Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: magwm on May 31, 2010, 10:45:13 AM

Title: HOWTO /RFC - logging windows events to a sme syslog facility
Post by: magwm on May 31, 2010, 10:45:13 AM

I thought I should share my thoughts on this topic. I am trying to (and partially succeeding at) logging windows (or other) events to a syslog facility on SME.

so, I am a relative newbie so I probably did a lot of things wrong.. :)


first, activating remote syslog on SME

    - create dir /etc/e-smith/templates-custom/etc/sysconfig/syslog/
    - copy here the file /etc/e-smith/templates/etc/sysconfig/syslog/10NoMARKs

    - edit it to contain:

    SYSLOGD_OPTIONS="-r -m 0"

create the desired log file:

Code: [Select]

touch /var/log/windows
in /etc/e-smith/templates/etc/syslog.conf/00filenames
add a row

Code: [Select]

$windows = "/var/log/windows";
in /etc/e-smith/templates/etc/syslog.conf/local4   (o one of the other local if they are in use already)

change

Code: [Select]

local4.*                                        -{ "${messages}" } in

Code: [Select]

local4.*                                        -{ "${windows}" }
- expand templates

Code: [Select]

expand-template /etc/sysconfig/syslog;
expand-template /etc/syslog.conf
- restart syslog

Code: [Select]

service syslog restart
to redirect (in copy) the windows logs, I used  http://code.google.com/p/eventlog-to-syslog/ (http://code.google.com/p/eventlog-to-syslog/)

copy evtsys.dll and evtsys.exe to c:\windows\system32  and execute

Code: [Select]

evtsys.exe -i -h YOURSMESERVERIP -f local4
and then

Code: [Select]

net start evtsys

so this is a RFC.. please indicate what should be changed here..

for one, there should be some log rotation on this /var/log/windows logfile, because it will fill up quickly...

ciaociao, Michel

Title: Re: HOWTO /RFC - logging windows events to a sme syslog facility
Post by: magwm on May 31, 2010, 10:49:26 AM

original message (italian)
http://forums.contribs.org/index.php/topic,45329.msg220289.html#msg220289 (http://forums.contribs.org/index.php/topic,45329.msg220289.html#msg220289)

Title: Re: HOWTO /RFC - logging windows events to a sme syslog facility
Post by: cactus on May 31, 2010, 07:27:14 PM

It would be nice if you could enter this in the wiki.

Title: Re: HOWTO /RFC - logging windows events to a sme syslog facility
Post by: magwm on May 31, 2010, 07:46:07 PM

Quote

wiki

I would love to, but I have no access to it.

edit..

plus, before doing so, I would like to know if this is the correct way of doing things.. sme-NOOB here..

Title: Re: HOWTO /RFC - logging windows events to a sme syslog facility
Post by: Stefano on May 31, 2010, 11:29:11 PM

Quote from: magwm on May 31, 2010, 07:46:07 PM

plus, before doing so, I would like to know if this is the correct way of doing things.. sme-NOOB here..

the only thing I would change is where you say

Quote

in /etc/e-smith/templates/etc/syslog.conf/local4   (o one of the other local if they are in use already)

you should copy the desired file into /etc/e-smith/templates-custom/etc/syslog.conf and modify it as you suggest.