HPE Community
Operating System - HP-UX
1826771 Members
2424 Online
109702 Solutions
New Discussion

moving syslog error mesaage to a windows box

 
Trng
Super Advisor

‎05-20-2011 01:24 AM

‎05-20-2011 01:24 AM

moving syslog error mesaage to a windows box

Hi All,

i have 10 HPUX servers .audit team has told me to forward syslog messages to a windows box going forward as part of audit tpuposes ...

anyone done this before ? ..i am aware about syslog.conf configuration from unix side ..what needs to be done on windows box to accept the log from unix box and keep it in a place ..


1-pls help me what setting needs to be done on unix BOX(HPUX 11.23)
2-what setting needs to be done on firewall?
3-what setting needs to be done on windows box (how to set the location of the log files to kept)

Rgds,trng

Regards,suresh
administrator
0 Kudos
Reply
15 REPLIES 15
Duncan Edmonstone
HPE Pro

‎05-20-2011 02:24 AM

‎05-20-2011 02:24 AM

Re: moving syslog error mesaage to a windows box

So windows doesn't (to my knowledge) have a built in syslog daemon of any kind (Windows event logs are entirely different)

So the first question to ask your audit people is what syslog software do they want you to run on the windows system? And (possibly) who is going to pay for it?

HTH

Duncan

I am an HPE Employee
Accept or Kudo
0 Kudos
Reply
Trng
Super Advisor

‎05-20-2011 04:26 AM

‎05-20-2011 04:26 AM

Re: moving syslog error mesaage to a windows box

Hi ,

As I mentioned. I need to move syslog errors to another server having enough space.how to do? .
administrator
0 Kudos
Reply
Bob_Vance
Esteemed Contributor

‎05-20-2011 05:30 AM

‎05-20-2011 05:30 AM

Re: moving syslog error mesaage to a windows box

If you just want to copy the current syslog, assuming that you have SSH installed on the Unix box, you can use PuTTY (with PSCP) or WinSCP (both free) on the Windows box to copy files from the Unix box.

Duncan was referring to configuring syslogd on the Unix box to send the syslog messages, as they occur, dynamically over to the Windows box. For that, you need a syslog *server* on Windows and must configure the syslogd on the Unix to send them there.



bv
"The lyf so short, the craft so long to lerne." - Chaucer
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎05-21-2011 10:18 AM

‎05-21-2011 10:18 AM

Re: moving syslog error mesaage to a windows box

It seems that you have two problems:

1. The auditors want syslog archived and not truncated, and

2. You are running out of space for local syslog.

It may be more helpful to analyze what is filling syslog. You may find that most of it is not useful and can be diverted. The syslog.conf file has to ability to parse messages into different file. Here is a syslog.conf file that separates auth, ftp, ems, kern, lpr and daemon messages into separate files. This should reduce syslog growth considerably.

*.info;mail.none;local0.none;local1.none;local5.none;auth.none;lpr.none;daemon.notice;kern.notice /var/adm/syslog/syslog.log

mail.debug /var/adm/syslog/mail.log
local0.info /var/adm/syslog/krsd.log
local1.info /var/adm/syslog/ems.log
local5.info /var/adm/syslog/ftpd.log
auth.info /var/adm/syslog/auth.log
lpr.info /var/adm/syslog/lpr.log
daemon.info /var/adm/syslog/daemon.log
kern.info /var/adm/syslog/kern.log

*.alert console
*.alert root

*.emerg *

And one more change for ntp: Edit the xntpd start script (/etc/rc.config.d/netdaemons) to add a different log for ntp:

export XNTPD_ARGS="-l /var/adm/xntpd.log"

This will remove the ntp status messages from syslog.log.

BIG NOTE: Unlike other log files, syslog.log defines a space as a comment no matter where the space appears. Use *ONLY* tab to separate items in syslog.conf. To check your resultant file, use cat -t:

*.info;mail.none;local0.none;local1.none;local5.none;auth.none;lpr.none;daemon.notice;kern.notice^I/var/adm/syslog/syslog.log

mail.debug^I/var/adm/syslog/mail.log
local0.info^I/var/adm/syslog/krsd.log
local1.info^I/var/adm/syslog/ems.log
local5.info^I/var/adm/syslog/ftpd.log
auth.info^I/var/adm/syslog/auth.log
lpr.info^I/var/adm/syslog/lpr.log
daemon.info^I/var/adm/syslog/daemon.log
kern.info^I/var/adm/syslog/kern.log

*.alert^I^Iconsole
*.alert^I^Iroot

*.emerg^I^I*

Now you can decide how to trim or transfer the repetitive logs.


Bill Hassell, sysadmin
0 Kudos
Reply
Trng
Super Advisor

‎05-23-2011 06:46 PM

‎05-23-2011 06:46 PM

Re: moving syslog error mesaage to a windows box

Hi All,

thanks for the nice answers,but still my requirement not met...let me explain my requirement once again ..


i want to move all access denied/access allowed entries/critical errors to another server whcih should have unix admin access .

