I have a problem with logging from my Windows server via syslog-ng Agent for Windows v5.0.7 to my main syslog server, which has syslog-ng PE v5.0 installed.
Logs from the agent arrive in a multiline shape, see below. Has anyone had a similar problem? Is there a configuration option so that the logs arrive on one line? Or some rewrite configuration?
Thank you all.
Configuration for the Windows logs in syslog.conf on the syslog server, and the multiline log:
filter f_syslog_win_exc { host("(11.22.33.44)"); };
destination d_syslog_win_exc { file("/var/nsm/windows_syslog/test/exch/$HOST-$R_YEAR$R_MONTH$R_DAY.log"); };
log { source(remote_windows); filter(f_syslog_win_exc); destination(d_syslog_win_exc); };
Jun 9 14:51:33 11.22.33.44 1084 <133>1 2015-06-09T14:51:33+02:00 win_server_2k8 Microsoft_Windows_security_auditing. 508 - [[email protected] EVENT_CATEGORY="User Account Management" EVENT_FACILITY="16" EVENT_ID="4725" EVENT_LEVEL="0" EVENT_NAME="Security" EVENT_REC_NUM="210139" EVENT_SID="N/A" EVENT_SOURCE="Microsoft Windows security auditing." EVENT_TASK="User Account Management" EVENT_TYPE="Success Audit" EVENT_USERNAME="win_server_2k8\\syslog-user"][meta sequenceId="3" sysUpTime="14899"]
Jun 9 14:51:33 4725 Security win_server_2k8\syslog-user User Success Audit win_server_2k8 User Account Management A user account was disabled.
Jun 9 14:51:33 11.22.33.44 Subject:
Jun 9 14:51:33 11.22.33.44 Security ID: win_server_2k8\test
Jun 9 14:51:33 11.22.33.44 Account Name: test
Jun 9 14:51:33 11.22.33.44 Account Domain: win_server_2k8 210139 A user account was disabled.
Jun 9 14:51:33 11.22.33.44 Subject:
Jun 9 14:51:33 11.22.33.44 Security ID: win_server_2k8\test
Jun 9 14:51:33 11.22.33.44 Account Name: test
By default the syslog-ng Windows Agent sends logs using the new RFC 5424 protocol. The receiving side seems to use the legacy syslog protocol. You should use a syslog() source instead of tcp() on the receiving side; that takes proper care of multi-line messages.
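As an added illustration of why a legacy tcp() source breaks the agent's events (this is not part of either post): over TCP the agent sends RFC 5424 messages with RFC 6587 octet-counting framing, so a multi-line Windows event is one length-prefixed frame, and the leading 1084 in the captured line above is that length prefix. A newline-delimited reader treats the count as message text and emits one fragment per line; a reader that honours the length keeps the event whole, which is what the syslog() source does. The sample events and the SD-ID exampleSDID@32473 are constructed, not the agent's real values.

```python
import re

# Constructed sample modelled on the question's event: one RFC 5424 message whose
# MSG spans several lines. exampleSDID@32473 is RFC 5424's own placeholder SD-ID.
EVENT_4725 = (
    '<133>1 2015-06-09T14:51:33+02:00 win_server_2k8 '
    'Microsoft_Windows_security_auditing. 508 - '
    '[exampleSDID@32473 EVENT_ID="4725" EVENT_TYPE="Success Audit" '
    'EVENT_USERNAME="win_server_2k8\\\\syslog-user"] '
    'A user account was disabled.\n'
    'Subject:\n'
    '\tSecurity ID: win_server_2k8\\test\n'
    '\tAccount Name: test\n'
)
EVENT_4722 = ('<133>1 2015-06-09T14:52:10+02:00 win_server_2k8 Microsoft_Windows_security_auditing. '
              '508 - [exampleSDID@32473 EVENT_ID="4722"] A user account was enabled.')

def frame(msg: str) -> bytes:
    """RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG, as the agent sends over TCP."""
    body = msg.encode()
    return f"{len(body)} ".encode() + body

def parse_octet_counted(stream: bytes) -> list:
    """Reassemble whole messages from the length prefix (syslog() source behaviour)."""
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp])          # MSG-LEN
        start = sp + 1
        msgs.append(stream[start:start + length].decode())  # newlines kept intact
        pos = start + length
    return msgs

def parse_newline_delimited(stream: bytes) -> list:
    """Legacy tcp() behaviour: every newline ends a record, so the length prefix
    becomes message text and a multi-line event turns into several fragments."""
    return [line.decode() for line in stream.split(b"\n") if line]

SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def sd_params(msg: str) -> dict:
    """PARAM-NAME/PARAM-VALUE pairs from STRUCTURED-DATA, RFC 5424 escapes undone."""
    return {k: v.replace('\\"', '"').replace('\\\\', '\\')
            for k, v in SD_PARAM.findall(msg)}
```

Feeding the same byte stream to both parsers shows two whole events versus five fragments, and the SD parameters (EVENT_ID, EVENT_USERNAME) are only recoverable from the reassembled message.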