EdwardTim / eventlog-to-syslog

Automatically exported from code.google.com/p/eventlog-to-syslog
0 stars 0 forks source link

Split up messages #46

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hi,

I would like to recieve 1 syslog message per event log message.

Currently I'm getting:

2011-07-27T14:52:42.041701+02:00 192.168.20.55 [...] ▒#010#022▒#036L<29>Jul 
27 14:52:59 xxx xxx: Security-Auditing: 4673: [...]<29>Jul 27 14:52:59 xxx xxx: 
[...]<29>Jul 27 14:52:59 xxx xxx: Security-Auditing: 4648: [...]

I would like to receieve one line per Event.

Thanks!

morphium

PS: I'm using TCP

Original issue reported on code.google.com by theodor....@gmail.com on 27 Jul 2011 at 12:56

GoogleCodeExporter commented 8 years ago
Morphium, could you tell me what OS you are running and which syslog server you 
are using?

Also, how did you get the data you added to the issue, is it from your syslog 
server or from a tool like wireshark? I'm interested in knowing what the 
separating characters are. the [...]

Original comment by sherwin....@gmail.com on 1 Aug 2011 at 4:23

GoogleCodeExporter commented 8 years ago
Hi,

I'm using Server 2008 R2 on the eventlog-to-syslog - side.
On the server side, it's rsyslog (on gentoo).
We already tried different log formats, this one looks best (standard syslog 
format).

The line I pasted is from the Server log itself, it looks like: 
2011-07-31T22:29:15.791311+02:00 192.168.20.55 nto: SophosSAUWSM-TEST0 
Arbeitsstation: XXXXXXXX Fehlercode: 0x0<29>Jul 31 22:30:16 XXXXXXXX xxxxxxxx: 
Security-Auditing: 4648: Anmeldeversuch mit expliziten Anmeldeinformationen. 
Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: XXXXXXXX$ Kontodomäne: 
yyyyyyyyy Anmelde-ID: 0x3e7 Anmelde-GUID: 
{00000000-0000-0000-0000-000000000000} Konto, dessen Anmeldeinformationen 
verwendet wurden: Kontoname: SophosSAUWSM-TEST0 Kontodomäne: XXXXXXXX 
Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Zielserver: 
Zielservername: localhost Weitere Informationen: localhost 
Prozessinformationen: Prozess-ID: 0xd9c Prozessname: 
C:\Windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe Netzwerkinformationen: 
Netzwerkadresse: - Port: - Dieses Ereignis wird bei einem Anmeldeversuch durch 
einen Prozess generiert, wenn ausdrücklich die Anmeldeinformationen des Kontos 
angegeben werden. Dies ist normalerweise der Fall in Batch-Konfigurationen, z. 
B. bei geplanten Aufgaben oder wenn der Befehl "runas" verwendet wird.<29>Jul 
31 22:30:16 XXXXXXXX xxxxxxxx: Security-Auditing: 4624: Ein Konto wurde 
erfolgreich angemeldet. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: 
XXXXXXXX$ Kontodomäne: yyyyyyyyy Anmelde-ID: 0x3e7 Anmeldetyp: 5 Neue 
Anmeldung: Sicherheits-ID: S-1-5-21-3405417-2020991102-1438646732-1000 
Kontoname: SophosSAUWSM-TEST0 Kontodomäne: XXXXXXXX Anmelde-ID: 0x1bac21fb 
Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Prozessinformationen: 
Prozess-ID: 0xd9c Prozessname: 
C:\Windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe Netzwerkinformationen: 
Arbeitsstationsname: XXXXXXXX Quellnetzwerkadresse: - Quellport: - Detaillierte 
Authentifizierungsinformationen: Anmeldeprozess: Advapi 
Authentifizierungspaket: Negotiate Übertragene Dienste: - Paketname (nur 
NTLM): - Schlüssellänge: 0 Dieses Ereignis wird beim Erstellen einer 
Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den 
zugegriffen wurde. Die Antragstellerfelder geben das Konto auf dem lokalen 
System an, von dem die Anmeldung angefordert▒#▒▒XO<29>Jul 31 22:30

It looks like you're using some multiline feature, so thats why I wrote I would 
like to receive one Event per line :)

Thanks for your time!
morphium

Original comment by theodor....@gmail.com on 1 Aug 2011 at 6:15

GoogleCodeExporter commented 8 years ago
Sorry for the delay. I recently rebuilt my system and have not gotten my test 
VMs back on this machine yet. If possible could you conduct a test using Kiwi 
Syslog Server. It's free and it's what I used to test it originally. Also, if 
you have wireshark available do a capture and see what is actually coming 
across the wire.

