated.

thanks!
raudy
New
 
Posts: 2
Joined: Fri Nov 02, 2007 1:14 am
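The "<133>" at the front of the v5 payload is the RFC 3164 PRI field: facility * 8 + severity, so 133 is facility 16 (local0), severity 5 (notice). The following is an added worked example, not code from this thread or from Adiscon: it checks a UDP syslog payload for a valid PRI, decodes it, and shows what a receiver does with a message that lacks one. The two sample payloads are constructed from the ASCII column of the tcpdump output posted above, with the IP/UDP header bytes stripped.

```python
"""Check whether a syslog datagram payload carries an RFC 3164 PRI header
("<N>") and decode it into facility and severity.

Constructed example; the sample payloads are reconstructed from the ASCII
column of the tcpdump dumps in the thread, not captured here."""
import re

# Facility names in RFC 3164 section 4.1.1 order (12-15 abbreviated).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + one to three decimal digits + ">" at the very start of the message.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(payload: bytes):
    """Return (facility, severity) from a leading PRI, or None if absent or invalid."""
    m = PRI_RE.match(payload)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return pri >> 3, pri & 0x07


def describe(payload: bytes) -> dict:
    """Summarise how an RFC 3164 receiver will file this payload.

    A message with no valid PRI is treated as PRI 13 (user.notice), which is
    why a missing header shows up as messages landing in the wrong facility."""
    parsed = parse_pri(payload)
    if parsed is None:
        has_pri, (facility, severity) = False, (1, 5)
    else:
        has_pri, (facility, severity) = True, parsed
    return {
        "has_pri": has_pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "preview": payload[:40].decode("ascii", "replace"),
    }


# Constructed from the ASCII column of the v5 dump: PRI present.
V5_SAMPLE = (b'<133>Mon Oct 22 10:10:38 2007: SVR112/Security (540) - '
             b'"Successful Network Logon: User Name: PC111118$ Domain: AD')
# Constructed from the ASCII column of the v9 dump: message starts with no PRI.
V9_SAMPLE = (b'Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 '
             b'Logon account: USerUser Source Workstation: \\\\PC111111 Error Code: 0x0')

if __name__ == "__main__":
    for name, sample in (("v5", V5_SAMPLE), ("v9", V9_SAMPLE)):
        print(name, describe(sample))
```

Running the block reports the v5 payload as local0.notice and the v9 payload as having no PRI, which a receiver files under user.notice; the same check can be pointed at the payload of any captured datagram to confirm a sender's header before touching its configuration.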

Postby alorbach » Fri Nov 02, 2007 12:22 pm

Dear raudy,

If the syslog header is missing, this could be the result of the option "Process message while relaying" being disabled in the Forward Syslog Action in your EventReporter Configuration.

If not, please send us an export of your configuration to support@adiscon.com; we will handle the support over there then.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Postby raudy » Tue Nov 06, 2007 12:42 am

Hello Andre,

Thanks for your reply. The option you mentioned was disabled; I enabled it, and the UNIX admin advises the format is better now.

Thanks for your help!
raudy
New
 
Posts: 2
Joined: Fri Nov 02, 2007 1:14 am
