Difference between revisions of "Cool Solution - Eventlog to Syslog"

Previous revision (wikitext as shown in the diff):

If a central syslog logging server is used within a Univention Corporate Server (UCS) domain, one might want to connect Microsoft Windows servers and clients to it. Therefore, the [http://code.google.com/p/eventlog-to-syslog/ Eventlog-to-Syslog] service might be used. This article describes the setup of the service.

== Installation ==

Download the Eventlog-to-Syslog service from the [http://code.google.com/p/eventlog-to-syslog/ website] and move it to the Microsoft Windows machines you want to install it on. To install it you need to be either within the "Domain Admins" group or a local Administrator on the machine. The following command installs the service and writes its configuration (''-i'' installs the service, ''-h'' names the syslog server):

<pre>
evtsys.exe -i -h [syslog server]
</pre>

Afterwards you might need to copy the files

<pre>
evtsys.cfg
evtsys.dll
evtsys.exe
</pre>

to the Windows system folder. On Microsoft Windows XP this is:

<pre>
C:\WINDOWS\system32
</pre>

== Enable the Eventlog ==

Eventlog-to-Syslog only forwards what Windows writes to its event logs. The Security log stays empty until an audit policy is enabled, so this step decides which logon, object-access and system events reach the syslog server at all.

=== Graphical ===

To enable auditing on Microsoft Windows XP, open the Control Panel, click ''"Administrative Tools"'' and then ''"Local Security Policy"''. Under ''"Local Policies"'' > ''"Audit Policy"'' you can enable the audit categories needed.

=== From CMD ===

First create a config file

sec.inf

with the following content:

<pre>
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=Standard security settings (Windows Professional)
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 2
AuditObjectAccess = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
</pre>

A value of 1 means successful attempts are logged, 2 means failed attempts, 3 means both, and 0 disables auditing for that category. When saving, make sure to save the file as Unicode (UTF-16) and to use Windows line endings (CRLF).

Copy the file to

C:\Windows\security\Database\

and import it with the following command

secedit /import /db secedit.sdb /areas SECURITYPOLICY /cfg sec.inf

''/import'' only loads the template into the database; the settings take effect once they are applied with ''/configure''. For older versions of Microsoft Windows, where ''/import'' may not be available, use the configure command on a separate database:

secedit /configure /db mydatabase.sdb /areas SECURITYPOLICY /cfg sec.inf

To check what is actually in effect afterwards, export the current policy with ''secedit /export /cfg current.inf /areas SECURITYPOLICY'' and compare its [Event Audit] section with the template (on Windows Vista and later, ''auditpol /get /category:*'' shows the same information per subcategory).
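The two mistakes the text warns about (a template not saved as Unicode, and Unix line endings) are easy to make when the file is produced from a script rather than from Notepad. The following added example, which is not part of the original article and not a Windows or Univention tool, builds the sec.inf shown above with an explicit UTF-16 byte-order mark and CRLF endings, and reads a template back so the policy can be checked before it is imported. The category names and the 0/1/2/3 values are those from the template; the validation logic and the file layout helpers are this example's own.

```python
"""Build and verify a secedit audit-policy template (sec.inf).

Added example, not taken from the Univention article or from any Windows
tool. It writes the [Event Audit] template in the form secedit expects
(UTF-16 with a byte-order mark and CRLF line endings) and parses one back
for checking. Values are a bitmask: 0 none, 1 success, 2 failure, 3 both.
"""
import configparser
import re

AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE = 0, 1, 2
AUDIT_BOTH = AUDIT_SUCCESS | AUDIT_FAILURE

# Categories accepted in [Event Audit], in the order the article lists them.
AUDIT_KEYS = (
    "AuditSystemEvents", "AuditLogonEvents", "AuditObjectAccess",
    "AuditPrivilegeUse", "AuditPolicyChange", "AuditAccountManage",
    "AuditProcessTracking", "AuditDSAccess", "AuditAccountLogon",
)

UTF16_LE_BOM = b"\xff\xfe"


def describe(value):
    """Human-readable meaning of an audit value (the 0/1/2/3 codes)."""
    names = {AUDIT_NONE: "none", AUDIT_SUCCESS: "success",
             AUDIT_FAILURE: "failure", AUDIT_BOTH: "success and failure"}
    return names[value]


def build_template(audit, description="Standard security settings (Windows Professional)"):
    """Return the sec.inf bytes for a {category: value} mapping.

    Categories not mentioned are written as 0, so the template states the
    whole audit policy instead of leaving categories at whatever the
    machine had before.
    """
    for key, value in audit.items():
        if key not in AUDIT_KEYS:
            raise ValueError("unknown audit category: %s" % key)
        if value not in (AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_BOTH):
            raise ValueError("%s: value must be 0..3, got %r" % (key, value))
    lines = [
        "[Unicode]", "Unicode=yes",
        "[Version]", 'signature="$CHICAGO$"', "Revision=1",
        "[Profile Description]", "Description=" + description,
        "[Event Audit]",
    ]
    lines += ["%s = %d" % (key, audit.get(key, AUDIT_NONE)) for key in AUDIT_KEYS]
    text = "\r\n".join(lines) + "\r\n"               # Windows line endings
    return UTF16_LE_BOM + text.encode("utf-16-le")   # explicit BOM, fixed byte order


def parse_template(data):
    """Decode a sec.inf and return its [Event Audit] section as {category: int}.

    Rejects the two mistakes the article warns about: a file saved without
    the UTF-16 byte-order mark, and bare LF line endings.
    """
    if not data.startswith(UTF16_LE_BOM):
        raise ValueError("sec.inf must be saved as Unicode (UTF-16 LE with BOM)")
    text = data[len(UTF16_LE_BOM):].decode("utf-16-le")
    if re.search(r"(?<!\r)\n", text):
        raise ValueError("sec.inf must use Windows (CRLF) line endings")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep the case of keys such as AuditLogonEvents
    cp.read_string(text)
    return {key: int(value) for key, value in cp["Event Audit"].items()}


if __name__ == "__main__":
    # Same policy as the article's template: system success, logon failure,
    # object access both; everything else off.
    policy = {"AuditSystemEvents": AUDIT_SUCCESS,
              "AuditLogonEvents": AUDIT_FAILURE,
              "AuditObjectAccess": AUDIT_BOTH}
    blob = build_template(policy)
    with open("sec.inf", "wb") as fh:
        fh.write(blob)
    for key, value in parse_template(blob).items():
        print("%-22s %s" % (key, describe(value)))
```

Run it on the machine that will execute secedit (or copy the resulting sec.inf over); parse_template is also handy for checking a template someone else hands you before it is applied to a domain member.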
 
 
 
 
 
 
 
== Receiving with Syslog ==

It might be advisable to set up a proper logging server instead of using the standard syslog. However, if you want to receive events with the classic ''sysklogd'', edit the file <tt>/etc/default/syslog</tt> and change

SYSLOGD=""

to

SYSLOGD="-r -m0"

(''-r'' makes syslogd accept remote messages on UDP port 514, ''-m0'' turns off the periodic "-- MARK --" lines) and restart the daemon

/etc/init.d/sysklogd restart

Like any UDP syslog listener, this accepts unauthenticated, unencrypted datagrams from whoever can reach the port, so restrict it with the packet filter to the network the Windows clients live in.
 

Revision as of 09:33, 2 September 2014

Note: This article is not yet reviewed.
UCS Version 3.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

If a central syslog logging server is used within a Univention Corporate Server (UCS) domain, one might want to connect Microsoft Windows servers and clients to it. Therefore, the Eventlog-to-Syslog service might be used.

This article describes the setup of the service.

The shown procedure works for all common Windows installations (XP, Vista, 7, 8, 8.1, Server 2003, Server 2008, Server 2012).

Installation

Server side

Create a file called eventlog.conf within the directory /etc/rsyslog.d/ and insert the following content:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Explanation: First, the imudp module is loaded to provide the ability to receive syslog messages via UDP; next, the port on which the UDP server listens is defined. Plain UDP syslog is neither authenticated nor encrypted: a forged datagram is indistinguishable from a genuine event, and a datagram lost on the wire is not retransmitted, so the network between clients and server has to be trusted. Save the config file and restart your rsyslog daemon.

service rsyslog restart

In the next step, a packet filter rule for the UDP server must be set. The rule below opens UDP port 514 for IPv4 and IPv6 from any source address; execute the following command:

ucr set security/packetfilter/package/rsyslog/udp/514/all=ACCEPT

Afterwards, restart the univention-firewall:

service univention-firewall restart

The server-side installation is now complete.

Client side

The following steps must be executed on every client from which you want the event logs in your syslog file.

  • Download the Eventlog-to-Syslog service from the Website

Note: The next steps must be carried out on the command line of your Windows client with an administrative user.

After you have extracted the files from the archive, change into the directory of the file evtsys.exe and execute the following (-i installs the service, -h names the syslog server):

evtsys.exe -i -h [syslog server]

Afterwards, start the service with

net start evtsys

Now you should see the first log entries on your syslog server. Log entries from your Windows clients always start with the client's hostname in front of the log message.
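Once the entries arrive, the useful next step is to do something with the hostname and the Windows event ID they carry. The following added example is not part of the Univention article or of the eventlog-to-syslog project: it parses lines in the RFC 3164 form rsyslog's imudp receives, splits the message body on the "Source: EventID: EventType text" shape assumed here for evtsys, and counts failed-logon events per sending host, which is the simplest detection worth running over this feed. It also builds a test datagram for checking that the UDP listener and the packet filter rule actually work. The sample lines are constructed for the example, not captured from a client.

```python
"""Parse the syslog lines Eventlog-to-Syslog sends and flag failed logons.

Added example, not from the Univention article or the eventlog-to-syslog
project. It assumes evtsys emits RFC 3164 style datagrams shaped like
'<PRI>Mon DD HH:MM:SS HOST Source: EventID: EventType message'; the sample
lines below are constructed for this example, not captured from a client.
"""
import re
import socket
import time
from collections import Counter

# RFC 3164 header: <PRI>, BSD timestamp (day may be space-padded), hostname, rest.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<message>.*)$"
)
# Assumed evtsys message body: "Source: EventID: EventType text".
EVTSYS = re.compile(r"^(?P<source>[^:]+): (?P<event_id>\d+): (?P<event_type>\S+) (?P<text>.*)$")

# Failed-logon event IDs: 4625 on Vista/2008 and later, 529-537 and 539 on XP/2003.
FAILED_LOGON_IDS = {4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539}

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

SAMPLE_LINES = [  # constructed sample input
    "<110>Sep  2 09:31:07 WIN7-PC Security-Auditing: 4624: AUDIT_SUCCESS An account was successfully logged on.",
    "<110>Sep  2 09:31:09 WIN7-PC Security-Auditing: 4625: AUDIT_FAILURE An account failed to log on.",
    "<110>Sep  2 09:31:11 WIN7-PC Security-Auditing: 4625: AUDIT_FAILURE An account failed to log on.",
    "<110>Sep  2 09:31:13 WIN7-PC Security-Auditing: 4625: AUDIT_FAILURE An account failed to log on.",
    "<110>Sep  2 09:31:20 WINXP-PC Security: 529: AUDIT_FAILURE Logon Failure: Unknown user name or bad password.",
    "<110>Sep  2 09:32:01 WINXP-PC Service Control Manager: 7036: INFORMATION The Eventlog to Syslog service entered the running state.",
]


def parse_line(line):
    """Split one syslog line into header fields and, where the body matches
    the evtsys shape, the Windows event source, ID and type."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m["pri"])
    record = {
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": m["timestamp"], "host": m["host"], "message": m["message"],
    }
    body = EVTSYS.match(m["message"])
    if body:
        record.update(source=body["source"], event_id=int(body["event_id"]),
                      event_type=body["event_type"], text=body["text"])
    return record


def failed_logons_per_host(lines, threshold=3):
    """Count failed-logon events per sending host and return the hosts at or
    above the threshold, e.g. to alert on password guessing against a client."""
    counts = Counter()
    for line in lines:
        record = parse_line(line)
        if record.get("event_id") in FAILED_LOGON_IDS:
            counts[record["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def format_test_message(hostname, text="evtsys reception test", facility=1, severity=6):
    """Build an RFC 3164 datagram (facility 1 = user, severity 6 = info) that
    looks like a client message, for checking the rsyslog listener."""
    t = time.localtime()
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                       t.tm_hour, t.tm_min, t.tm_sec)
    return ("<%d>%s %s %s" % (facility * 8 + severity, stamp, hostname, text)).encode()


def send_test_message(server, hostname="TESTCLIENT", port=514):
    """Send one test datagram to the UCS rsyslog server; then look for the
    hostname in /var/log/syslog there. Returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(format_test_message(hostname), (server, port))


if __name__ == "__main__":
    for record in map(parse_line, SAMPLE_LINES):
        print(record["host"], record.get("event_id"), record.get("event_type"))
    print("hosts with repeated failed logons:", failed_logons_per_host(SAMPLE_LINES))
```

send_test_message("ucs-server.example.com") from any machine on the client network is a quick way to tell a listener problem from an evtsys problem: if the test line shows up in /var/log/syslog but Windows events do not, the rsyslog side and the packet filter are fine and the fault is on the client.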
