PhpLogCon Configure With RSyslog And EventReporter

From rsyslog wiki
Jump to: navigation, search

How to configure RSyslog and EventReporter to view Windows Eventlogs properly in LogAnalyzer

This FAQ article gives you the basics hints needed to get these three components working together.

Configure RSyslog

In order to support all properties in LogAnalyzer, you will have to emulate the syslog format output which is generated by Adiscon WinSyslog. To do so add this template into your rsyslog.conf:

  $template WinSyslogFmt,"%timegenerated:1:10:date-rfc3339% %timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339% %timegenerated:12:19:date-rfc3339%,%HOSTNAME%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"

Configure EventReporter

In EventReporter you will need to specify a certain format in your Forward Syslog Action, make sure the option "Add Syslog Source when forwarding to other Syslog servers" is 'DISABLED', and configure this message format:

  %id%,%user%,%sourceproc%,%NTEventLogType%,%severity%,%category%,%msg%%$CRLF%

Configure LogAnalyzer

I am assuming the following, LogAnalyzer is proberly installed already. The received syslog messages are stored in a flat logfile by RSyslog. If you are using the LogAnalyzer UserDB System, you can easily add a new logstream souce in the Admin Center. It is important to select "winsyslog" as 'LogLineType' and "eventlog" in the 'MsgParserList' field. If you are not using the UserDB System, you can modify or add a new logstream source in your config.php, here is a sample how this should look like:

  $CFG['Sources']['Source1']['ID'] = 'Source1';
  $CFG['Sources']['Source1']['Name'] = 'EventReporter';
  $CFG['Sources']['Source1']['ViewID'] = 'EVTRPT';
  $CFG['Sources']['Source1']['SourceType'] = SOURCE_DISK;
  $CFG['Sources']['Source1']['MsgParserList'] = "eventlog";
  $CFG['Sources']['Source1']['LogLineType'] = 'winsyslog';
  $CFG['Sources']['Source1']['DiskFile'] = '/var/log/windowslogs.log';

Done

Start EventReporter and verify the format logged in "/var/log/windowslogs.log" for example, it should produce loglines like this:

  2008-09-03 09:35:15,2008-09-03 09:35:07,FMINT2,16,6,EvntSLog: 108,N\A,AdisconMonitoreWareAgent,Application,[INF],0,The service was stopped.
  2008-09-03 09:35:15,2008-09-03 09:35:15,FMINT2,16,6,EvntSLog: 118,N\A,AdisconMonitoreWareAgent,Application,[INF],0,MonitorWare Agent is running in registered mode (licensed for 10 workstations and 10 servers).

If you are receiving different results in the format, the EventLog fields will proberly not be resolved correctly in LogAnalyzer.


Back to phpLogCon