Search results matching tag 'SYSLOG output target'

SYSLOG and newlines?

LogParser User : Quarantainenet — Thu, 10 May 2007 15:26:00 GMT

Hey all - let me kick off by saying I think Log Parser is a wonderful bit of software

However, using it I've run into a bit of an issue - allow me to sketch my situation first.
I'm parsing MS DHCP Logfiles in order to send them to a Linux box. The obvious choice to send this information with was the SYSLOG output - which works like a charm, over both UDP and TCP.
The thing is however, that sending the information over TCP caused all lines to end up in one big blob of information. Not impossible to parse, but not particularly pretty either.

Allow me to illustrate with an example (a):
-----
<14>May 10 14:17:50 Q2K3-AD LogParser:c:\WINDOWS\System32\dhcp\DhcpSrvLog-Thu.log 264 11,05/10/07,15:34:49,Renew,10.200.1.100,qcam,00031B568036,<14>May 10
14:17:50 Q2K3-AD LogParser:c:\WINDOWS\System32\dhcp\DhcpSrvLog-Thu.log 265 11,05/10/07,15:35:33,Renew,10.200.1.100,qcam,00031B568036,<14>May 10 14:17:50
Q2K3-AD LogParser:c:\WINDOWS\System32\dhcp\DhcpSrvLog-Thu.log 266 11,05/10/07,15:36:18,Renew,10.200.1.100,qcam,00031B568036,

-----

would look a lot better if it were shaped like this (b), especially to the human eye

-----
<14>May 10 14:17:50 Q2K3-AD LogParser:c:\WINDOWS\System32\dhcp\DhcpSrvLog-Thu.log 264 11,05/10/07,15:34:49,Renew,10.200.1.100,qcam,00031B568036,
<14>May 10 14:17:50 Q2K3-AD LogParser:c:\WINDOWS\System32\dhcp\DhcpSrvLog-Thu.log 265 11,05/10/07,15:35:33,Renew,10.200.1.100,qcam,00031B568036,
<14>May 10 14:17:50 Q2K3-AD LogParser:c:\WINDOWS\System32\dhcp\DhcpSrvLog-Thu.log 266 11,05/10/07,15:36:18,Renew,10.200.1.100,qcam,00031B568036,

-----
My current commandline looks like this:
----
LogParser "SELECT * INTO @1.2.3.4:1234 FROM c:\*.Log" -i:TEXTLINE -o:SYSLOG -iCheckpoint:checkpoints.lpc -protocol:TCP
----

My question would be as follows: is it possible to make it so that (a) gets formatted like (b) (i.e. with newlines between each parsed line)? And, if yes, how?
Alternatively, some sort of separator character would work for my purposes as well ofcourse - any pointers or solid information is most welcome!

Sysloc COM API and Protocol

LogParser User : ssnodgra — Mon, 15 May 2006 20:41:00 GMT

How do I tell logparser to use tcp for syslog output. Below is what I have been trying and it does not work.

Set SysLogOutput = CreateObject("MSUtil.LogQuery.SYSLOGOutputFormat")
SysLogOutput.protocol =TCP

' Create query text
EventQuery = "SELECT * INTO " & "@" & Trim(sls(1)) & " FROM Security, Application, System, Directory\u0020Service, DNS\u0020Server, File\u0020Replication\u0020Service"

' Execute query
ParserO.ExecuteBatch EventQuery, EVTLogInput, SysLogOutput

RE: Can I use logParser to write a file with SYSlog format

LogParser User : DEinspanjer — Fri, 14 Apr 2006 19:29:00 GMT

Did you look in the help file?

Can I use logParser to write a file with SYSlog format

LogParser User : andoni — Thu, 13 Apr 2006 13:26:00 GMT

I am not sure if I can achive that but can I use logparser to collect Security logs but instead of sending the logs to a LogSysserver save the output as a file in Syslog format?

Issam

RE: Exchange Message Tracking to Syslog - Can it be done?

LogParser User : montm — Tue, 07 Mar 2006 14:06:00 GMT

Daniel,

IO. This is great !! Much cleaner... and works.

TY TY TY

Regards,

Mont

RE: Exchange Message Tracking to Syslog - Can it be done?

