Anonymous (6623 Posts)
SYSLog output
May 20, 2005 04:58 PM
I have the following information:
Source server name: xyz123
Eventlog: Security
Eventlog filtering facility: -local6
Target syslog server: ABC123 Port: 514
Target filename: windows.log
How can I retrieve the last 15 minutes of data from the source server's Security event log for the facility local6 and send it to the syslog server?
I tried different options in LogParser with and without a config file. Nothing did the trick.
Somebody please show me the trick.
SYSLOG output target
Anonymous (6623 Posts)
Re: SYSLog output
May 23, 2005 12:26 PM
Windows does not have a concept of facility; that's a Syslog-only, Unix-only concept.
You need to come up with your own mapping that decides in which instances an event has a 'local6' facility. Once you decide that, you can use one of the examples shown in the help file.
As a side note, the following WHERE clause, when added to a query, will make it retrieve the last 15 minutes' worth of logs:
WHERE TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:00', 'hh:mm:ss') )
Anonymous (6623 Posts)
Re: SYSLog output
Jun 02, 2005 11:19 AM
I'd like to know a sample command line to dump the entire Security log onto a SYSLOG server.
Anonymous (6623 Posts)
Re: SYSLog output
Jun 06, 2005 09:23 PM
From the documentation:
SELECT TimeGenerated,
       CASE SourceName
           WHEN 'EventLog' THEN 'mark'
           WHEN 'Service Control Manager' THEN 'daemon'
           WHEN 'Print' THEN 'lpr'
           WHEN 'Kerberos' THEN 'auth'
           WHEN 'NETLOGON' THEN 'logaudit'
           WHEN 'Application Popup' THEN 'local7'
           ELSE 'local0'
       END AS MyFacility,
       CASE EventTypeName
           WHEN 'Error event' THEN 'err'
           WHEN 'Warning event' THEN 'warning'
           WHEN 'Information event' THEN 'info'
           ELSE 'info'
       END AS MySeverity,
       ComputerName,
       STRCAT(SourceName, ':'),
       Message
  INTO @MYSERVER04
  FROM System
Anonymous (6623 Posts)
Re: SYSLog output
Jun 08, 2005 04:32 PM
Anonymous (6623 Posts)
Re: SYSLog output
Jun 22, 2005 09:48 AM
This is what I did:
1. Create folder C:\DRV\LogParser
2. Copy LogParser.dll and LogParser.exe to C:\DRV\LogParser
3. Created C:\DRV\LogParser\QUERY.SQL with the following statement
SELECT TimeGenerated AS TimeStamp,
       ComputerName AS Host,
       EventID AS Tag,
       EventCategory AS Facility,
       EventType AS Severity,
       Message AS Message
  INTO @xxx.yyy.jjj.com:514
  FROM Security
 WHERE TRIM(EventTypeName) = 'Failure Audit event'
   AND TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:30', 'hh:mm:ss') )
4. Created C:\DRV\LogParser\Syslogparser.bat with the following statement
LogParser.exe file:Query.sql -o:SYSLOG -facility:local6
5. Scheduled the C:\DRV\LogParser\Syslogparser.bat to be executed every 15 minutes.
6. Repeat step 1 to 5 on all the servers.
Note: @xxx.yyy.jjj.com:514 should be your syslog server and port address.
Thanks for your help.
Anonymous (6623 Posts)
Re: SYSLog output
Jun 23, 2005 11:39 AM
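Added example, not LogParser's code and not from any poster in this thread: a plain Python model of what the documentation query above, the 15-minute WHERE clause from the May 23 reply, and the -facility:local6 switch in the procedure do. It turns the two CASE expressions into lookup tables, computes the syslog PRI (facility * 8 + severity, per RFC 3164), keeps only events from the last 15 minutes, and renders RFC 3164 lines. The facility/severity numeric codes are RFC 3164's; the sample event records, the 'Failure Audit event' severity entry, and the fallback of the non-RFC name 'mark' to local0 are assumptions made here. Note that the documentation's ELSE branch would forward audit failures at severity 'info', which is why an explicit entry for them is added.

```python
from datetime import datetime, timedelta

# RFC 3164 section 4.1.1 numeric codes. 'mark' (used in the documentation
# example) has no RFC 3164 code and falls back to DEFAULT_FACILITY below
# (an assumption made in this example, not documented LogParser behaviour).
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITY_CODES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
DEFAULT_FACILITY = "local0"   # ELSE branch of CASE SourceName in the doc query
DEFAULT_SEVERITY = "info"     # ELSE branch of CASE EventTypeName in the doc query

# The two CASE expressions from the documentation query as lookup tables.
SOURCE_TO_FACILITY = {
    "EventLog": "mark",
    "Service Control Manager": "daemon",
    "Print": "lpr",
    "Kerberos": "auth",
    "NETLOGON": "logaudit",
    "Application Popup": "local7",
}
TYPE_TO_SEVERITY = {
    "Error event": "err",
    "Warning event": "warning",
    "Information event": "info",
    # Added here: the documentation's ELSE would send audit failures as 'info'.
    "Failure Audit event": "warning",
}


def facility_for(source_name, override=None):
    """Facility name for an event; `override` plays the role of -facility:local6."""
    if override:
        return override
    return SOURCE_TO_FACILITY.get(source_name, DEFAULT_FACILITY)


def severity_for(event_type_name):
    """Severity name for an event, with the query's ELSE fallback."""
    return TYPE_TO_SEVERITY.get(event_type_name, DEFAULT_SEVERITY)


def pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity (RFC 3164 section 4.1.1)."""
    fac = FACILITY_CODES.get(facility, FACILITY_CODES[DEFAULT_FACILITY])
    return fac * 8 + SEVERITY_CODES[severity]


def within_window(events, now, minutes=15):
    """Equivalent of: TimeGenerated >= SUB(now, TIMESTAMP('00:15:00', 'hh:mm:ss'))."""
    cutoff = now - timedelta(minutes=minutes)
    return [e for e in events if e["TimeGenerated"] >= cutoff]


def to_syslog_line(event, override=None):
    """Render one event as an RFC 3164 message: <PRI>TIMESTAMP HOST TAG: MSG."""
    facility = facility_for(event["SourceName"], override)
    severity = severity_for(event["EventTypeName"])
    ts = event["TimeGenerated"]
    # RFC 3164 timestamp: "Mmm dd HH:MM:SS" with a space-padded day.
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    # STRCAT(SourceName, ':') in the query becomes the TAG field here.
    return "<%d>%s %s %s: %s" % (pri(facility, severity), stamp,
                                 event["ComputerName"], event["SourceName"],
                                 event["Message"])


# Constructed sample records shaped like LogParser's EVT input fields.
NOW = datetime(2005, 6, 22, 9, 48, 0)
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=3), "SourceName": "Security",
     "EventTypeName": "Failure Audit event", "ComputerName": "XYZ123",
     "Message": "Logon Failure: unknown user name or bad password"},
    {"TimeGenerated": NOW - timedelta(minutes=10),
     "SourceName": "Service Control Manager", "EventTypeName": "Error event",
     "ComputerName": "XYZ123",
     "Message": "The Print Spooler service terminated unexpectedly"},
    {"TimeGenerated": NOW - timedelta(minutes=40), "SourceName": "Kerberos",
     "EventTypeName": "Warning event", "ComputerName": "XYZ123",
     "Message": "Old event outside the 15 minute window"},
]


def forward(events=SAMPLE_EVENTS, now=NOW, override=None):
    """Lines that would be sent to the syslog server for the last 15 minutes."""
    return [to_syslog_line(e, override) for e in within_window(events, now)]


if __name__ == "__main__":
    for line in forward(override="local6"):
        print(line)
```

Running it with override="local6" shows every forwarded line carrying PRI 22*8+severity, which is what -facility:local6 does to the query's own Facility column; without the override the per-source CASE mapping decides. The 40-minute-old Kerberos record is dropped by the window filter, mirroring the WHERE clause when the batch file runs every 15 minutes.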
Wonderful!
Mak, thanks a lot for posting the very first application of LogParser's SYSLOG output format!
Anonymous (6623 Posts)
Re: SYSLog output
Jun 23, 2005 01:04 PM