SYSLOG output

  • Question

  • User531388329 posted

    I have the following information:

    Source server name: xyz123

    Event log: Security

    Event log filtering facility: local6

    Target syslog server: ABC123, port 514

    Target file name: windows.log

    How can I retrieve the last 15 minutes of data from the source server's Security event log for the facility local6 and send it to the syslog server?

    I tried different options in LogParser, with and without a config file. Nothing did the trick.

    Somebody please show me the trick.

    Tuesday, August 21, 2007 2:21 AM

Answers

  • User531388329 posted

    This is what I did

    1. Created folder C:\DRV\LogParser

    2. Copied LogParser.dll and LogParser.exe to C:\DRV\LogParser

    3. Created C:\DRV\LogParser\QUERY.SQL with the following statement

    SELECT TimeGenerated AS TimeStamp,
           ComputerName AS Host,
           EventID AS Tag,
           EventCategory AS Facility,
           EventType AS Severity,
           Message AS Message
    INTO @xxx.yyy.jjj.com:514
    FROM Security
    WHERE TRIM(EventTypeName) = 'Failure Audit event'
      AND TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:30', 'hh:mm:ss'))

    4. Created C:\DRV\LogParser\Syslogparser.bat with the following statement

    LogParser.exe file:Query.sql -o:SYSLOG -facility:local6

    5. Scheduled C:\DRV\LogParser\Syslogparser.bat to be executed every 15 minutes.

    6. Repeated steps 1 to 5 on all the servers.

    Note: @xxx.yyy.jjj.com:514 should be your syslog server's address and port.

    Thanks for your help.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, June 22, 2005 5:48 AM

All replies

  • User531388329 posted

    Windows does not have a concept of facility; that's a syslog/Unix-only concept.

    You need to come up with your own mapping that decides in which instances an event has a 'local6' facility. Once you decide that, then you can use one of the examples shown in the help file.

    As a side note, the following WHERE clause, when added to a query, will make it retrieve the last 15 minutes worth of logs:

    WHERE TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:00', 'hh:mm:ss'))

    Monday, May 23, 2005 8:26 AM
  • User531388329 posted

    I'd like to know a sample command line to dump the entire Security log onto a SYSLOG server.


    Thursday, June 2, 2005 7:19 AM
  • User531388329 posted

    From the documentation:

    SELECT TimeGenerated,
           CASE SourceName
             WHEN 'EventLog' THEN 'mark'
             WHEN 'Service Control Manager' THEN 'daemon'
             WHEN 'Print' THEN 'lpr'
             WHEN 'Kerberos' THEN 'auth'
             WHEN 'NETLOGON' THEN 'logaudit'
             WHEN 'Application Popup' THEN 'local7'
             ELSE 'local0'
           END AS MyFacility,
           CASE EventTypeName
             WHEN 'Error event' THEN 'err'
             WHEN 'Warning event' THEN 'warning'
             WHEN 'Information event' THEN 'info'
             ELSE 'info'
           END AS MySeverity,
           ComputerName,
           STRCAT(SourceName, ':'),
           Message
    INTO @MYSERVER04
    FROM System

    Monday, June 6, 2005 5:23 PM
  • User531388329 posted
    Thank you very much.
    Wednesday, June 8, 2005 12:32 PM
  • User531388329 posted

    Wonderful!

    Mak, thanks a lot for posting the very first application of LogParser's SYSLOG output format!

    Thursday, June 23, 2005 7:39 AM
  • User531388329 posted
    No worries. Just sharing my ignorance and experience.
    Thursday, June 23, 2005 9:04 AM