hanhongwen / eventlog-to-syslog

Automatically exported from code.google.com/p/eventlog-to-syslog

No events logged to syslog #24

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Installed the 64 bit version on Windows 2008 R2 Server into the \Windows\System32 directory

2. Installed the service via:
  evtsys -i -h 172.18.1.59

3. From the command line
  net start evtsys

What is the expected output? What do you see instead?

Logs to be sent to the Fedora 14 syslog-ng server.  No logs are sent.

What version of the product are you using? On what operating system?

Windows 2008 R2 64 bit
Fedora 14 Syslog-ng server 64 bit
EvtSys 4.4 64 bit

Please provide any additional information below.

HKLM\Software\ECN\EvtSys\3.0
Default = not set
Facility = 3
IncludeOnly = 0
LogHost = 172.18.1.59
LogHost2 = 
LogLevel = 0
Port = 514
QueryDhcp = 0
StatusInterval = 1

Running via evtsys -d -h 172.18.1.59 I get the following every minute:
Feb  1 14:50:00 SHAREPOINT2010 Eventlog to Syslog Service Started: Version 4.4 (64-bit)
Feb  1 14:50:00 SHAREPOINT2010 Flags: LogLevel=0, IncludeOnly=False, StatusInterval=1
Feb  1 14:50:55 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:51:56 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:52:57 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:53:59 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:55:02 SHAREPOINT2010 Eventlog to Syslog Service Running

Original issue reported on code.google.com by khei...@gmail.com on 1 Feb 2011 at 4:09

GoogleCodeExporter commented 9 years ago
Oh, the evtsys.cfg file has nothing other than the blank default comments.

'!!!!THIS FILE IS REQUIRED FOR THE SERVICE TO FUNCTION!!!!
'
'Comments must start with an apostrophe and
'must be the only thing on that line.
'
'Do not combine comments and definitions on the same line!
'
'Format is as follows - EventSource:EventID
'Use * as a wildcard to ignore all ID's from a given source
'E.g. Security-Auditing:*
'
'In Vista/2k8 and upwards remove the 'Microsoft-Windows-' prefix
'**********************:**************************

Original comment by khei...@gmail.com on 1 Feb 2011 at 4:17

GoogleCodeExporter commented 9 years ago
OK, after a lot of debugging I think I know what is going on. When setting up the filters the host is all capitals, and within syslog-ng it is matching the host as lowercase against the sent message, which is uppercase. Once I figured this out, all is good. Might be a good thing to put in the docos.

Original comment by khei...@gmail.com on 2 Feb 2011 at 12:57
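The case-sensitivity mismatch described in the comment above, shown as an added syslog-ng configuration example (not the project's own config and not the reporter's): the hostname SHAREPOINT2010 and UDP port 514 come from the issue, while the source, filter and destination names and the log file paths are assumptions for illustration.

```conf
# Added example for the EvtSys -> syslog-ng case-sensitivity problem above.
# Source: EvtSys sends plain UDP syslog to port 514 (Port = 514 in the registry dump).
# udp() is the legacy driver of the 2011-era syslog-ng on Fedora 14; newer versions
# use network(transport("udp")) instead.
source s_evtsys {
    udp(ip(0.0.0.0) port(514));
};

# Weak filter (what the reporter ran into): host() is a case-sensitive regex
# match on the HOST field, and EvtSys sends the Windows hostname in upper case
# ("SHAREPOINT2010"), so a lowercase pattern silently matches nothing.
filter f_sharepoint_weak { host("^sharepoint2010$"); };

# Corrected filter: match the host case-insensitively so either spelling works.
filter f_sharepoint { host("^sharepoint2010$" flags(ignore-case)); };

destination d_windows   { file("/var/log/windows-$HOST.log"); };   # assumed path
destination d_unmatched { file("/var/log/evtsys-unmatched.log"); }; # assumed path

# Route the Windows events with the corrected filter.
log { source(s_evtsys); filter(f_sharepoint); destination(d_windows); };

# Detection check: anything from this source that no other log path accepted
# lands here, which is how a silently dropped uppercase host would have shown up.
log { source(s_evtsys); destination(d_unmatched); flags(fallback); };
```

After reloading, a hit in /var/log/evtsys-unmatched.log (assumed path) while the per-host file stays empty points at a filter mismatch rather than at EvtSys not sending.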

GoogleCodeExporter commented 9 years ago
Thanks for responding back with your solution. I will add this about syslog-ng 
to the docs.

Original comment by sherwin....@gmail.com on 2 Feb 2011 at 2:31