LogParser User : DEinspanjer — Mon, 06 Mar 2006 15:59:00 GMT

That was exactly what I needed.

The ultimate issue here is that LogParser's Timestamp data type has no support for timezone identifiers or offsets. Something I sincerely think should be fixed in the next version.

The -i:W3C format example shows that it recognizes the Date and Time fields as Timestamp fields, but apparently the format that is being used for your log files isn't understood so they are coming in as regular strings. This means that you do have to do some string processing. :/

Here is my attempt at making the transformation to localtime timestamps as concise and simple as possible. HTH

SELECT
      DateTime
    , [Origination Time]
USING
      TO_TIMESTAMP(date, 'yyyy-M-d') AS RealDate
    , TO_TIMESTAMP(time, 'h:m:s G\MT') AS RealTime
    , TO_LOCALTIME(TO_TIMESTAMP(RealDate,RealTime)) as DateTime
    , TO_LOCALTIME(TO_TIMESTAMP([Origination-time], 'yyyy-M-d h:m:s G\MT')) as [Origination Time]
FROM message.log

RE: Exchange Message Tracking to Syslog - Can it be done?

LogParser User : montm — Mon, 06 Mar 2006 01:05:00 GMT

Daniel,

Thanks for engaging. Here's a bit of the file... Am hoping I have not mangled the format in presenting/anoymizing this scrap.

RE: Exchange Message Tracking to Syslog - Can it be done?

LogParser User : DEinspanjer — Mon, 06 Mar 2006 00:53:00 GMT

Could you give me an excerpt of your log file that I could play around with? I don't have any w3c files so it hampers my ability to test ideas.

RE: Exchange Message Tracking to Syslog - Can it be done?

LogParser User : montm — Sun, 05 Mar 2006 21:52:00 GMT

Daniel,

Thanks for the reply. I tried what you suggest and I got nulls for the datetime. Perhaps I am not picking up on something I should be assuming. I am trying to transform the 2 GMT timestamps in the message tracking logs to UTC formatted localtime ( i.e. 2006-03-04 17:44:40 ). I do wonder if there is not a much simpler way of getting there. That being said, I know I am close. I realized after my initial post that I could simply change the expression from TO_TIME to TO_DATE to get the date and vice versa. From there I tried to concatenate the 2, but that would seem to require string formatting (?). I was able to reduce both to string format. So from here it would seem a small step to STRCAT the 2. Been at it for an hour or so and no joy.

Here's the date piece:

logparser "SELECT TO_STRING (TO_DATE( TO_LOCALTIME( TO_TIMESTAMP (REPLACE_STR(STRCAT(STRCAT(date,' '), time),' GMT',''),'yyyy-M-d h:m:s') ) ),'yyyy-MM-dd hh:mm:ss') as DateTime, TO_Timestamp(REPLACE_STR([Origination-time], ' GMT',''),'yyyy-M-d h:m:s') as [Origination Time] from D:\MEX_LOG\TITAN.LOG\20060305.log" -i:w3c

... and the time piece:

logparser "SELECT TO_STRING (TO_TIME( TO_LOCALTIME( TO_TIMESTAMP (REPLACE_STR(STRCAT(STRCAT(date,' '), time),' GMT',''),'yyyy-M-d h:m:s') ) ),'yyyy-MM-dd hh:mm:ss') as DateTime, TO_Timestamp(REPLACE_STR([Origination-time], ' GMT',''),'yyyy-M-d h:m:s') as [Origination Time] from D:\MEX_LOG\TITAN.LOG\20060305.log" -i:w3c

RE: Exchange Message Tracking to Syslog - Can it be done?

LogParser User : DEinspanjer — Sun, 05 Mar 2006 14:27:00 GMT

The TO_TIME function strips the date off of DateTime.

Also I would think the date and time fields of W3C shouldn't require any string manipulation..
Instead of this:
TO_LOCALTIME( TO_TIMESTAMP (REPLACE_STR(STRCAT(STRCAT(date,' '), time),' GMT',''),'yyyy-M-d h:m:s') ) as DateTime

You should be able to do just this:
TO_LOCALTIME( TO_TIMESTAMP(date,time) ) AS DateTime