> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Peter Macko
> Sent: Saturday, June 19, 2010 7:29 AM
> To: [email protected]
> Subject: [rsyslog] Windows-LogParser-TCP-RSyslog problem
>
>
> I am trying to configure central loghost RSyslog version 3.22.1 on
> CentOS 5.5 i386 to log Windows workstations Event Logs.
> On the Windows side I use LogParser 2.2.
> Everything works fine with UDP. When I swap to TCP, the first message
> is OK, but next messages start with <14> and they do not separate,
> each message on new line.

If I understand you correctly (and the samples seem to back up that view), LogParser is broken. They need to fix their TCP framing. They can use either NL after each message (industry standard) or octet-count based framing as described in RFC5425.

Rainer

>
> Let me show you some examples:
>
> UDP:
>
> Jun 18 13:50:51 OIT03 Windows: Security 1102 8 Success Audit event The
> audit log was cleared. Subject: Security ID: S-1-1-11-1111111111-
> 1111111111-1111111111-1111 Account Name: Macko Domain Name: OIT03 Logon
> ID: 0x465b0
> Jun 18 13:53:08 OIT03 Windows: Security 4776 16 Failure Audit event The
> domain controller attempted to validate the credentials for an account.
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
> Account: Adminuser Source Workstation: OIT03 Error Code: 0xc000006a
> Jun 18 13:53:10 OIT03 Windows: Security 4776 16 Failure Audit event The
> domain controller attempted to validate the credentials for an account.
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
> Account: Adminuser Source Workstation: OIT03 Error Code: 0xc000006a
>
> TCP:
>
> Jun 18 13:50:51 OIT03 Windows: Security 1102 8 Success Audit event The
> audit log was cleared. Subject: Security ID: S-1-1-11-1111111111-
> 1111111111-1111111111-1111 Account Name: Macko Domain Name: OIT03 Logon
> ID: 0x465b0 <14>Jun 18 13:53:08 OIT03 Windows:Security 4776 16 Failure
> Audit event The domain controller attempted to validate the
> credentials for an account. Authentication Package:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
> Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:10 OIT03
> Windows:Security 4776 16 Failure Audit event The domain controller
> attempted to validate the credentials for an account. Authentication
> Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser
> Source Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:13
> OIT03 Windows:Security 4776 16 Failure Audit event The domain
> controller attempted to validate the credentials for an account.
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Log on
> Account: Adminuser Source Workstation: OIT03 Error Code: 0xc000006a
> <14>Jun 18 13:53:28 OIT03 Windows:Security ...
>
> TCP IN DEBUG MODE:
>
> 3037.255100375:imtcp.c: error: message received is larger than max msg
> size, we split it
> 3037.255470975:imtcp.c: logmsg: flags 0, from '10.10.1.51', msg Jun 18
> 13:50:51 OIT03 Windows:Security 1102 8 Success Audit event The audit
> log was cleared. Subject: Security ID: S-1-1-11-1111111111-1111111111-
> 1111111111-1111 Account Name: Macko Domain Name: OIT03 Logon ID:
> 0x465b0 <14>Jun 18 13:53:08 OIT03 Windows:Security 4776 16 Failure
> Audit event The domain controller attempted to validate the credentials
> for an account. Authentication Package:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser Source
> Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:10 OIT03
> Windows:Security 4776 16 Failure Audit event The domain controller
> attempted to validate the credentials for an account. Authentication
> Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Adminuser
> Source Workstation: OIT03 Error Code: 0xc000006a <14>Jun 18 13:53:13
> OIT03 Windows:Security 4776 16 Failure Audit event The domain
> controller attempted to validate the credentials for an account.
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGeE°řą´śTŰ`ű(˛´ś:
> `ű(˛´śÎW8ÚĐ
> `űa8x˛´śf
> xŃŃPŰPŰXë8ÚŔâł´ś |đŇc¸˛´śŢĎďxŃŃ8
> ŃÉ´|đřÓ´śůäďł´śô˛´śł´ł´śř˛´śł´śł´ś°Ň<14>Jun 18 13:50:51 OIT03
> Windows:Security ...
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
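
The two framing options named in the reply, as an added example (not code from rsyslog, LogParser or anyone in this thread): a receiver-side splitter that accepts LF-delimited and octet-counted frames, and counts `<PRI>` headers found inside a frame, which is the symptom visible in the TCP sample above. The function names, the shortened sample messages and the single-space join in the unframed stream are assumptions.

```python
import re

# Octet-counting frame header: decimal MSG-LEN, one space, then a message
# that starts with its "<PRI>" header.
_OCTET = re.compile(rb"(\d{1,6}) (?=<)")
# "<PRI>" followed by an "Mmm dd " timestamp, as in the thread's "<14>Jun 18 ".
_PRI = re.compile(rb"<\d{1,3}>[A-Z][a-z]{2} [ \d]\d ")

def split_frames(buf):
    """Split received bytes into (complete_frames, unconsumed_tail)."""
    frames, pos = [], 0
    while pos < len(buf):
        m = _OCTET.match(buf, pos)
        if m:                                  # octet-counted frame
            end = m.end() + int(m.group(1))
            if end > len(buf):
                break                          # wait for the rest of the frame
            frames.append(buf[m.end():end])
            pos = end
        else:                                  # LF-delimited frame
            nl = buf.find(b"\n", pos)
            if nl < 0:
                break                          # no delimiter seen yet
            frames.append(buf[pos:nl])
            pos = nl + 1
    return frames, buf[pos:]

def embedded_pri_count(frame):
    """Count "<PRI>timestamp" headers after byte 0: messages glued together."""
    return sum(1 for _ in _PRI.finditer(frame, 1))

def diagnose(stream, at_eof=False):
    """Return [(frame, embedded_header_count)]; at EOF flush the tail as a frame."""
    frames, rest = split_frames(stream)
    if at_eof and rest:
        frames.append(rest)
    return [(f, embedded_pri_count(f)) for f in frames]

# Constructed samples, shortened from the messages quoted in the thread.
M1 = b"<14>Jun 18 13:50:51 OIT03 Windows: Security 1102 8 Success Audit event"
M2 = b"<14>Jun 18 13:53:08 OIT03 Windows: Security 4776 16 Failure Audit event"
LF_STREAM = M1 + b"\n" + M2 + b"\n"
OCTET_STREAM = b"%d %s%d %s" % (len(M1), M1, len(M2), M2)
UNFRAMED = M1 + b" " + M2   # assumed wire form of the broken sender: no delimiter

if __name__ == "__main__":
    for name, s in [("LF", LF_STREAM), ("octet", OCTET_STREAM), ("unframed", UNFRAMED)]:
        for frame, glued in diagnose(s, at_eof=True):
            print(name, len(frame), "bytes,", glued, "embedded header(s)")
```

A non-zero embedded-header count on a central loghost is a cheap signal that a sender is not framing its TCP stream and that separate audit events are being stored as one record.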

