Last post Jun 23, 2005 11:39 AM by Anonymous
May 20, 2005 04:58 PM
I have the following information:
Source servername: xyz123
Eventlog Filtering facility: -local6
Target syslogserver: ABC123 Port:514
Target Filename: windows.log
How can I retrieve the last 15 minutes of data from the source server's Security event log for the facility local6 and send it to the syslog server?
I tried different options in LogParser, with and without a config file. Nothing did the trick.
Somebody please show me the trick.
SYSLOG output target
May 23, 2005 12:26 PM
Windows does not have a concept of facility; that's a Syslog/Unix-only concept.
You need to come up with your own mapping that decides in which instances an event has a 'local6' facility. Once you decide that, then you can use one of the examples shown in the help file.
As a side note, the following WHERE clause, when added to a query, will make it retrieve the last 15 minutes worth of logs:
WHERE TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:00', 'hh:mm:ss'))
Jun 02, 2005 11:19 AM
I'd like to know a sample command line to dump the entire Security log onto a SYSLOG server.
Jun 06, 2005 09:23 PM
From the documentation:
    CASE SourceName
        WHEN 'EventLog' THEN 'mark'
        WHEN 'Service Control Manager' THEN 'daemon'
        WHEN 'Print' THEN 'lpr'
        WHEN 'Kerberos' THEN 'auth'
        WHEN 'NETLOGON' THEN 'logaudit'
        WHEN 'Application Popup' THEN 'local7'
    END AS MyFacility,
    CASE EventTypeName
        WHEN 'Error event' THEN 'err'
        WHEN 'Warning event' THEN 'warning'
        WHEN 'Information event' THEN 'info'
    END AS MySeverity,
Jun 22, 2005 09:48 AM
This is what I did:
1. Created folder C:\DRV\LogParser
2. Copied LogParser.dll and LogParser.exe to C:\DRV\LogParser
3. Created C:\DRV\LogParser\QUERY.SQL with the following statement:
    SELECT TimeGenerated AS TimeStamp, ComputerName AS Host, EventID AS Tag,
           EventCategory AS Facility, EventType AS Severity, Message AS Message
    INTO @xxx.yyy.jjj.com:514
    FROM Security
    WHERE TRIM(EventTypeName) = 'Failure Audit event'
      AND TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:30', 'hh:mm:ss'))
4. Created C:\DRV\LogParser\Syslogparser.bat with the following statement:
    LogParser.exe file:Query.sql -o:SYSLOG -facility:local6
5. Scheduled C:\DRV\LogParser\Syslogparser.bat to be executed every 15 minutes.
6. Repeated steps 1 to 5 on all the servers.
Note: @xxx.yyy.jjj.com:514 should be your syslog server and port address.
Thanks for your help.
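Added example (my own, not Mak's script and not part of Log Parser): the collector side of the setup above. It assumes the Windows host emits BSD-style syslog lines (RFC 3164, `<PRI>Mmm dd hh:mm:ss host tag: message`, PRI = facility * 8 + severity) and shows how a receiver decodes the PRI header, keeps only local6 traffic, and drops the repeats that a 15:30 query window run every 15 minutes re-sends; host xyz123 and the sample lines are constructed.

```python
import re
from collections import OrderedDict

# RFC 3164 keyword -> code tables; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}
# Assumed BSD line layout: <PRI>Mmm dd hh:mm:ss host tag: message
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")

def pri(facility, severity):
    """Numeric PRI for a facility/severity keyword pair, e.g. local6/warning -> 180."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def parse_syslog(line):
    """Decode one line; return None for anything malformed instead of guessing."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = local7 * 8 + debug, the largest legal PRI
        return None
    code = int(m.group(1))
    return {"facility": FACILITY_NAMES[code // 8], "severity": SEVERITY_NAMES[code % 8],
            "timestamp": m.group(2), "host": m.group(3),
            "tag": m.group(4), "message": m.group(5)}

def collect(lines, facility="local6"):
    """Keep only the wanted facility, dropping the repeats that a 15:30 query window
    run every 15 minutes re-sends during its 30 s of overlap."""
    seen = OrderedDict()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["facility"] != facility:
            continue
        key = (rec["host"], rec["timestamp"], rec["tag"], rec["message"])
        seen.setdefault(key, rec)
    return list(seen.values())

# Constructed sample input (hypothetical host xyz123): two Security audit failures on
# local6/warning (PRI 180), one of them re-sent by the overlap, plus a daemon/info line (PRI 30).
SAMPLE = [
    "<180>Jun 22 09:45:12 xyz123 529: Logon Failure: Unknown user name or bad password",
    "<180>Jun 22 09:46:40 xyz123 529: Logon Failure: Unknown user name or bad password",
    "<30>Jun 22 09:47:01 xyz123 7036: The Print Spooler service entered the running state",
    "<180>Jun 22 09:46:40 xyz123 529: Logon Failure: Unknown user name or bad password",
]
```

The overlap keeps the scheduled runs from losing events at the window edges; the de-duplication key above is what stops the same audit failure from being counted twice on the collector.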
Jun 23, 2005 11:39 AM
Mak, thanks a lot for posting the very first application of LogParser's SYSLOG output format!