Just a guess, but could this be it? Could zebedee on the Windows side be listening to udp:514 on the Windows machine's IP address, and not 127.0.0.1? Or vice versa?

Make sure that evtsys is sending to the same IP address that zebedee is listening on. Both should be either the machine's IP address or the 127.0.0.1 address.

/Jason

-- 
You can have my Mac when you pry it from my cold, dead hands.
e:[EMAIL PROTECTED] v:514-815-8204

<quote who="Marcin Wasilewski">
> Hello,
>
> Thanks for your reply. I think that Zebedee will be good, but I have some
> problems with sending events through the tunnel I made with this.
>
> I ran:
> zebedee -U -s on the syslog-ng server machine
>
> and on my Windows client machine:
> C:\Program Files\Zebedee>zebedee.exe -U 1234:syslog-machine:22
> zebedee(3944/2384): Listening on local port 1234
> zebedee(3944/2384): Listening on local port 1234
>
> to test that I can connect by SSH on port 1234 on my localhost to
> syslog-machine - and it works.
>
> Then I changed it to tunnel UDP events to syslog:
> C:\Program Files\Zebedee>zebedee.exe -U 514:syslog-machine:514
> zebedee(968/2732): Listening on local port 514
> zebedee(968/2732): Listening on local port 514
>
> and changed the evtsys service to report events to my localhost:
> net stop evtsys
> evtsys -u
> evtsys -i -h my_local_ip
> net start evtsys
>
> and nothing is sent to syslog-machine... and I wonder why... Maybe you
> have any ideas?
>
> Best regards
> Marcin
>
> ----- Original Message -----
> From: "Michael Bryant" <[EMAIL PROTECTED]>
> To: "Jason Taylor" <[EMAIL PROTECTED]>
> Cc: "Marcin Wasilewski" <[EMAIL PROTECTED]>; <[email protected]>
> Sent: Sunday, July 23, 2006 3:00 AM
> Subject: Re: [Php-syslog-ng-support] Secure log transfer to central log server
>
>> Gday,
>>
>> To add to what Jason has said, at the place I work we mainly collect event
>> logs from Windows servers; due to working in a legal environment, to us
>> data integrity is of the utmost importance.
>>
>> Our setup is as follows:
>>
>> Syslog on the Windows server being fed to a central syslog-ng server
>> over a secure tunnel (using Zebedee). When the data reaches the syslog-ng
>> server the data is decrypted and then fed into a MySQL database. The
>> server is protected by using iptables and we run tripwire on the server
>> every night to make sure that data integrity is kept.
>>
>> Check out the following link of an email I sent to the syslog-ng mail
>> list last year for more info.
>>
>> https://lists.balabit.hu/pipermail/syslog-ng/2005-June/007570.html
>>
>> I hope that will help.
>>
>> Kind Regards
>>
>> Michael
>>
>> Quoting Jason Taylor <[EMAIL PROTECTED]>:
>>
>>> I use our parallel backup backbone for log transfers.
>>> All hosts feed via standard syslog (udp:514) to a syslog-ng collector
>>> running on the backup server in each data centre. These then feed via
>>> tcp:5140 to the central log server over an stunnel (check sourceforge)
>>> connection. In order to tunnel via ssh or stunnel, you need to be using
>>> TCP as a transport and not UDP.
>>>
>>> This keeps the individual hosts as "standard" as possible. I don't
>>> want to have to worry about getting a syslog-ng package for each host,
>>> not to mention what to do about the Cisco or other equipment that only
>>> supports regular syslog. So my take is to feed collectors in each
>>> data-centre via standard udp syslog.
>>>
>>> As for the Windows hosts, we are using ntsyslog, available via
>>> sourceforge.
>>>
>>> Our Windows admins have packaged it up with a standard config and
>>> include it in all server images.
>>>
>>> I am still wondering what to do for some measure of high availability
>>> of the logs. One possibility is to have each syslog-ng collector of
>>> each data-centre send to two separate central log servers, one in
>>> Montreal, the other in Toronto. Problem here is that SEQ numbers are
>>> out of sync between the two databases. Another is to have some MySQL
>>> database replication. A disadvantage here is that should the primary
>>> go down, new log events will be dropped.
>>>
>>> I suppose if we really wanted to go one step beyond, we could include
>>> some sort of data-integrity field that is calculated at event-generation
>>> time and provides an MD5 hash of the host, time/date and syslog event
>>> data. Then, when logs are viewed, we could recalculate the hash and
>>> compare with the original. If done properly, this would provide a layer
>>> of non-repudiation in case the logs are to be used in a legal aspect.
>>>
>>> Cheers,
>>>
>>> /Jason
>>>
>>> On Jul 21, 2006, at 6:16 AM, Marcin Wasilewski wrote:
>>>
>>>> Hello,
>>>>
>>>> I have a question about secure central logging. How do you secure
>>>> your configurations, is it ssh tunnelling or maybe something else? And
>>>> what about events from Windows hosts? My central log server is
>>>> Debian, syslog-ng and mysql.
>>>> Thanks for every info.
>>>>
>>>> Best regards
>>>> Marcin
>>>>
>>>> -------------------------------------------------------------------------
>>>> Take Surveys. Earn Cash. Influence the Future of IT
>>>> Join SourceForge.net's Techsay panel and you'll get the chance to
>>>> share your opinions on IT & business topics through brief surveys --
>>>> and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>>>> _______________________________________________
>>>> Php-syslog-ng-support mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/php-syslog-ng-support
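Jason's data-integrity field idea, worked through as an added example that is not part of this thread: a per-event tag over host, time/date and event data, computed at generation time and recomputed when the logs are viewed. It swaps the bare MD5 he mentions for a keyed HMAC-SHA256, since an unkeyed hash can be recomputed by whoever alters the record; the key, the syslog lines and the `tag=` field format are all constructed assumptions.

```python
import hashlib, hmac, re

# Assumed shared secret; in practice loaded from a protected store, never
# stored alongside the log records it protects.
KEY = b"example-collector-key"

# Minimal BSD-syslog-style line: "<PRI>Mon DD HH:MM:SS host message"
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def event_tag(host: str, timestamp: str, message: str) -> str:
    """Tag over host, time/date and event data, computed at generation time."""
    # Length-prefix each field so field boundaries cannot be shifted around.
    data = b"".join(len(f).to_bytes(4, "big") + f for f in
                    (host.encode(), timestamp.encode(), message.encode()))
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def tag_line(line: str) -> str:
    """Append the tag to a syslog line as a trailing 'tag=' field."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    _pri, ts, host, msg = m.groups()
    return f"{line} tag={event_tag(host, ts, msg)}"

def verify_line(tagged: str) -> bool:
    """Recompute the tag at viewing time and compare with the stored one."""
    body, sep, tag = tagged.rpartition(" tag=")
    if not sep:
        return False  # record carries no tag at all
    m = LINE_RE.match(body)
    if not m:
        return False
    _pri, ts, host, msg = m.groups()
    return hmac.compare_digest(event_tag(host, ts, msg), tag)

# Constructed sample events (not real captures).
SAMPLE = [
    "<13>Jul 23 03:00:01 winsrv01 Security: Logon success for user alice",
    "<13>Jul 23 03:00:05 winsrv01 Security: Logon failure for user bob",
]

def demo():
    stored = [tag_line(l) for l in SAMPLE]
    # Simulate an after-the-fact edit of the second record's message text.
    tampered = stored[1].replace("failure", "success")
    return [verify_line(s) for s in stored] + [verify_line(tampered)]

if __name__ == "__main__":
    print(demo())  # [True, True, False]
```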

