I am trying to configure a central loghost, RSyslog version 3.22.1 on CentOS 5.5
i386, to log Windows workstations' Event Logs.
On the Windows side I use LogParser 2.2.
Everything works fine with UDP. When I switch to TCP, the first message is OK,
but the following messages start with <14> and are not separated with each
message on a new line.
Let me show you some examples:

UDP:
Jun 18 13:50:51 OIT03 Windows: Security 1102 8 Success Audit event The audit
log was cleared. Subject: Security ID:
S-1-1-11-1111111111-1111111111-1111111111-1111 Account Name: Macko Domain Name:
OIT03 Logon ID: 0x465b0
Jun 18 13:53:08 OIT03 Windows: Security 4776 16 Failure Audit event The domain
controller attempted to validate the credentials for an account. Authentication
Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
Workstation: OIT03 Error Code: 0xc000006a
Jun 18 13:53:10 OIT03 Windows: Security 4776 16 Failure Audit event The domain
controller attempted to validate the credentials for an account. Authentication
Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
Workstation: OIT03 Error Code: 0xc000006a
TCP:
Jun 18 13:50:51 OIT03 Windows: Security 1102 8 Success Audit event The audit
log was cleared. Subject: Security ID:
S-1-1-11-1111111111-1111111111-1111111111-1111 Account Name: Macko Domain Name:
OIT03 Logon ID: 0x465b0 <14>Jun 18 13:53:08 OIT03 Windows:Security 4776 16
Failure Audit event The domain controller attempted to validate the
credentials for an account. Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:10 OIT03
Windows:Security 4776 16 Failure Audit event The domain controller attempted to
validate the credentials for an account. Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:13 OIT03
Windows:Security 4776 16 Failure Audit event The domain controller attempted
to validate the credentials for an account. Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Log on Account: Adminuser Source
Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:28 OIT03
Windows:Security ...
TCP IN DEBUG MODE:
3037.255100375:imtcp.c: error: message received is larger than max msg size, we
split it
3037.255470975:imtcp.c: logmsg: flags 0, from '10.10.1.51', msg Jun 18 13:50:51
OIT03 Windows:Security 1102 8 Success Audit event The audit log was cleared.
Subject: Security ID: S-1-1-11-1111111111-1111111111-1111111111-1111 Account
Name: Macko Domain Name: OIT03 Logon ID: 0x465b0 <14>Jun 18 13:53:08 OIT03
Windows:Security 4776 16 Failure Audit event The domain controller attempted to
validate the credentials for an account. Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:10 OIT03
Windows:Security 4776 16 Failure Audit event The domain controller attempted to
validate the credentials for an account. Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:13 OIT03
Windows:Security 4776 16 Failure Audit event The domain controller attempted to
validate the credentials for an account. Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGeE°řą´śTŰ`ű(˛´ś:
`ű(˛´śÎW8ÚĐ
`űa8x˛´śf
xŃŃPŰPŰXë8ÚŔâł´ś |đŇc¸˛´śŢĎďxŃŃ8
ŃÉ´|đřÓ´śůäďł´śô˛´śł´ł´śř˛´śł´śł´ś°Ň<14>Jun 18 13:50:51 OIT03 Windows:Security
...
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
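
Added example, not part of the original post and not rsyslog's imtcp code: a simplified Python model of newline-delimited TCP syslog framing (RFC 6587 non-transparent framing), showing how a stream of messages without a trailing LF is read as one oversized message and cut at the size limit, and how the same messages frame once each ends in LF. It assumes the sender omits the LF; `frame_stream`, `terminate`, the 2048-byte limit and the shortened sample messages are constructed for this sketch.

```python
# Simplified model of LF-delimited TCP syslog framing (not rsyslog's imtcp code).
MAX_MSG = 2048  # assumed receiver limit for this sketch


def frame_stream(chunks, max_msg=MAX_MSG):
    """Split a TCP byte stream into messages on LF, as a plain-TCP syslog
    receiver does. A buffer that reaches max_msg without an LF is cut there,
    which is the "larger than max msg size, we split it" case."""
    messages, buf = [], bytearray()
    for chunk in chunks:              # chunks = what successive recv() calls return
        for byte in chunk:
            if byte == 0x0A:          # LF ends the current message
                if buf:
                    messages.append(bytes(buf))
                buf.clear()
            else:
                buf.append(byte)
                if len(buf) >= max_msg:
                    messages.append(bytes(buf))   # forced split, no LF seen
                    buf.clear()
    if buf:                           # connection closed with data pending
        messages.append(bytes(buf))
    return messages


def terminate(msg):
    """Sender-side fix: make sure each message ends with exactly one LF."""
    return msg.rstrip(b"\r\n") + b"\n"


# Constructed sample messages, shortened from the log lines in the post.
SAMPLE = [
    b"<14>Jun 18 13:50:51 OIT03 Windows:Security 1102 8 Success Audit event",
    b"<14>Jun 18 13:53:08 OIT03 Windows:Security 4776 16 Failure Audit event",
    b"<14>Jun 18 13:53:10 OIT03 Windows:Security 4776 16 Failure Audit event",
]


def demo():
    unterminated = frame_stream(SAMPLE)                    # no LF between messages
    terminated = frame_stream([terminate(m) for m in SAMPLE])
    return unterminated, terminated


if __name__ == "__main__":
    bad, good = demo()
    print(len(bad), "message(s) without LF:", bad[0][:60], b"...")
    print(len(good), "message(s) with LF")
```

UDP does not show the problem because each datagram is already one message; on TCP the receiver has only the delimiter (or an octet count) to find message boundaries.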