We are using IBM WinCollect. Is nxlog open source? Here is a raw message I write to a file using rsyslog.

Sep 10 11:26:41 192.168.6.197 AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003#011Source=Microsoft-Windows-Security-Auditing#011Computer=WIN-C9JDK1MDI5G#011OriginatingComputer=#011User=#011Domain=#011EventID=5156#011EventIDCode=5156#011EventType=8#011EventCategory=12810#011RecordNumber=622562#011TimeGenerated=1441866149#011TimeWritten=1441866149#011Level=0#011Keywords=0#011Task=0#011Opcode=0#011Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 912 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 224.0.0.252 Source Port: 5355 Destination Address: 192.168.6.109 Destination Port: 50215 Protocol: 17 Filter Information: Filter Run-Time ID: 66094 Layer Name: Receive/Accept Layer Run-Time ID: 44

On Thu, Sep 10, 2015 at 3:17 PM, David Lang <[email protected]> wrote:

> On Thu, 10 Sep 2015, Muhammad Asif wrote:
>
>> Hi David,
>>
>> Thanks for being such a prompt helper and guide. We cannot make Windows
>> Server 2012 send logs in a specific format.
>> But we solved the issue by using the following template.
>>
>> $template msgonly,"%rawmsg%\n"
>>
>> What else could the solution be?
>
> well, I don't know what your rawmsg looks like, so I can't say what's
> wrong with it, but you probably should do something more than just send the
> rawmsg on.
>
> what software are you using on the windows 2012 servers to send the logs?
> Microsoft doesn't include any software to do so that I am aware of.
>
> David Lang
>
>> Thanks
>>
>> On Thu, Sep 10, 2015 at 12:08 PM, David Lang <[email protected]> wrote:
>>
>>> On Thu, 10 Sep 2015, Muhammad Asif wrote:
>>>
>>>> Hi Geeks,
>>>>
>>>> We are using the TCP protocol for sending logs from rsyslog to fluentd on
>>>> the same system. We also tested sending logs to another system over TCP.
>>>> But the problem is that rsyslog doesn't send the complete log.
>>>>
>>>> On Sending server
>>>>
>>>> *.* action(type="omfwd" target="192.168.6.193" port="514" protocol="tcp"
>>>>            queue.filename="forwarding" queue.size="1000000" queue.maxdiskspace="5g"
>>>>            queue.highwatermark="900000" queue.lowwatermark="200000"
>>>>            queue.type="LinkedList" )
>>>>
>>>> On receiving server
>>>>
>>>> if ($fromhost-ip == '192.168.6.192') then /var/log/dccc.log
>>>> & ~
>>>>
>>>> But an incomplete message is received.
>>>>
>>>> Sent Message
>>>>
>>>> Sep 10 11:26:41 192.168.6.197 AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003#011Source=Microsoft-Windows-Security-Auditing#011Computer=WIN-C9JDK1MDI5G#011OriginatingComputer=#011User=#011Domain=#011EventID=5156#011EventIDCode=5156#011EventType=8#011EventCategory=12810#011RecordNumber=622562#011TimeGenerated=1441866149#011TimeWritten=1441866149#011Level=0#011Keywords=0#011Task=0#011Opcode=0#011Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 912 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 224.0.0.252 Source Port: 5355 Destination Address: 192.168.6.109 Destination Port: 50215 Protocol: 17 Filter Information: Filter Run-Time ID: 66094 Layer Name: Receive/Accept Layer Run-Time ID: 44
>>>>
>>>> Received Message
>>>>
>>>> Sep 10 11:26:41 192.168.6.197 AgentDevice=WindowsLog#011AgentL Windows Filtering Platform has permitted a connection. Application Information: Process ID: 912 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 224.0.0.252 Source Port: 5355 Destination Address: 192.168.6.109 Destination Port: 50215 Protocol: 17 Filter Information: Filter Run-Time ID: 66094 Layer Name: Receive/Accept Layer Run-Time ID: 44
>>>
>>> The problem is that your sent message is malformed. After the hostname/IP
>>> address, you are supposed to have the programname[with optional pid]: that
>>> is limited by the spec to 32 characters.
>>>
>>> instead you have
>>>
>>> AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003#011Source=Microsoft-Windows-Security-Auditing#011Computer=WIN-C9JDK1MDI5G#011OriginatingComputer=#011User=#011Domain=#011EventID=5156#011EventIDCode=5156#011EventType=8#011EventCategory=12810#011RecordNumber=622562#011TimeGenerated=1441866149#011TimeWritten=1441866149#011Level=0#011Keywords=0#011Task=0#011Opcode=0#011Message=The
>>>
>>> which is a LOT longer than 32 characters.
>>>
>>> whatever it is that you have slurping up the logs from windows and sending
>>> them to rsyslog in the first place needs to be fixed.
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
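To see why the 32-character TAG limit David describes yields exactly the `AgentDevice=WindowsLog#011AgentL` prefix that survives in the received message, here is an added example that is not part of the thread and is not rsyslog's own parser: a simplified BSD-syslog (RFC 3164 style) header split that applies the TAG limit, followed by decoding of the WinCollect key=value payload. The two sample lines are constructed from the quoted event (shortened); the `WinCollect[912]:` tag on the second line is a hypothetical well-formed shipper output, not something WinCollect is known to emit; and `#011` is taken to be rsyslog's default control-character escape for a tab (octal 011).

```python
"""Illustrative BSD-syslog header split plus WinCollect payload decoding.

Constructed example for the mailing-list thread above; it approximates the
behaviour of a legacy syslog parser and is NOT rsyslog's parsing code.
"""
import re
from typing import Dict

# RFC 3164 section 4.1.3: the TAG "MUST NOT exceed 32 characters".
TAG_MAXLEN = 32

# Constructed sample, modelled on the event quoted in the thread but with most
# key=value pairs dropped. "#011" is rsyslog's default escape for a TAB.
WINCOLLECT_LINE = (
    "Sep 10 11:26:41 192.168.6.197 "
    "AgentDevice=WindowsLog#011AgentLogFile=Security#011EventID=5156#011"
    "Message=The Windows Filtering Platform has permitted a connection."
)
# Same payload behind a proper syslog TAG (hypothetical shipper output).
TAGGED_LINE = (
    "Sep 10 11:26:41 192.168.6.197 WinCollect[912]: "
    "AgentDevice=WindowsLog#011AgentLogFile=Security#011EventID=5156#011"
    "Message=The Windows Filtering Platform has permitted a connection."
)

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
OCTAL_ESCAPE_RE = re.compile(r"#([0-7]{3})")


def split_bsd(line: str) -> Dict[str, str]:
    """Split a BSD-style line into timestamp, host, tag and msg.

    Simplified TAG rule (an approximation, not rsyslog's exact logic): the TAG
    starts right after the hostname and runs up to and including the first
    ':' or up to (excluding) the first space; if neither appears within
    TAG_MAXLEN characters the TAG is cut there and the remainder becomes msg.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:40])
    rest = m.group("rest")
    end = TAG_MAXLEN
    for i, ch in enumerate(rest[:TAG_MAXLEN]):
        if ch == ":":
            end = i + 1          # the colon belongs to the tag
            break
        if ch == " ":
            end = i
            break
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": rest[:end],
        "msg": rest[end:],
    }


def unescape_control(s: str) -> str:
    """Undo '#ooo' octal escapes (e.g. '#011' -> TAB)."""
    return OCTAL_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), s)


def parse_wincollect(msg: str) -> Dict[str, str]:
    """Parse the tab-separated key=value payload into a dict.

    Each field is split on its first '=' only, because the Message value can
    itself contain '=' and spaces. Fields without '=' are ignored.
    """
    fields: Dict[str, str] = {}
    for part in unescape_control(msg).strip().split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_event(line: str) -> Dict[str, str]:
    """Header split, then payload decode of whatever landed in msg."""
    parts = split_bsd(line)
    event = parse_wincollect(parts["msg"])
    event["_tag"] = parts["tag"]
    event["_host"] = parts["host"]
    return event


if __name__ == "__main__":
    for name, line in (("untagged", WINCOLLECT_LINE), ("tagged", TAGGED_LINE)):
        ev = parse_event(line)
        print(name, "tag=%r" % ev["_tag"],
              "AgentLogFile=%r" % ev.get("AgentLogFile"),
              "EventID=%r" % ev.get("EventID"))
```

With the untagged line the first 32 characters are consumed as the TAG, so the payload seen by the field parser starts at `ogFile=Security`: the `AgentDevice` pair is lost entirely and `AgentLogFile` is mangled into a bogus key. With a real TAG in front, every pair, including `Message`, comes through intact, which is the property a SIEM parser for event 5156 depends on.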