I did a check of the code and there is nothing unusual going on there. Each 
event should get its own packet unless Windows is doing some caching (which I 
highly doubt). I know when I tested it it worked as expected. If you don't have 
the ability to do the testing right now I will get my environment set up this 
weekend and check.

Original comment by sherwin....@gmail.com on 4 Aug 2011 at 6:01

GoogleCodeExporter commented 8 years ago
I use syslog-ng and I am getting the same results

Original comment by james.ki...@gmail.com on 7 Nov 2011 at 8:21

GoogleCodeExporter commented 8 years ago
I don't really think this is related, but is your syslog server set to
expect UTF-8 messages?

-Sherwin

On Nov 7, 2011, at 3:22 PM, "eventlog-to-syslog@googlecode.com"
<eventlog-to-syslog@googlecode.com> wrote:

Original comment by sherwin....@gmail.com on 7 Nov 2011 at 10:42

GoogleCodeExporter commented 8 years ago
Here is an output from tcpdump (2 packets). It looks to me like it is combining 
events in a single packet and seems to be using <29> or <27> to separate events.

Is this the expected behavior?

07:19:51.715860 IP jimmykang.hartlee.lan.57647 > nagios.hartlee.lan.5514: Flags 
[P.], seq 1:201, ack 1, win 46, options [nop,nop,TS val 33470222 ecr 
123772576], length 200
E.....@.@.0.
..8
..4./...vz ..g.....qx.....
.....`..<29>Nov  8 10:03:08 SERVER2 Eventlog to Syslog Service Started: Version 
4.4 (64-bit)<29>Nov  8 10:03:08 SERVER2 Flags: LogLevel=0, IncludeOnly=False, 
EnableTcp=True, IncludeTag=False, StatusInterval=0
07:19:51.715906 IP nagios.hartlee.lan.5514 > jimmykang.hartlee.lan.57647: Flags 
[.], ack 201, win 972, options [nop,nop,TS val 123772577 ecr 33470222], length 0
E..4.^@.@..i
..4
..8.../..g..vz.....<#.....
.`......
07:20:41.765883 IP jimmykang.hartlee.lan.57647 > nagios.hartlee.lan.5514: Flags 
[P.], seq 201:697, ack 1, win 46, options [nop,nop,TS val 33475330 ecr 
123772577], length 496
E..$..@.@./.
..8
..4./...vz...g............
.....`..<27>Nov  8 10:03:55 SERVER2 Security-Auditing: 4957: Windows Firewall 
did not apply the following rule: Rule Information: ID: CoreNet-IPHTTPS-In 
Name: Core Networking - IPHTTPS (TCP-In) Error Information: Reason: Local Port 
resolved to an empty set.<27>Nov  8 10:03:55 SERVER2 Security-Auditing: 4957: 
Windows Firewall did not apply the following rule: Rule Information: ID: 
CoreNet-Teredo-In Name: Core Networking - Teredo (UDP-In) Error Information: 
Reason: Local Port resolved to an empty set.

Original comment by james.ki...@gmail.com on 8 Nov 2011 at 4:26

GoogleCodeExporter commented 8 years ago
I also just verified that this only happens in TCP mode. There is no problem in 
udp mode.

Original comment by james.ki...@gmail.com on 8 Nov 2011 at 5:15

GoogleCodeExporter commented 8 years ago
I think I have an idea of the cause. I will take a look. The <##> you
see is the start of each syslog message.

-Sherwin

On Nov 8, 2011, at 12:16 PM, "eventlog-to-syslog@googlecode.com"
<eventlog-to-syslog@googlecode.com> wrote:

Original comment by sherwin....@gmail.com on 8 Nov 2011 at 6:19