logging: syslog-ng records Windows logs over multiple lines

Time: 2015-06-09 14:02:32

Tags: windows logging syslog-ng

I am having a problem using syslog-ng Agent for Windows v5.0.7 to log my Windows servers to a central syslog server running syslog-ng PE v5.0.

The logs from the agent arrive split over multiple lines, see below. Has anyone had a similar problem? Is there a configuration option so that each log ends up on a single line? Or some rewrite configuration?

Thanks to all of you.

The configuration for Windows in syslog.conf on the syslog server, and the log spread over multiple lines:

filter f_syslog_win_exc { host("(11.22.33.44)"); };
destination d_syslog_win_exc { file("/var/nsm/windows_syslog/test/exch/$HOST-$R_YEAR$R_MONTH$R_DAY.log"); };
log { source(remote_windows); filter(f_syslog_win_exc); destination(d_syslog_win_exc); };

Jun  9 14:51:33 11.22.33.44 1084 <133>1 2015-06-09T14:51:33+02:00 win_server_2k8 Microsoft_Windows_security_auditing. 508 - [win@18372.4 EVENT_CATEGORY="User Account Management" EVENT_FACILITY="16" EVENT_ID="4725" EVENT_LEVEL="0" EVENT_NAME="Security" EVENT_REC_NUM="210139" EVENT_SID="N/A" EVENT_SOURCE="Microsoft Windows security auditing." EVENT_TASK="User Account Management" EVENT_TYPE="Success Audit" EVENT_USERNAME="win_server_2k8\\syslog-user"][meta sequenceId="3" sysUpTime="14899"]
Jun  9 14:51:33      4725    Security        win_server_2k8\syslog-user   User    Success Audit   win_server_2k8   User Account Management          A user account was disabled.
Jun  9 14:51:33 11.22.33.44 Subject:
Jun  9 14:51:33 11.22.33.44 Security ID:  win_server_2k8\test
Jun  9 14:51:33 11.22.33.44 Account Name:  test
Jun  9 14:51:33 11.22.33.44 Account Domain:  win_server_2k8       210139  A user account was disabled.
Jun  9 14:51:33 11.22.33.44 Subject:
Jun  9 14:51:33 11.22.33.44 Security ID:  win_server_2k8\test
Jun  9 14:51:33 11.22.33.44 Account Name:  test

1 answer:

Answer 0: (score: 0)

By default, the syslog-ng Windows Agent sends logs using the newer RFC 5424 protocol. The receiving side appears to be using the legacy syslog protocol. You should use the syslog() source instead of tcp() on the receiving side, and the multi-line messages then need to be handled properly.
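As an added example (not from the poster or the answerer), this is how the receiving syslog-ng configuration could look with the answer's advice applied. The tcp() listener shown as the "before" state, the port numbers and the flags(no-multi-line) destination option are assumptions; the filter, destination path and log statement are taken from the question.

```conf
# BEFORE (assumed): a legacy tcp() source. The agent sends RFC 5424 messages
# with octet-counted framing, so the receiver treats "1084 <133>1 ..." as the
# message body and cuts the multi-line Windows event at every embedded newline,
# producing one partial message per line (exactly what the question shows).
source remote_windows {
    tcp(ip("0.0.0.0") port(514));
};

# AFTER: the syslog() source understands RFC 5424 with octet counting over TCP
# (port 601 is assumed), so the whole multi-line event arrives as one message
# and the [win@18372.4 ...] structured data is parsed instead of kept as text.
source remote_windows {
    syslog(ip("0.0.0.0") port(601) transport("tcp"));
};

filter f_syslog_win_exc { host("(11.22.33.44)"); };

# flags(no-multi-line) folds the newlines inside the event text into a single
# line in the output file, so one Windows event becomes exactly one log line.
destination d_syslog_win_exc {
    file("/var/nsm/windows_syslog/test/exch/$HOST-$R_YEAR$R_MONTH$R_DAY.log"
         flags(no-multi-line));
};

log { source(remote_windows); filter(f_syslog_win_exc); destination(d_syslog_win_exc); };
```

A quick way to confirm the fix is to disable a test account on the Windows host and check that the resulting event 4725 occupies a single line in the destination file rather than the eight partial lines shown above.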