I am sure we can do this by implimenting a syslog server unfortunately i dont know how to do it ...is it possible to configure syslog server on windows server which can accept unix syslog ?..


rgds,suresh

administrator
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎05-24-2011 06:17 AM

‎05-24-2011 06:17 AM

Re: moving syslog error mesaage to a windows box

There is no support for syslog monitoring in standard Windows. Try:

www.syslog.org

A Google search will find several free and priced products that will probably work. AS far as sending just the authentication information, you can use my syslog.conf example above where auth.info is sent to a server. In fact, you can log to the auth.log locally and also send the same info to a syslog server:

auth.info /var/adm/syslog/auth.log
auth.info @my_SYSLOG_server.com


Bill Hassell, sysadmin
0 Kudos
Reply
Trng
Super Advisor

‎05-24-2011 10:07 PM

‎05-24-2011 10:07 PM

Re: moving syslog error mesaage to a windows box

Hi Bill,

i have configured /etc/syslog.conf as below (10.83.97.30 is windows )

*.info;mail.none;auth.notice @10.83.97.30
*.notice @10.83.97.30
*.warning @10.83.97.30
*.err @10.83.97.30
*.crit @10.83.97.30
*.alert @10.83.97.30
*.emerg @10.83.97.30


and i have restarted syslogd and tried logger warning from unix box ,but in windows i couldnt find any log coming from my unix box ....

rgds,trng
administrator
0 Kudos
Reply
Duncan Edmonstone
HPE Pro

‎05-24-2011 10:54 PM

‎05-24-2011 10:54 PM

Re: moving syslog error mesaage to a windows box

So its not clear from your description that you actually installed anything on the windows system?

As you've been told already there is _no_ syslog server on a Windows system by default. You need to install one

There are a few out there though, such as the Kiwi syslog server:

http://www.kiwisyslog.com/kiwi-syslog-server-compare-versions/

or syslog-ng (although you also have to install cygwin on the windows system to use it):

http://www.syslog.org/logged/running-syslog-ng-on-windows/

HTH

Duncan

I am an HPE Employee
Accept or Kudo
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎05-25-2011 09:38 AM

‎05-25-2011 09:38 AM

Re: moving syslog error mesaage to a windows box

> and i have restarted syslogd and tried logger warning from unix box ,but in windows i couldnt find any log coming from my unix box ...

Did you look at the log directory provided by the special syslog program you installed on your Windows box?

> *.info;mail.none;auth.notice @10.83.97.30
> *.notice @10.83.97.30
> *.warning @10.83.97.30
> *.err @10.83.97.30
> *.crit @10.83.97.30
> *.alert @10.83.97.30
> *.emerg @10.83.97.30

This isn't the correct syntax. The first line will log every information message (and higher) for every facility, but will exclude all mail messages and log auth messages from notice level on up. In other words, notice includes warning,err,crit,alert and emerg.

So assuming that you want every message at the info level and higher, this is all you need:

*.info;mail.none @10.83.97.30

If you want to ignore auth.info but log auth.notice and hifher, then the first line you have will work fine:

*.info;mail.none;auth.notice @10.83.97.30

But NONE OF THIS WILL WORK until you install and configure a special syslog program on your PC. Also, there can be *NO* spaces on any line is syslog.conf except for coment lines. Use tabs to separate items on the line.


Bill Hassell, sysadmin
0 Kudos
Reply
vijay alur alur
Frequent Advisor

‎08-11-2011 11:09 PM

‎08-11-2011 11:09 PM

Re: moving syslog error mesaage to a windows box

Hi guys,

 

Did anyone find any soltions regarding this problem mentioned above.

 

Even i have come  across same situation. I have to send all the syslog event's of all the HPUX Servers to a windows server.

 

 

if someone found something for this please help...

 

 

Thanks and Regards,

VA

Lead Engineer, IMS.
iGATE
0 Kudos
Reply
Rick Garland
Honored Contributor

‎08-12-2011 02:44 PM

‎08-12-2011 02:44 PM

Re: moving syslog error mesaage to a windows box

You may want to rethink using windows as the syslog server.

 

Not sure if this is a vfiable option but it might be worth a try.

Install cygwin on the WIN server. Then maybe you can install syslogng on the cygwin to collect the various syslogs.

(Not sure this will work, it is an idea.)

 

At the very least, you should be able to parse the desired output from the syslogs and then copy to the WIN server. But you will still need to install putty, winscp, etc on the WIN box to be able to copy the files, or configure FTP on the WIN system. Or configure samba on the UN*X server so WIN can access.

 

If you have to install additional software so you can collect this data, will the auditors question the additional softwarethat was installed on what could be a system that is in scope for the auditors?

 

Why does it have to be a WIN server? Do the auditors have access to this WIN server so they can review the logs on their time? If you or a team member have to present the logs to the auditors, why does it matter what system the logs are on.

 

No offense for any bias I might express but WIN and UN*X are not close friends. For WIN and UN*X to be able to perform most operations we take for granted, you must install additional software on the WIN systems. 

 

 

 

 

0 Kudos
Reply
vijay alur alur
Frequent Advisor

‎08-13-2011 01:37 AM

‎08-13-2011 01:37 AM

Re: moving syslog error mesaage to a windows box

Thanks for the reply!! Still working on it.. actually the win server is using a arcsight for logging. anyways will keep posted on the progress..... i am just curious to know why do you spell UNIX as UN*X????

 

 

Regds,

VA

Lead Engineer, IMS.
iGATE
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎08-13-2011 01:57 AM

‎08-13-2011 01:57 AM

Re: moving syslog error message to a windows box

>why do you spell UNIX as UN*X?

 

Most likely since UNIX is trademarked and only if you are branded can you use it.

http://www.unix.org/what_is_unix/the_brand.html

 

So it is a anti-lawyer trick.  ;-)

0 Kudos
Reply
vijay alur alur
Frequent Advisor

‎08-13-2011 02:20 AM

‎08-13-2011 02:20 AM

Re: moving syslog error message to a windows box

ok. so is it against the law to mention them?? i guees then we need to make a note in our posts mentioning that UNIX is a registered trade mark of Open Source, like we see it in product manuals. isn't it???

Lead Engineer, IMS.
iGATE
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎08-13-2011 02:27 AM

‎08-13-2011 02:27 AM

Re: moving syslog error message to a windows box

>so is it against the law to mention them?

 

How deep are your pockets?  :-)

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.