SYSLog output [Answered]

7 replies

Last post Jun 23, 2005 07:39 AM by Anonymous

  • SYSLog output

    May 20, 2005 12:58 PM|Anonymous|LINK

I have the following information:

    Source servername: xyz123

Eventlog: Security

    Eventlog Filtering facility: -local6

    Target syslogserver: ABC123 Port:514

    Target Filename: windows.log

How can I retrieve the last 15 minutes of data from the source server's security event log for the facility local6 and send it to the syslog server?

I tried different options in LogParser with and without a config file. Nothing did the trick.

    Somebody please show me the trick.

    SYSLOG output target

  • Re: SYSLog output

    May 23, 2005 08:26 AM|Anonymous|LINK

Windows does not have a concept of facility; that's a Syslog/Unix-only concept.

    You need to come up with your own mapping that decides in which instances an event has a 'local6' facility. Once you decide that, then you can use one of the examples shown in the help file.

    As a side note, the following WHERE clause, when added to a query, will make it retrieve the last 15 minutes worth of logs:

    WHERE TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:00', 'hh:mm:ss'))


  • Re: SYSLog output

    Jun 02, 2005 07:19 AM|Anonymous|LINK

I'd like to know a sample command line to dump the entire security log on to a SYSLOG server.


  • Re: SYSLog output

    Jun 06, 2005 05:23 PM|Anonymous|LINK

    From the documentation:

    SELECT TimeGenerated,
           CASE SourceName
             WHEN 'EventLog' THEN 'mark'
             WHEN 'Service Control Manager' THEN 'daemon'
             WHEN 'Print' THEN 'lpr'
             WHEN 'Kerberos' THEN 'auth'
             WHEN 'NETLOGON' THEN 'logaudit'
             WHEN 'Application Popup' THEN 'local7'
             ELSE 'local0'
           END AS MyFacility,
           CASE EventTypeName
             WHEN 'Error event' THEN 'err'
             WHEN 'Warning event' THEN 'warning'
             WHEN 'Information event' THEN 'info'
             ELSE 'info'
           END AS MySeverity,
           ComputerName,
           STRCAT(SourceName, ':'),
           Message
    INTO @MYSERVER04
    FROM System


  • Re: SYSLog output

    Jun 08, 2005 12:32 PM|Anonymous|LINK

    Thank you very much.


  • Re: SYSLog output

    Jun 22, 2005 05:48 AM|Anonymous|LINK

This is what I did:

1. Created folder C:\DRV\LogParser

    2. Copy LogParser.dll and LogParser.exe to C:\DRV\LogParser

3. Created C:\DRV\LogParser\QUERY.SQL with the following statement

SELECT TimeGenerated AS TimeStamp,
       ComputerName AS Host,
       EventID AS Tag,
       EventCategory AS Facility,
       EventType AS Severity,
       Message AS Message
INTO @xxx.yyy.jjj.com:514
FROM Security
WHERE TRIM(EventTypeName) = 'Failure Audit event'
  AND TimeGenerated >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:30', 'hh:mm:ss'))

    4. Created C:\DRV\LogParser\Syslogparser.bat with the following statement

    LogParser.exe file:Query.sql -o:SYSLOG -facility:local6

    5. Scheduled the C:\DRV\LogParser\Syslogparser.bat to be executed every 15 minutes.

    6. Repeat step 1 to 5 on all the servers.

Note: @xxx.yyy.jjj.com:514 should be your syslog server address and port.

    Thanks for your help.

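The facility/severity mapping that the May 23 reply says you have to decide yourself, the CASE expressions of the documentation query, and the 15-minute failure-audit window in the steps above, worked through as an added Python example. This is not code from the thread or from LogParser; it assumes constructed Security/System log records, a fixed "now" so the run is deterministic, an assumed 'warning' severity for failure audits (the documentation query lets them fall through to 'info'), and treats -facility:local6 as fixing one facility for every line (an assumption about that option). The facility numbers and PRI arithmetic are RFC 3164's.

```python
"""Added example, not code from the forum thread or from LogParser.
Does what the SYSLOG output format has to do for the queries above: choose a
facility and severity per event, keep the last 15 minutes, emit RFC 3164 lines."""
from datetime import datetime, timedelta
import socket

# RFC 3164 facility codes; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Same CASE SourceName mapping as the documentation query.
SOURCE_FACILITY = {"Service Control Manager": "daemon", "Print": "lpr",
                   "Kerberos": "auth", "NETLOGON": "logaudit",
                   "Application Popup": "local7"}
# Same CASE EventTypeName mapping, plus an assumed 'warning' for audit
# failures (assumption: the documentation query maps them to 'info').
TYPE_SEVERITY = {"Error event": "err", "Warning event": "warning",
                 "Information event": "info", "Failure Audit event": "warning"}


def facility_for(source_name):
    return SOURCE_FACILITY.get(source_name, "local0")   # ELSE 'local0'


def severity_for(event_type_name):
    return TYPE_SEVERITY.get(event_type_name, "info")   # ELSE 'info'


def pri(facility, severity):
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def window_start(now, minutes=15):
    """SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('00:15:00', 'hh:mm:ss'))"""
    return now - timedelta(minutes=minutes)


def to_syslog(event, facility):
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day space-padded)."""
    ts = event["TimeGenerated"]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    p = pri(facility, severity_for(event["EventTypeName"]))
    return f"<{p}>{stamp} {event['ComputerName']} {event['SourceName']}: {event['Message']}"


def forward(events, now, facility_override=None, failure_audit_only=False, minutes=15):
    """Apply the WHERE clause from the thread, then format.  facility_override
    stands in for -facility:local6 (assumed to fix one facility for every line)."""
    start = window_start(now, minutes)
    out = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        if ev["TimeGenerated"] < start:
            continue
        if failure_audit_only and ev["EventTypeName"].strip() != "Failure Audit event":
            continue
        out.append(to_syslog(ev, facility_override or facility_for(ev["SourceName"])))
    return out


def send_udp(lines, host, port=514):
    """Ship the lines to the syslog server over UDP/514; not called in this example."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8", "replace"), (host, port))


# Constructed sample records (not real log data) with a fixed 'now'.
NOW = datetime(2005, 6, 22, 5, 48, 0)
EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=3), "ComputerName": "XYZ123",
     "SourceName": "Security", "EventTypeName": "Failure Audit event",
     "Message": "Logon Failure: Unknown user name or bad password"},
    {"TimeGenerated": NOW - timedelta(minutes=40), "ComputerName": "XYZ123",
     "SourceName": "Security", "EventTypeName": "Failure Audit event",
     "Message": "Logon Failure: Account locked out"},        # older than 15 min
    {"TimeGenerated": NOW - timedelta(minutes=1), "ComputerName": "XYZ123",
     "SourceName": "Security", "EventTypeName": "Success Audit event",
     "Message": "Successful Logon"},                         # not a failure audit
    {"TimeGenerated": NOW - timedelta(minutes=5), "ComputerName": "XYZ123",
     "SourceName": "Service Control Manager", "EventTypeName": "Error event",
     "Message": "The Print Spooler service terminated unexpectedly"},
]

if __name__ == "__main__":
    # What steps 3 and 4 above produce: failure audits from the last 15 minutes,
    # all tagged facility local6.
    for line in forward(EVENTS, NOW, facility_override="local6", failure_audit_only=True):
        print(line)
```

Run as written, it prints a single line starting with <180>: local6 (22) times 8 plus warning (4), with the 40-minute-old failure and the success audit filtered out. Calling forward(EVENTS, NOW) with no override or audit filter reproduces the documentation mapping instead: the Service Control Manager error goes out as <27> (daemon, err) and the Security records fall to local0 (<132> and <134>).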

  • Re: SYSLog output

    Jun 23, 2005 07:39 AM|Anonymous|LINK

    Wonderful!

    Mak, thanks a lot for posting the very first application of LogParser's SYSLOG output format!


  • Re: SYSLog output

    Jun 23, 2005 09:04 AM|Anonymous|LINK

No worries. Just sharing my ignorance and experience.
