topic Re: forwarding Windows and syslog event logs to rsyslog in Getting Data In

forwarding Windows and syslog event logs to rsyslog

pil321 — Sun, 09 Feb 2014 21:24:51 GMT

Need to send certain Windows security and audit files to a RHEL rsyslog server. This is what I have so far (based on this😞

props.conf

[WinEventLog:security]
TRANSFORMS-routing = send_to_syslog

[Perfmon:Network Interface]
TRANSFORMS-routing = send_to_syslog

[syslog]
TRANSFORMS-routing = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs.conf

[syslog:my_syslog_group]
server = 10.0.10.10:514
type = tcp

The logs are getting to the rsyslog server. but the format is not right for the Windows logs:

2014-02-09T16:05:32.437414-05:00 new-host-3.home Value=149.60659940915585
2014-02-09T16:05:32.440373-05:00 new-host-3.home collection="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home object="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home counter="Bytes Sent/sec"#015

I'd like to be able to send the files as raw TCP, but haven't been able to do it. I've changed the DEST_KEY in the transforms.conf to _raw, and changed my outputs.conf to [tcpout], but that doesn't seem to work.

Anyone been able to do something similar to this?

Re: forwarding Windows and syslog event logs to rsyslog

grantsales — Fri, 15 Jan 2016 21:18:44 GMT

I see this is from last year, but did you ever get this working?

Re: forwarding Windows and syslog event logs to rsyslog

Richfez — Fri, 15 Jan 2016 22:34:43 GMT

Is there a reason to have an intermediate step of converting to syslog and back again?

The direct ingestion of Windows events as forwarded by a Universal Forwarder into Splunk works fantastically well and is generally problem free. Unless you have some constraint you can't get lifted or get permission to work around, I'd normally recommend just letting the forwarder forward directly to the indexer.

Re: forwarding Windows and syslog event logs to rsyslog

Richfez — Mon, 18 Jan 2016 00:56:11 GMT

grantsales,

Sorry, I moved my comment to here - I got mixed up on dates and who did what when. 😞

The comment was directed toward you - is there a reason you need to use syslog specifically?

Re: forwarding Windows and syslog event logs to rsyslog

grantsales — Mon, 18 Jan 2016 14:54:28 GMT

I already have the splunk agent feeding the indexer, the issue I have is I also need this data somewhere else that isn't splunk. I thought I could use the existing agent to dual feed, 1 straight to splunk and 1 to my syslog server.

Doesn't seem to be working with windows events however.

Reading up in answers.splunk, I'd have to do some reformatting of the data prior to sending it off, but this would impact what splunk is getting.

Re: forwarding Windows and syslog event logs to rsyslog

Richfez — Mon, 18 Jan 2016 15:11:20 GMT

Great, a valid use case. 🙂

Lots of folks don't pay much attention to older answers and it's unlikely you'll get too much activity through this thread. I'd suggest compiling up your precise use case and what behavior you are trying to get, along with what you are actually seeing instead, and create a new post asking about that.

I'll be looking forward to that, I may be able to replicate whatever you are seeing later this week if I had a good writeup of what you are seeing.

Re: forwarding Windows and syslog event logs to rsyslog

sony_pimpale — Fri, 01 Dec 2017 13:26:27 GMT

Could you please let me know wat software has to be installed on windows to get logs (tomcat logs ) forwarded to rsyslog (linux)

Thnx

Re: forwarding Windows and syslog event logs to rsyslog

richgalloway — Fri, 01 Dec 2017 13:37:50 GMT

@sony_pimpale, You're adding on to an old question. Please post a new question describing your problem so you'll have a better chance at getting a solution.