Windows events to syslog

Posted: 21st September 2012 by marcel in Serveradministration

As a basis I use a setup like this:

http://lab4.org/wiki/Rsyslog_mit_MySQL_als_zentraler_Logserver
http://itmanager.blogs.com/notes/2012/05/setting-up-a-loganalyzersyslog-server.html

However, I create several tables and filter in rsyslog.conf by IPs, ranges or host names accordingly. See http://www.rsyslog.com/doc/rsyslog_conf_filter.html for details. For example:

# load the MySQL output module; required before :ommysql: can be used
$ModLoad ommysql

# the trailing SQL option escapes quotes/backslashes in the message, so a
# log line containing a single quote cannot break the INSERT statement
$template Server,"insert into Server (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%fromhost-ip%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL

# startswith is a literal string prefix match, not a regex, so the dots are
# written unescaped; keep the trailing dot so '10.2.10.' does not also
# match 10.2.100.x or 10.2.101.x
if \
  $fromhost-ip startswith '192.168.' or \
  $fromhost-ip startswith '10.2.10.' \
then :ommysql:localhost,DATENBANK,USER,PASSWORD;Server
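To see what the prefix filter above does and does not match, here is an added Python example (not from the original post) that routes a sender address to a table name both the way rsyslog's startswith does (literal string prefix) and by CIDR network; the catch-all table name SystemEvents is an assumption.

```python
import ipaddress

# Constructed routing table mirroring the rsyslog filter on this page:
# 192.168.0.0/16 and 10.2.10.0/24 go to the "Server" table, everything
# else falls through to a catch-all table (name assumed here).
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), "Server"),
    (ipaddress.ip_network("10.2.10.0/24"), "Server"),
]
DEFAULT_TABLE = "SystemEvents"  # assumption: the stock LogAnalyzer table


def table_for_prefix(fromhost_ip: str, prefixes=("192.168.", "10.2.10.")) -> str:
    """Literal string-prefix match, i.e. what rsyslog's `startswith` does."""
    if any(fromhost_ip.startswith(p) for p in prefixes):
        return "Server"
    return DEFAULT_TABLE


def table_for_network(fromhost_ip: str) -> str:
    """CIDR match: immune to a prefix that lacks its trailing dot."""
    try:
        addr = ipaddress.ip_address(fromhost_ip)
    except ValueError:
        return DEFAULT_TABLE  # junk in fromhost-ip goes to the catch-all
    for net, table in ROUTES:
        if addr in net:
            return table
    return DEFAULT_TABLE


if __name__ == "__main__":
    # Constructed sample senders; 10.2.100.7 shows the pitfall when someone
    # writes the prefix as "10.2.1" instead of "10.2.10." in the filter.
    for ip in ("192.168.5.20", "10.2.10.3", "10.2.100.7", "not-an-ip"):
        print(ip, table_for_prefix(ip), table_for_network(ip))
    print("10.2.100.7 with prefix '10.2.1':",
          table_for_prefix("10.2.100.7", ("10.2.1",)))
```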

On the Windows servers you can install this small tool:
http://code.google.com/p/eventlog-to-syslog/downloads/list

The options are fairly self-explanatory:

C:\WINDOWS\system32>evtsys.exe /?
Version: 4.4 (32-bit)
Usage: evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port]
       [-t tag] [-s minutes] [-l level] [-n]
  -i           Install service
  -u           Uninstall service
  -d           Debug: run as console program
  -h host      Name of log host
  -b host      Name of secondary log host
  -f facility  Facility level of syslog message
  -l level     Minimum level to send to syslog.
               0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info
  -n           Include only those events specified in the config file.
  -p port      Port number of syslogd
  -q bool      Query the Dhcp server to obtain the syslog/port to log to
               (0/1 = disable/enable)
  -t tag       Include tag as program field in syslog message.
  -s minutes   Optional interval between status messages. 0 = Disabled

Default port: 514
Default facility: daemon
Default status interval: 0
Host (-h) required if installing.
Command did not complete due to a failure

The service then still has to be started under "Administrative Tools", and off it goes!

edit: It is advisable not to let the Windows servers log with facility local7. The default entry in rsyslog.conf

local7.*                                                /var/log/boot.log

otherwise fills up boot.log quite nicely.