
Set up syslogd to receive Windows Event Logs


bran2235 (IS-IT--Management), Feb 13, 2002
Hello Everyone,

I am a Windows admin and I have a new CentOS 5 box running the syslog service... On another box running Windows Server 2003, I am using the NTsyslog service so I can send Event Log messages to the CentOS box... (HELP!!)

Ok, so me being new to Linux, I have discovered that there is little info out there on the web that explains how to do this...

This is what I have done so far:
WINDOWS BOX:
I have installed the NTsyslog Service and configured it to point to the IP of the CentOS server

CentOS Server:
This is where I need instructions... (please!) Does anyone know how to do this... I've heard that it's pretty easy to do... just need some help~

Many Thanks~
Brandon
 
You could start with the man syslogd manual page. You may need to turn on the -n option to accept traffic from remote hosts, and also make some adjustments to the rules in /etc/syslog.conf to ensure the messages are logged to an appropriate location.

Annihilannic.
 
ok, thanks...
Now, Would you mind taking a look?

File: /etc/sysconfig/syslog
-------------------------------
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
SYSLOGD_OPTIONS="-r"
----------------------------------------

AND

File: /etc/syslog.conf
----------------------------------------

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
cron.* /var/log/cron.log

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
----------------------------------------------------


AM I MISSING ANYTHING? What other files do I need to configure?


Many Thanks!!
Brandon


 
By adding a second SYSLOGD_OPTIONS entry you are overriding the previous one; are you sure you don't just want to add -r after the -m 0 on the existing entry?

Have you restarted syslogd to pick up the change?

If you are seeing no messages, you could add a temporary entry to the end of /etc/syslog.conf such as:

    *.debug /tmp/syslog.debug

Then touch /tmp/syslog.debug to create the file (syslogd will not write to it unless it exists already), and pkill -HUP syslogd to make it re-read the /etc/syslog.conf file.

Note that this will record a high volume of messages so you should reverse the change once you establish whether you are receiving any messages at all from the Windows host. Are you sure it's actually sending messages by the way; i.e. can you trigger them somehow?

Annihilannic.
 
OK GREAT! Messages being sent!!
Question:

It appears as if the 'auth.log' is my Windows Security Event Log. Is this correct?

Where would my Windows APPLICATION and SYSTEM logs be in CentOS?

MANY MANY THANKS!!! :)
Brandon
 
I have no idea, that's entirely at the discretion of the Windows implementation of logging. It's the logger's responsibility to choose the "facility" and "level" of each logged message. "auth" sounds like a sensible choice for the facility of security related messages.

Annihilannic.
 
ok, so this being the first time using Linux, I don't understand. I am using NTsyslog on my windows server (just an FYI)...

I haven't configured anything- it appears as if the only messages I am getting from my Windows server are ones from my Windows Security Log <= They are going to the Auth.log.

My question is really "If my Windows Security Logs are going to the Linux AUTH.LOG, then where would ...say, my Windows Application and Windows System Logs be going?"
--Are there other log files I should be looking at on CentOS?
--They are configured to be sent... I just don't know where on the Linux box to look! :)

THANK YOU!!
Brandon

Oh, also is there a better (free) program I can use rather than PuTTY?
 
What could be better than PuTTY? :) It's my personal choice of terminal emulator, are you having problems with it?

The rules in /etc/syslog.conf define where messages are sent for specific facility and level combinations. If you set up the debugging rule I suggested, that will capture ALL messages that are received by syslogd to the specified file.

I suggest you look for some documentation on NTsyslog to see how it allocates facility/levels for the different types of Windows messages.

Annihilannic.
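The two replies above describe the check (add a *.debug catch-all rule, HUP syslogd, trigger a message from the Windows side) and the mechanism that decides where a message ends up (the facility/level selectors in /etc/syslog.conf). The following is an added example, not code from the original thread nor from NTsyslog or sysklogd: it models those selector rules in Python over the syslog.conf posted earlier in the thread (with the "authpriv.non" typo corrected) and builds the RFC 3164 datagram a client sends to UDP 514, so you can see which files a given facility/level pair reaches and send a test message yourself. The facilities attached to the Application and System logs below are assumptions for illustration; the thread only observes that Security events arrive under auth. The host name, tag, timestamp and the 192.0.2.10 address are placeholders.

```python
"""Syslog routing model for the posted /etc/syslog.conf plus an RFC 3164 test
message builder.  Added example, not from the thread, NTsyslog or sysklogd."""
import socket

# Facility numbers from RFC 3164 / <syslog.h>, keyed by the selector names
# sysklogd's syslog.conf understands (12-15 have no standard name; omitted).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# List index == numeric severity.  "fac.level" in syslog.conf means that
# level and more severe, i.e. this index and lower.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed copy of the rules posted in the thread (comments dropped,
# "authpriv.non" corrected to "authpriv.none").
POSTED_SYSLOG_CONF = """
kern.*                                   /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
mail.*                                   /var/log/maillog
auth,authpriv.*                          /var/log/auth.log
*.*;auth,authpriv.none                   -/var/log/syslog
cron.*                                   /var/log/cron.log
cron.*                                   /var/log/cron
*.emerg                                  *
uucp,news.crit                           /var/log/spooler
local7.*                                 /var/log/boot.log
"""


def parse_selector(selector):
    """Map each facility to the highest severity index it accepts (None = excluded).

    Semicolon-separated parts apply left to right, so a later 'mail.none'
    overrides an earlier '*.info'.  sysklogd's '=level' and '!level'
    modifiers are not modelled; the posted file does not use them.
    """
    accepted = {}
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        names = list(FACILITIES) if facs == "*" else facs.split(",")
        if level == "none":
            limit = None
        elif level == "*":
            limit = len(SEVERITIES) - 1
        else:
            limit = SEVERITIES.index(level)
        for name in names:
            accepted[name] = limit
    return accepted


def parse_syslog_conf(text):
    """Return [(accepted_table, action)] for every non-comment rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((parse_selector(selector), action.strip()))
    return rules


RULES = parse_syslog_conf(POSTED_SYSLOG_CONF)


def route(facility, severity, rules=RULES):
    """Every action that receives a message of this facility/severity.

    A leading '-' on a file action only disables fsync after each write, so
    it is stripped here; an action of '*' means 'write to all logged-in users'.
    """
    sev = SEVERITIES.index(severity)
    hits = []
    for accepted, action in rules:
        limit = accepted.get(facility)
        if limit is not None and sev <= limit:
            hits.append(action.lstrip("-"))
    return hits


def build_packet(facility, severity, hostname, tag, msg, timestamp="Feb 13 12:00:00"):
    """Build the RFC 3164 datagram a client such as NTsyslog sends.

    PRI = facility * 8 + severity, so auth.info is <38>.  Placeholder values
    for hostname/tag/timestamp are supplied by the caller.
    """
    pri = FACILITIES[facility] * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode("ascii")


def decode_pri(packet):
    """Recover (facility, severity) from the PRI field of a received datagram."""
    pri = int(packet[1:packet.index(b">")])
    fac_num, sev = divmod(pri, 8)
    facility = next(name for name, num in FACILITIES.items() if num == fac_num)
    return facility, SEVERITIES[sev]


def send_test_message(host, packet, port=514):
    """Fire one datagram at the collector to confirm that -r is working."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))


if __name__ == "__main__":
    # Where would each Windows log land under the posted rules?  Only the
    # Security -> auth mapping is observed in the thread; the rest is assumed.
    for fac, sev, label in [("auth", "info", "Security (observed)"),
                            ("user", "info", "Application (assumed)"),
                            ("daemon", "err", "System (assumed)")]:
        print(f"{label:24} {fac}.{sev:<8} -> {', '.join(route(fac, sev))}")
    pkt = build_packet("auth", "info", "win2003", "NTsyslog", "test event")
    print(pkt, decode_pri(pkt))
    # send_test_message("192.0.2.10", pkt)  # placeholder: the CentOS box's IP
```

Running it prints that an auth.info message is written to both /var/log/messages and /var/log/auth.log (the `*.info` rule does not exclude auth, only authpriv), while a user.debug message only reaches /var/log/syslog because it falls below the `*.info` threshold. Uncomment the send call with the collector's address and watch /tmp/syslog.debug or /var/log/auth.log to confirm reception. Keep in mind that `-r` makes syslogd accept unauthenticated UDP on port 514 from any host that can reach it, so restrict that port with iptables to the address of the Windows server.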
 
ok-
in order to view my logs via PUTTY, I have to use nano /var/log/auth.log - Is this the correct way?

Is there any other way to parse the auth.log file? Is there a (free) gui pgm. that will help?? :)

THANK YOU!!!
Brandon
 
For a Windows guy, nano is probably a good choice (I have never used it). Otherwise you can copy the log to a Windows machine and use an editor that's capable of reading Unix text files, which have different line terminators. Or you could run an X server on your Windows box and run a GUI editor from Linux, but I think that's getting pretty complicated for a simple task.

Other command-line alternatives for reading rather than editing files are more, less and pg. Also useful is tail to just look at the end of the file.

No matter what terminal emulator you use, nano is going to look and behave pretty much the same.

Annihilannic.
 
Thank you for all your help!! Most helpful!!

-Brandon
 
Geirendre-

Thanks- Believe it or not, the two links you provided are the only sites I have been able to find. They are the sites I used to learn how to configure the syslogd service...!!

Anyone have other resources?


Many Thanks!
Brandon
 
Well, isn't that typical huh ;-)

One reason for your problem in finding good syslog guides can be that there's a new one called syslog-ng (Next Generation) with added functionality out now. I only run syslog in one location, and there I use the newer syslog-ng. You might consider checking it out if you haven't done so already.

Syslog-ng can log to a SQL database and you can then use a PHP-driven web frontend to view the logs.
here's the demo-site:

Here are some of the links I have gathered:

Not sure if this works but...

Hopefully some of this can be of help to you.

:)
 
Hello everyone!
Quick Question:

I am using putty to read my events as the syslog gets them from my windows servers....

Problem: The TIME on the log is an hour off??!! I checked the LINUX box and the time is set correctly... The server for which the log is sent from is correct as well... any ideas??

Many thanks!
Brandon
 
AFAIK syslog does not have options for time and timezone adjustment.
(syslog-ng does)

So this probably must come from the syslog client on the server. Could it be that the client uses the BIOS clock or UTC time as a timestamp on the messages?

Have you tried to send syslog messages from another server to see if the problem is unique to the server?

HTH
 
Figured it out... it turns out that it's not the syslog server (LINUX) at all... At first I was comparing the timestamp from my syslog server to the 'logon times' from my Citrix Management Console... It turns out that my Citrix Mgmt Console is wrong, not the syslog server. It has to do with the version of Java!! Who would have thought!!

Thanks anyways!
Brandon
 
QUESTION:

How do I reset the password for root?


THANKS!!
Brandon
 