Difference between revisions of "Cool Solution - Eventlog to Syslog"

From Univention Wiki

(Replaced content with "This page has been moved to the Knowledge Base Cool Solutions in the Forum. [https://help.univention.com/t/cool-solution-eventlog-to-syslog/12696 Cool Solution - Eventlog...")
Tag: Replaced
 
Line 1: Line 1:
{{Version|UCS=4.2}}
+
This page has been moved to the Knowledge Base Cool Solutions in the Forum.
{{Version|UCS=4.3}}
 
{{Cool Solutions Disclaimer|Repository=no}}
 
{{#seo:
 
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}}
 
<!--|description=-->
 
}}
 
  
If a central ''syslog'' logging server is used within a Univention Corporate Server (UCS) domain, one might want to connect Microsoft Windows servers and clients to it. Therefore, the [http://code.google.com/p/eventlog-to-syslog/ Eventlog-to-Syslog] service might be used.
+
[https://help.univention.com/t/cool-solution-eventlog-to-syslog/12696 Cool Solution - Eventlog to Syslog]
 
 
This article describes the setup of the service.
 
 
 
The shown procedure works for all common Windows operating systems (XP, Vista, 7, 8, 8.1, Server 2003, Server 2008, Server 2012)
 
 
 
== Installation ==
 
 
 
=== Server side ===
 
 
 
Create a file called '''eventlog.conf''' within the directory '''/etc/rsyslog.d/''' and insert the following content:
 
 
 
<pre>
 
# Provides UDP syslog reception
 
$ModLoad imudp
 
$UDPServerRun 514
 
</pre>
 
 
 
'''Explanation:''' At first, the input module for UDP (imudp) will be loaded to provide the ability to receive syslog messages via UDP. Then the UDP port on which the server listens is defined.
 
 
 
rsyslog has powerful features, including filters. You might want to have a look at the [http://www.rsyslog.com/doc/master/index.html official documentation].
 
 
 
Save the config file and restart your rsyslog deamon:
 
 
 
<pre>
 
service rsyslog restart
 
</pre>
 
 
 
In the next step, a packet filter rule for the UDP server must be set. To do so, execute the following command:
 
 
 
<pre>
 
ucr set security/packetfilter/package/rsyslog/udp/514/all=ACCEPT
 
</pre>
 
 
 
Afterwards, restart the ''univention-firewall'':
 
 
 
<pre>
 
service univention-firewall restart
 
</pre>
 
 
 
The serverside installation is now complete.
 
 
 
=== Client side ===
 
The following steps must be executed on every client from which you want the eventlogs in your syslog file.
 
 
 
* Download the Eventlog-to-Syslog service from its [http://code.google.com/p/eventlog-to-syslog/ Website]
 
* Extract the .zip file
 
* Optional: Move the evtsys.exe somewhere more preferable, as it is going to get installed as a service.
 
 
 
'''Note:''' The next steps must be made on the commandline on your Windows Client with an Administrative user.
 
 
 
Change in the directory you extracted from the .zip file. Execute the following command while replacing [syslog server] with the IP adress of your remote logging server:
 
 
 
<pre>
 
evtsys.exe -i -h [syslog server]
 
</pre>
 
 
 
Afterwards, activate the service with
 
<pre>
 
net start evtsys
 
</pre>
 
<br>
 
'''Note:''' The following additional command has to be executed under Windows 10, to make sure, that the service will get started automatically on reboot:
 
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\EvtSys" /f /v "DependOnService" /t REG_MULTI_SZ /d eventlog\0LanmanServer\0netman
 
<br>
 
Now, you should see the first log entries on your syslog server in ''/var/log/syslog''. Log entries from your Windows clients always start with their hostname in front of the log messages.
 
 
 
== Archive ==
 
 
 
There is a version of this article for [http://wiki.univention.de/index.php?title=Cool_Solution_-_Eventlog_to_Syslog&oldid=12184 UCS 3.2].
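Review bot: the replacement at the top of this hunk keeps only the "This page has been moved" sentence and the forum link, so the "== Archive ==" pointer to the UCS 3.2 revision (oldid=12184) at the bottom of the removed text is no longer reachable from this page. Keep that one line under the moved notice, or confirm that the forum article links to it. The removed text also carried the {{Version|UCS=4.3}} tag, so the stub no longer states which UCS release the moved instructions were written for; retaining the tag next to the notice would preserve that.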
 

Latest revision as of 14:06, 9 August 2019

This page has been moved to the Knowledge Base Cool Solutions in the Forum.

Cool Solution - Eventlog to Syslog