On Fri, Jun 6, 2014 at 12:50 PM, Muhammad Asif <[email protected]> wrote:
> Is rsyslog windows agent free as rsyslog server in Linux?

No, it's paid software like snare w/ tcp mode.

Rainer

> On Fri, Jun 6, 2014 at 2:48 PM, Rainer Gerhards <[email protected]> wrote:
>
> > well... let me say it that way. There is a reason (actually many) why we
> > provide our own agent for Windows:
> >
> > http://www.rsyslog.com/windows-agent/
> >
> > It has the advantage to work and actually extract *all* important
> > information from Windows events logs of any version ;)
> >
> > Rainer
> >
> > On Fri, Jun 6, 2014 at 8:43 AM, David Lang <[email protected]> wrote:
> >
> > > The problem is that datagram is just another way of saying UDP, and it
> > > doesn't detect that the message wasn't received, so if the system that's
> > > supposed to be receiving it is down, the message just gets lost.
> > >
> > > David Lang
> > >
> > > On Fri, 6 Jun 2014, senthil velan wrote:
> > >
> > >> Hi
> > >> You may use datagram syslog agent to forward messages from
> > >> windows servers. It supports all versions of windows. I am using this to
> > >> forward messages to rsyslog server
> > >>
> > >> With regards,
> > >> M.Senthil Velan,
> > >>
> > >> From: Muhammad Asif <[email protected]>
> > >> To: rsyslog-users <[email protected]>
> > >> Date: 05-06-14 10:11 AM
> > >> Subject: [rsyslog] rsyslog snare creating problem with
> > >> Sent by: [email protected]
> > >>
> > >> Hi Everyone!
> > >>
> > >> I have installed snare (open source free version) in windows 2008 Server.
> > >> I configured snare to send logs to rsyslog and rsyslog is writing logs in
> > >> a file for testing. Windows server is a very busy server. Problem is that
> > >> rsyslog stops receiving logs from snare for a couple of minutes, sometimes
> > >> one hour. When we restart the rsyslog service it starts receiving logs.
> > >> Logs of windows server generated in that time are missed from rsyslog.
> > >> Please guide me in this issue.
> > >>
> > >> -----------------------------------------------------------------
> > >> # rsyslog configuration file
> > >> # note that most of this config file uses old-style format,
> > >> # because it is well-known AND quite suitable for simple cases
> > >> # like we have with the default config. For more advanced
> > >> # things, RainerScript configuration is suggested.
> > >>
> > >> # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
> > >> # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
> > >>
> > >> #### MODULES ####
> > >>
> > >> module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
> > >> module(load="imklog")   # provides kernel logging support (previously done by rklogd)
> > >> #module(load="immark")  # provides --MARK-- message capability
> > >>
> > >> # Provides UDP syslog reception
> > >> # for parameters see http://www.rsyslog.com/doc/imudp.html
> > >> module(load="imudp") # needs to be done just once
> > >> input(type="imudp" port="514")
> > >>
> > >> if ($fromhost-ip == '172.20.8.3') then /var/log/ciit_dc.log
> > >> & ~
> > >>
> > >> # Provides TCP syslog reception
> > >> # for parameters see http://www.rsyslog.com/doc/imtcp.html
> > >> module(load="imtcp") # needs to be done just once
> > >> input(type="imtcp" port="514")
> > >>
> > >> $template msgonly,"%rawmsg%\n"
> > >> #*.* @@127.0.0.1:520;msgonly
> > >> module(load="omrelp")
> > >> action(type="omrelp" target="127.0.0.1" port="520")
> > >>
> > >> module(load="impstats" interval="1800" severity="7"
> > >>        resetCounters="on"
> > >>        log.syslog="off"
> > >>        log.file="/var/log/stats.log")
> > >>
> > >> #### GLOBAL DIRECTIVES ####
> > >>
> > >> # Use default timestamp format
> > >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > >>
> > >> # File syncing capability is disabled by default. This feature is usually not required,
> > >> # not useful and an extreme performance hit
> > >> #$ActionFileEnableSync on
> > >>
> > >> # Include all config files in /etc/rsyslog.d/
> > >> $IncludeConfig /etc/rsyslog.d/*.conf
> > >>
> > >> #### RULES ####
> > >>
> > >> # Log all kernel messages to the console.
> > >> # Logging much else clutters up the screen.
> > >> #kern.*                                                 /dev/console
> > >>
> > >> # Log anything (except mail) of level info or higher.
> > >> # Don't log private authentication messages!
> > >> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> > >>
> > >> # The authpriv file has restricted access.
> > >> authpriv.*                                              /var/log/secure
> > >>
> > >> # Log all the mail messages in one place.
> > >> mail.*                                                  /var/log/maillog
> > >>
> > >> # Log cron stuff
> > >> cron.*                                                  /var/log/cron
> > >>
> > >> # Everybody gets emergency messages
> > >> *.emerg                                                 :omusrmsg:*
> > >>
> > >> # Save news errors of level crit and higher in a special file.
> > >> uucp,news.crit                                          /var/log/spooler
> > >>
> > >> # Save boot messages also to boot.log
> > >> local7.*                                                /var/log/boot.log
> > >>
> > >> # ### begin forwarding rule ###
> > >> # The statement between the begin ... end define a SINGLE forwarding
> > >> # rule. They belong together, do NOT split them. If you create multiple
> > >> # forwarding rules, duplicate the whole block!
> > >> # Remote Logging (we use TCP for reliable delivery)
> > >> #
> > >> # An on-disk queue is created for this action. If the remote host is
> > >> # down, messages are spooled to disk and sent when it is up again.
> > >> #$WorkDirectory /var/lib/rsyslog # where to place spool files
> > >> #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
> > >> #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
> > >> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> > >> #$ActionQueueType LinkedList   # run asynchronously
> > >> #$ActionResumeRetryCount -1    # infinite retries if host is down
> > >> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> > >> #*.* @@remote-host:514
> > >> # ### end of the forwarding rule ###
> > >> -----------------------------------------------------------------
> > >> Regards
> > >> M.Asif
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > >> DON'T LIKE THAT.
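
The symptom in the original post (a busy sender going silent for minutes to an hour, with the events from that window lost) can be detected on the receiving side by scanning the written log file for per-host silences. This is an added example, not part of the thread or of rsyslog. It assumes the file uses RSYSLOG_TraditionalFileFormat as in the posted config and that the caller supplies the year, which that format omits; the host names, sample lines, thresholds and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in RSYSLOG_TraditionalFileFormat
# ("Mmm dd HH:MM:SS host tag: msg"); hosts and messages are made up.
SAMPLE = """\
Jun  6 09:00:01 dc01 MSWinEventLog: logon event A
Jun  6 09:00:04 dc01 MSWinEventLog: logon event B
Jun  6 09:00:05 web01 sshd[811]: session opened
Jun  6 09:47:30 dc01 MSWinEventLog: logon event C
this line is truncated garbage
Jun  6 09:47:31 dc01 MSWinEventLog: logon event D
Jun  6 09:50:00 web01 sshd[811]: session closed
"""

def parse_line(line, year):
    """Return (timestamp, host), or None if the line does not parse."""
    try:
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    fields = line[16:].split(None, 1)
    return (ts, fields[0]) if fields else None

def find_gaps(text, thresholds, year, now=None):
    """Report (host, last_seen, next_seen) for every silence longer than the
    host's threshold; next_seen is None when the host is still silent at `now`.
    Hosts without a threshold are ignored (quiet hosts would be all noise)."""
    last_seen, gaps = {}, []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None or parsed[1] not in thresholds:
            continue
        ts, host = parsed
        prev = last_seen.get(host)
        if prev is not None and ts - prev > thresholds[host]:
            gaps.append((host, prev, ts))
        last_seen[host] = ts
    if now is not None:
        for host, prev in last_seen.items():
            if now - prev > thresholds[host]:
                gaps.append((host, prev, None))
    return gaps

if __name__ == "__main__":
    watch = {"dc01": timedelta(minutes=5)}  # busy server: 5 min of silence is abnormal
    for host, start, end in find_gaps(SAMPLE, watch, 2014, datetime(2014, 6, 6, 10, 30)):
        print(host, "silent from", start, "until", end or "now (still silent)")
```

Passing `now` is what catches an outage that is still in progress, which is the case where the poster had to restart the service before logs resumed.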

