5.3.1. Eventlog sources

The syslog-ng Agent for Windows application can collect messages from the standard Windows eventlog containers, as well as from custom containers. The agent automatically forwards the messages from three standard eventlog containers (Application, Security, System). To enable or disable these sources, or to add custom eventlog containers, complete the following steps:

[Note] Note

The syslog-ng Agent for Windows sends its own log messages into the Application eventlog container.

The agent caches in the registry the ID of the last message sent to the destination server, so if the agent is not operating for a time (e.g., it is restarted), then it starts reading messages from the last cached message ID, sending out all the new messages.

[Warning] Warning

If an eventlog container becomes corrupt, the agent will stop processing the event source. A log message (Eventlog file is corrupt) is sent directly to the logserver to notify about the error.

Procedure 5.3.1.1. Managing eventlog sources

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Eventlog Sources, and double-click on Event Containers.

    • To disable sending messages from an eventlog container, unselect the checkbox before the name of the container.

    • To modify the log facility associated with the messages of the container, select the container, click Edit, and select the log facility to use in the Log Facility field.

    • To add a custom container, select Add, and enter the name of the container into the Event Container Name field. If you do not know the name of the container, see Procedure 5.3.1.2, “Determining the name of a custom eventlog container”.

  3. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 5.3.1.2. Determining the name of a custom eventlog container

  1. Open the Event Viewer application.

  2. Select the custom container you are looking for (e.g., DNS Server).

  3. Right click on the container and select Properties.

  4. The name of the container is the name of the file (without the extension) displayed in the Logname field (e.g., for C:\WINDOWS\system32\config\DnsEvent.Evt it is DnsEvent).

  5. Use this name as the name of the custom eventlog container during the procedure described in Procedure 5.3.1.1, “Managing eventlog sources”.

    [Note] Note

    On Windows Vista and Server 2008, some containers are not real containers, but show selected messages collected from multiple containers. To forward such messages to the syslog-ng server, you have to find out which real containers are displayed in the container, and add them to the configuration of the syslog-ng Agent.

    Some containers have the %4 characters in their names. When adding these to the syslog-ng Agent, replace %4 with the / (slash) character. E.g., write microsoft-windows-bits-client/analytic instead of microsoft-windows-bits-client%4analytic.

    If you are sending old messages to the server as well, the syslog-ng Agent will not send the very first message stored in the container. This is a bug in the Windows API.
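The following PowerShell script is an added example, not part of the syslog-ng Agent documentation: it applies the naming rule of Procedure 5.3.1.2 (file name without extension) and the %4 to / replacement from the note above to constructed sample paths, then lists every enabled channel on the host with the container name the agent expects. It assumes that Get-WinEvent -ListLog (PowerShell 2.0 or later) reports the same log file path the Event Viewer Properties dialog shows.

```powershell
# Added example (not from the syslog-ng Agent documentation): derive the
# syslog-ng Agent "Event Container Name" from an eventlog's file path, as in
# Procedure 5.3.1.2, and apply the %4 -> / rule from the note above.
function ConvertTo-EventContainerName {
    param([Parameter(Mandatory)][string]$LogFilePath)
    # File name without directory and extension, e.g. DnsEvent.Evt -> DnsEvent,
    # Microsoft-Windows-Bits-Client%4Analytic.etl -> Microsoft-Windows-Bits-Client%4Analytic
    $leaf = [System.IO.Path]::GetFileNameWithoutExtension($LogFilePath)
    # Assumption: %4 in a channel file name always encodes the '/' of the
    # channel name, so a plain replacement is sufficient.
    return $leaf -replace '%4', '/'
}

# Constructed sample paths mirroring the two examples given in the text.
$samples = @(
    'C:\WINDOWS\system32\config\DnsEvent.Evt',
    'C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Analytic.etl'
)
foreach ($p in $samples) {
    '{0,-78} -> {1}' -f $p, (ConvertTo-EventContainerName $p)
}

# Assumption: Get-WinEvent -ListLog returns the same LogFilePath that the Event
# Viewer Properties dialog displays. Enumerate every enabled channel with the
# container name the agent expects, so the list can be reviewed before adding
# custom containers in Procedure 5.3.1.1. Classic = legacy .Evt-style log.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.LogFilePath } |
    ForEach-Object {
        [pscustomobject]@{
            LogName       = $_.LogName
            ContainerName = ConvertTo-EventContainerName $_.LogFilePath
            Classic       = $_.IsClassicLog
        }
    } | Sort-Object LogName | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since some channels (e.g., Security) are not listed for unprivileged users.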


© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com