Hey,
I've been getting a rather strange behaviour over the past few days and I'm
not sure where it originates from.
I'm running rsyslog 5.6.4 with MySQL and Eventlog to Syslog on my Windows
test server.
The problem:
I'm filtering out messages to get the ones with Windows Event 540 -
modifying them depending on what their contents are.
At random though, some messages get into the logs and DB twice - with 2
different filters applied.
I'm filtering with
$template Win540,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, EventLogType, EventSource, EventId, EventUser, ProcessID) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%programname%', 'Successful Network Logon', '%msg:F,32:50%', '540', '%msg:F,32:9%', '%msg:F,32:14%')",sql
$template WinNT540,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, EventLogType, EventSource, EventId, EventUser, ProcessID) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%programname%', 'Successful Network Logon', '%msg:F,32:51%', '540', '%msg:F,32:10%', '%msg:F,32:15%')",sql
$template WinNTano540,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, EventLogType, EventSource, EventId, EventUser, ProcessID) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%programname%', 'Successful Network Logon', '%msg:F,32:51%', '540', 'ANONYMOUS', '%msg:F,32:14%')",sql
:msg, startswith, " 540: NT AUTHORITY\\SYSTEM" >localhost,Syslog,rsyslog,password;WinNT540
& ~
:msg, startswith, " 540: NT AUTHORITY\\ANONYMOUS LOGON" >localhost,Syslog,rsyslog,password;WinNTano540
& ~
:msg, startswith, " 540:" >localhost,Syslog,rsyslog,password;Win540
& ~
And way way later in the config I have a default template:
$template Evtsys,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, EventLogType, EventId) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%programname%', 'Generic Event', '%msg:F,58:1%')",sql
:syslogtag, contains, "Security" >localhost,Syslog,rsyslog,password;Evtsys
& ~
(All my Windows messages come with "Security" or "Security-Auditing".)
As said, this works fine for 99.x% of the messages, but at random I get
things like
540: DOMAIN\USER: Successful Network Logon: User Name: USER Domain: DOMAIN Logon ID: (0x0,0x1111111) Logon Type: 3 Logon Process: (…..) Name: Logon GUID: {xxxxxxxxxxxxx-xxxxxx-xxxxxx-xxx} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: <ip> Source Port: 0
into the DB twice - one formatted with Win540 and one with Evtsys.
They are 100% the same, text and content wise (and yes, there is a space
ahead of the 540 also).
Any ideas on why exactly I would see doubles?
Regards
----------------------------------------
Raiffeisen-Landesbank Steiermark AG, Graz, FN 264700 s, Landesgericht für
Zivilrechtssachen Graz, DVR 0040495
Correspondence with a.m. sender via e-mail is only for information
purposes. This medium is not to be used for the exchange of legally-binding
communications.
----------------------------------------
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
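To make the first-match-then-discard behaviour of the rule chain in the mail easy to reason about, here is a small model of it as an added example (not the poster's config and nothing from the rsyslog project). It replays the three `startswith` filters, each followed by `& ~`, and the later `Evtsys` catch-all over a few constructed Event 540 messages, reports which template each message ends up with, and then runs the duplicate check one would run against SystemEvents: same Message, FromHost and DeviceReportedTime stored more than once. The sample messages, the host name `winhost`, the timestamps and the cut-down four-column SystemEvents table are constructed; the rule semantics (every matching action runs top to bottom, `& ~` stops further processing of that message) are rsyslog's documented behaviour.

```python
import sqlite3

# Constructed sample messages (not from the mail), shaped like the Event 540 text
# quoted above; only the leading text matters for the startswith filters.
SAMPLES = [
    (" 540: DOMAIN\\USER: Successful Network Logon: User Name: USER Domain: DOMAIN", "Security"),
    (" 540: NT AUTHORITY\\SYSTEM: Successful Network Logon: User Name: SYSTEM", "Security"),
    (" 540: NT AUTHORITY\\ANONYMOUS LOGON: Successful Network Logon: User Name: ANONYMOUS LOGON", "Security"),
    ("540: DOMAIN\\USER: Successful Network Logon: User Name: USER", "Security"),  # no leading space
    (" 538: DOMAIN\\USER: User Logoff", "Security-Auditing"),
]

# EventLogType each template writes, taken from the templates in the mail.
LOGTYPE = {
    "WinNT540": "Successful Network Logon",
    "WinNTano540": "Successful Network Logon",
    "Win540": "Successful Network Logon",
    "Evtsys": "Generic Event",
}


def build_rules(discard=True):
    """The rule chain in config order: (filter on (msg, syslogtag), template, '& ~' present).

    discard=False models the same chain with the three '& ~' lines removed, so the
    effect of the discard can be compared side by side.
    """
    return [
        (lambda m, t: m.startswith(" 540: NT AUTHORITY\\SYSTEM"), "WinNT540", discard),
        (lambda m, t: m.startswith(" 540: NT AUTHORITY\\ANONYMOUS LOGON"), "WinNTano540", discard),
        (lambda m, t: m.startswith(" 540:"), "Win540", discard),
        # "way way later": the catch-all for everything tagged Security / Security-Auditing
        (lambda m, t: "Security" in t, "Evtsys", True),
    ]


def route(msg, tag, rules):
    """Templates a message is written with: rsyslog runs every matching action top to
    bottom, and '& ~' after an action discards the message so later rules never see it."""
    hit = []
    for matches, template, discard in rules:
        if matches(msg, tag):
            hit.append(template)
            if discard:
                break
    return hit


def load_and_find_duplicates(rules):
    """Write each routed row into a cut-down SystemEvents table (sqlite, in memory)
    and return the messages stored more than once for the same host and time,
    with the row count and the EventLogType values involved."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SystemEvents (Message TEXT, FromHost TEXT, "
               "DeviceReportedTime TEXT, EventLogType TEXT)")
    for i, (msg, tag) in enumerate(SAMPLES):
        for template in route(msg, tag, rules):
            db.execute("INSERT INTO SystemEvents VALUES (?, ?, ?, ?)",
                       (msg, "winhost", f"2011-03-01 12:00:{i:02d}", LOGTYPE[template]))
    # The same GROUP BY / HAVING query runs unchanged against the real MySQL table.
    rows = db.execute(
        "SELECT Message, COUNT(*), GROUP_CONCAT(EventLogType) FROM SystemEvents "
        "GROUP BY Message, FromHost, DeviceReportedTime HAVING COUNT(*) > 1").fetchall()
    return {msg: (n, types) for msg, n, types in rows}


if __name__ == "__main__":
    for discard in (True, False):
        rules = build_rules(discard)
        print("with '& ~'" if discard else "without '& ~'")
        for msg, tag in SAMPLES:
            print("  %-45s -> %s" % (msg[:45], route(msg, tag, rules)))
        print("  duplicates:", load_and_find_duplicates(rules))
```

With the discards in place every message reaches exactly one template and the duplicate query comes back empty; the message without the leading space falls past all three ` 540:` filters and is written by Evtsys alone, still as a single row. Only when a matching action is not followed by `& ~` does the same message reach both a 540 template and Evtsys, which is the pattern the duplicate query is built to surface, so running that query against the real SystemEvents table (grouping on Message, FromHost and DeviceReportedTime and listing the EventLogType values) is a quick way to measure how many rows are affected and which template pairs are involved.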