System Administration
moving syslog error message to a windows box

Trng
Super Advisor

moving syslog error message to a windows box

Hi All,

I have 10 HP-UX servers. The audit team has told me to forward syslog messages to a Windows box going forward, for audit purposes...

Has anyone done this before? I am aware of the syslog.conf configuration on the Unix side. What needs to be done on the Windows box to accept the log from the Unix box and keep it in a place?


1. Please help me with what setting needs to be done on the Unix box (HP-UX 11.23)
2. What setting needs to be done on the firewall?
3. What setting needs to be done on the Windows box (how to set the location where the log files are kept)?

Rgds, trng

Regards, suresh

Re: moving syslog error message to a windows box

So Windows doesn't (to my knowledge) have a built-in syslog daemon of any kind (Windows event logs are entirely different).

So the first question to ask your audit people is what syslog software do they want you to run on the windows system? And (possibly) who is going to pay for it?

HTH

Duncan

Trng
Super Advisor

Re: moving syslog error message to a windows box

Hi,

As I mentioned, I need to move syslog errors to another server having enough space. How do I do this?
Bob_Vance
Esteemed Contributor

Re: moving syslog error message to a windows box

If you just want to copy the current syslog, assuming that you have SSH installed on the Unix box, you can use PuTTY (with PSCP) or WinSCP (both free) on the Windows box to copy files from the Unix box.

Duncan was referring to configuring syslogd on the Unix box to send the syslog messages, as they occur, dynamically over to the Windows box. For that, you need a syslog *server* on Windows and must configure the syslogd on the Unix to send them there.



bv
"The lyf so short, the craft so long to lerne." - Chaucer
Bill Hassell
Honored Contributor

Re: moving syslog error message to a windows box

It seems that you have two problems:

1. The auditors want syslog archived and not truncated, and

2. You are running out of space for local syslog.

It may be more helpful to analyze what is filling syslog. You may find that most of it is not useful and can be diverted. The syslog.conf file has the ability to parse messages into different files. Here is a syslog.conf file that separates auth, ftp, ems, kern, lpr and daemon messages into separate files. This should reduce syslog growth considerably.

*.info;mail.none;local0.none;local1.none;local5.none;auth.none;lpr.none;daemon.notice;kern.notice /var/adm/syslog/syslog.log

mail.debug /var/adm/syslog/mail.log
local0.info /var/adm/syslog/krsd.log
local1.info /var/adm/syslog/ems.log
local5.info /var/adm/syslog/ftpd.log
auth.info /var/adm/syslog/auth.log
lpr.info /var/adm/syslog/lpr.log
daemon.info /var/adm/syslog/daemon.log
kern.info /var/adm/syslog/kern.log

*.alert console
*.alert root

*.emerg *

And one more change for ntp: Edit the xntpd start script (/etc/rc.config.d/netdaemons) to add a different log for ntp:

export XNTPD_ARGS="-l /var/adm/xntpd.log"

This will remove the ntp status messages from syslog.log.

BIG NOTE: Unlike other log files, syslog.log defines a space as a comment no matter where the space appears. Use *ONLY* tab to separate items in syslog.conf. To check your resultant file, use cat -t:

*.info;mail.none;local0.none;local1.none;local5.none;auth.none;lpr.none;daemon.notice;kern.notice^I/var/adm/syslog/syslog.log

mail.debug^I/var/adm/syslog/mail.log
local0.info^I/var/adm/syslog/krsd.log
local1.info^I/var/adm/syslog/ems.log
local5.info^I/var/adm/syslog/ftpd.log
auth.info^I/var/adm/syslog/auth.log
lpr.info^I/var/adm/syslog/lpr.log
daemon.info^I/var/adm/syslog/daemon.log
kern.info^I/var/adm/syslog/kern.log

*.alert^I^Iconsole
*.alert^I^Iroot

*.emerg^I^I*

Now you can decide how to trim or transfer the repetitive logs.


Bill Hassell, sysadmin
Trng
Super Advisor

Re: moving syslog error message to a windows box

Hi All,

Thanks for the nice answers, but still my requirement is not met... let me explain my requirement once again.


I want to move all access denied/access allowed entries/critical errors to another server which should have Unix admin access.

I am sure we can do this by implementing a syslog server; unfortunately I don't know how to do it... Is it possible to configure a syslog server on a Windows server which can accept Unix syslog?


Rgds, suresh
Bill Hassell
Honored Contributor

Re: moving syslog error message to a windows box

There is no support for syslog monitoring in standard Windows. Try:

www.syslog.org

A Google search will find several free and priced products that will probably work. As far as sending just the authentication information, you can use my syslog.conf example above where auth.info is sent to a server. In fact, you can log to the auth.log locally and also send the same info to a syslog server:

auth.info /var/adm/syslog/auth.log
auth.info @my_SYSLOG_server.com


Bill Hassell, sysadmin
Trng
Super Advisor

Re: moving syslog error message to a windows box

Hi Bill,

I have configured /etc/syslog.conf as below (10.83.97.30 is the Windows box)

*.info;mail.none;auth.notice @10.83.97.30
*.notice @10.83.97.30
*.warning @10.83.97.30
*.err @10.83.97.30
*.crit @10.83.97.30
*.alert @10.83.97.30
*.emerg @10.83.97.30


and I have restarted syslogd and tried logger warning from the Unix box, but on Windows I couldn't find any log coming from my Unix box...

Rgds, trng

Re: moving syslog error message to a windows box

So it's not clear from your description whether you actually installed anything on the Windows system?

As you've been told already, there is _no_ syslog server on a Windows system by default. You need to install one.

There are a few out there though, such as the Kiwi syslog server:

http://www.kiwisyslog.com/kiwi-syslog-server-compare-versions/

or syslog-ng (although you also have to install cygwin on the windows system to use it):

http://www.syslog.org/logged/running-syslog-ng-on-windows/

HTH

Duncan

Bill Hassell
Honored Contributor

Re: moving syslog error message to a windows box

> and I have restarted syslogd and tried logger warning from the Unix box, but on Windows I couldn't find any log coming from my Unix box...

Did you look at the log directory provided by the special syslog program you installed on your Windows box?

> *.info;mail.none;auth.notice @10.83.97.30
> *.notice @10.83.97.30
> *.warning @10.83.97.30
> *.err @10.83.97.30
> *.crit @10.83.97.30
> *.alert @10.83.97.30
> *.emerg @10.83.97.30

This isn't the correct syntax. The first line will log every informational message (and higher) for every facility, but will exclude all mail messages and log auth messages from notice level on up. In other words, notice includes warning, err, crit, alert and emerg.

So assuming that you want every message at the info level and higher, this is all you need:

*.info;mail.none @10.83.97.30

If you want to ignore auth.info but log auth.notice and higher, then the first line you have will work fine:

*.info;mail.none;auth.notice @10.83.97.30

But NONE OF THIS WILL WORK until you install and configure a special syslog program on your PC. Also, there can be *NO* spaces on any line in syslog.conf except for comment lines. Use tabs to separate items on the line.


Bill Hassell, sysadmin
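Two points in this thread are easy to get wrong when editing syslog.conf by hand: Bill's earlier note that items must be tab-separated, and his explanation above that within one line the later term for a facility overrides the earlier one (so `*.info;mail.none;auth.notice` silences mail and only forwards auth at notice and above). The following is an added example, not code from the thread or from HP-UX: a small Python model of BSD-style selector semantics that checks separators and reports where a given facility.priority message would be delivered. The sample configuration is constructed for illustration and reuses the thread's forwarding address.

```python
"""Model BSD/HP-UX-style syslog.conf selectors (added example, not from the thread)."""

# Priorities from most to least severe; a selector level means that level and above.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def check_separators(conf_text):
    """Return 1-based numbers of non-comment, non-blank lines containing a space.
    syslog.conf items must be tab-separated; any space on a live line is a defect."""
    bad = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#") and " " in line:
            bad.append(n)
    return bad


def selector_accepts(selector, facility, priority):
    """Apply one line's selector, e.g. '*.info;mail.none;auth.notice'.
    Terms are evaluated left to right; for a given facility the last matching
    term wins, so 'mail.none' cancels '*.info' for mail and 'auth.notice'
    raises the threshold for auth. '*' matches every facility or level."""
    verdict = False
    for term in selector.split(";"):
        facs, _, level = term.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            verdict = False
        else:
            verdict = level == "*" or PRIORITIES.index(priority) <= PRIORITIES.index(level)
    return verdict


def destinations(conf_text, facility, priority):
    """Return every action (file, @host, user) that receives facility.priority."""
    out = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        selector, _, action = line.partition("\t")  # first tab splits selector/action
        if action.strip() and selector_accepts(selector.strip(), facility, priority):
            out.append(action.strip())
    return out


# Constructed sample: Bill's forwarding line, a local auth log, and alerts to root.
SAMPLE_CONF = (
    "*.info;mail.none;auth.notice\t@10.83.97.30\n"
    "auth.info\t/var/adm/syslog/auth.log\n"
    "*.alert\t\troot\n"
)
```

Running `destinations(SAMPLE_CONF, "auth", "info")` shows the message lands only in the local auth.log, while `"auth", "warning"` is also forwarded to the Windows box.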