
Windows eventlogs to a syslog server


Postby Phil » Wed Jul 20, 2005 4:03 pm

Hi !

I'm trying to send Windows event logs to a syslog server.

The logs I receive from the Windows agent are Windows-like logs and not Linux-like logs. Is there a way to change the Windows clients so the output is more Unix-like messages?

Windows-like event syslog message :

Jul 20 13:46:29 WP1146/192.168.60.76 MSWinEventLog 2 Application 1 Mon Jul 18 17:56:54 2005 1 EvtSys Unknown User N/A Error WP1146 None Invalid log host: "newhostname" 0

Does anyone know if it's possible to have an output like this:

Jul 20 13:46:29 WP1146 : Error WP1146 None Invalid log host: "newhostname" (which is very similar to linux logs)

Thank you

Phil

Postby rgerhards » Thu Jul 21, 2005 9:40 am

Hi Phil,

I have to admit I am a bit puzzled by your sample. Is this an actual sample or just a hypothetical one?

In general, the text itself is based on what the Windows application generates. With EventReporter and MonitorWare Agent, you can reformat the message (via the PostProcess Action), but it would be a massive amount of work to do this for all messages. The problem is that if you would like to change the actual message text, you would need to do this on a message-by-message basis. However, if you would just like to shuffle some fields inside the message, that is easy.

I would appreciate if you could post some actual sample data (from the system event log, for example), so that we can see what can be tweaked.

HTH
Rainer

Windows event logs to a syslog server

Postby Phil » Thu Jul 21, 2005 3:08 pm

Thanks for the answer.

>I have to admit I am a bit puzzled by your sample. Is this an actual sample or just a hypothetical one?

na, that is a real log (yes, I know...) I received on my syslog server from a Windows box.
I'm doing log filtering on some keywords, and the event logs I receive from Windows boxes can't be processed with the log-checker app I'm using with that output format.

>In general, the text itself is based on what the Windows application generates. With EventReporter and MonitorWare Agent, you can reformat the message (via the PostProcess Action), but it would be a massive amount of work to do this for all messages. The problem is that if you would like to change the actual message text, you would need to do this on a message-by-message basis. However, if you would just like to shuffle some fields inside the message, that is easy.

I don't want to change all the messages, just their format.
I'd like to remove all the fields (or tokens) and keep something like:

<timestamp> <machine> : <message>

as in a Linux log...

>I would appreciate if you could post some actual sample data (from the system event log, for example), so that we can see what can be tweaked.

This is a Windows event log I received today:

Jul 21 15:01:27 WP1146/192.168.60.76 MSWinEventLog 2 System 2 Wed Jul 20 15:00:17 2005 7000 Service Control Manager Unknown User N/A Error WP1146 None The service failed to start due to the following error: The system cannot find the file specified. 1

I'd like to see something like this:

Jul 21 15:01:27 WP1146/192.168.60.76 : The service failed to start due to the following error: The system cannot find the file specified.
Phil
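The reduction Phil asks for, shown as an added example that is not part of the thread and not code from Adiscon's EventReporter or MonitorWare Agent: a small Python parser for the MSWinEventLog lines pasted above that renders each one as `<timestamp> <machine> : <message>`. The field order after the `MSWinEventLog` marker is inferred from the two samples in the thread; that the format is tab-delimited on the wire is an assumption (the forum shows the lines with tabs flattened to spaces), so the parser accepts both forms, and for the flattened form it locates the message by anchoring the event type keyword to the computer name already known from the syslog header, which is a heuristic. The sample lines and the tab-delimited reconstruction are constructed here.

```python
import re
from typing import Optional

# Syslog prefix as the thread shows it: "<Mon DD HH:MM:SS> <host> MSWinEventLog <body>".
# The host token is "WP1146/192.168.60.76" (name/IP); the short computer name is the
# part before the "/".
SYSLOG_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+)[ \t]+MSWinEventLog[ \t]+(?P<rest>.*)$"
)

# Field order after the marker, inferred from the two samples in the thread
# (assumption: Snare-style tab-delimited layout as actually sent on the wire).
FIELDS = ("criticality", "log", "counter", "event_date", "event_id", "source",
          "user", "sid_type", "event_type", "computer", "category")  # then message, trailer

EVENT_TYPES = r"Success Audit|Failure Audit|Information|Warning|Error"

# Leading fields of a space-flattened body: criticality, log, counter, date, event id.
FLAT_HEAD = re.compile(
    r"^(?P<criticality>\d+) (?P<log>\S+) (?P<counter>\d+) "
    r"(?P<event_date>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<event_id>\d+) (?P<middle>.*)$"
)


def _parse_tabbed(rest: str) -> Optional[dict]:
    """Tab-delimited body: one cell per field; tabs inside the message are preserved."""
    parts = rest.split("\t")
    if len(parts) < len(FIELDS) + 2:
        return None
    ev = dict(zip(FIELDS, parts[:len(FIELDS)]))
    ev["message"] = "\t".join(parts[len(FIELDS):-1])
    ev["trailer"] = parts[-1]
    return ev


def _parse_flattened(rest: str, short_host: str) -> Optional[dict]:
    """Space-flattened body (as pasted in the thread). Source and user can contain
    spaces, so the message is located from the right: the event type keyword must be
    followed by the computer name taken from the syslog header (heuristic)."""
    head = FLAT_HEAD.match(rest)
    if not head:
        return None
    tail = re.compile(
        rf"(?P<event_type>{EVENT_TYPES}) (?P<computer>{re.escape(short_host)}) "
        r"(?P<category>\S+) (?P<message>.*) (?P<trailer>\d+)$"
    ).search(head.group("middle"))
    if not tail:
        return None
    ev = head.groupdict()
    # Between event id and event type sit "source user sid_type"; the flattened form
    # cannot split them safely, so keep them as one field.
    ev["source_user"] = head.group("middle")[:tail.start()].rstrip()
    del ev["middle"]
    ev.update(tail.groupdict())
    return ev


def parse_event(line: str) -> Optional[dict]:
    """Parse one MSWinEventLog syslog line into named fields, or None if it is not one."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    rest = m.group("rest")
    short_host = m.group("host").split("/", 1)[0]
    body = _parse_tabbed(rest) if "\t" in rest else _parse_flattened(rest, short_host)
    if body is None:
        return None
    body["timestamp"] = m.group("timestamp")
    body["host"] = m.group("host")
    return body


def normalize(line: str) -> Optional[str]:
    """Reduce a line to '<timestamp> <machine> : <message>' as requested in the thread."""
    ev = parse_event(line)
    return None if ev is None else f"{ev['timestamp']} {ev['host']} : {ev['message']}"


# Constructed samples: the two lines pasted in the thread (space-flattened) and a
# tab-delimited reconstruction of the second one.
SAMPLE_FLAT = [
    'Jul 20 13:46:29 WP1146/192.168.60.76 MSWinEventLog 2 Application 1 Mon Jul 18 17:56:54 2005 1 EvtSys Unknown User N/A Error WP1146 None Invalid log host: "newhostname" 0',
    "Jul 21 15:01:27 WP1146/192.168.60.76 MSWinEventLog 2 System 2 Wed Jul 20 15:00:17 2005 7000 Service Control Manager Unknown User N/A Error WP1146 None The service failed to start due to the following error: The system cannot find the file specified. 1",
]
SAMPLE_TABBED = ("Jul 21 15:01:27 WP1146/192.168.60.76 MSWinEventLog\t2\tSystem\t2\t"
                 "Wed Jul 20 15:00:17 2005\t7000\tService Control Manager\tUnknown User\t"
                 "N/A\tError\tWP1146\tNone\tThe service failed to start due to the "
                 "following error: The system cannot find the file specified.\t1")

if __name__ == "__main__":
    for sample in SAMPLE_FLAT + [SAMPLE_TABBED]:
        print(normalize(sample))
```

The parser keeps the event id, source, user and event type as separate fields even though the requested output discards them; a keyword-based log checker gains little from the free-text message alone, and those fields are the ones worth matching on (for example filtering on event id 7000 rather than on the phrase "failed to start"), so a sensible pipeline feeds the normalized line to the existing tool and retains the parsed record alongside it.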
 

Postby rgerhards » Thu Jul 21, 2005 4:02 pm

OK, let me check the config. Not sure if I'll be able to manage it in the (short;)) rest of today, but I'll provide you a sample soon. Question, though: are you using MonitorWare Agent or EventReporter?

Rainer