handling Windows Event Messages
Does anyone have experience with handling WEC messages from Windows clients
in (r)syslog infrastructure?
The standard way is to install some Windows syslog agent which forwards
Windows events to the syslog infrastructure. Which Windows syslog agent do you
use?

It might be interesting to see something like an imwec module.
https://docs.microsoft.com/en-us/windows/win32/wec/using-windows-event-collector
The same way syslog-ng PE implemented it:
https://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/7.0.17/windows-event-collector-administration-guide/log
They switched from developing a Windows syslog agent to a WEC input module for
the syslog-ng server, which I find the best way of handling this type of data
flow.

--
Peter
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: handling Windows Event Messages
For obvious reasons, I recommend the rsyslog Windows Agent ;-)

https://www.rsyslog.com/windows-agent/

Rainer

On Mon, 24 Aug 2020 at 16:17, Peter Viskup via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
> [...]
Re: handling Windows Event Messages
Understand. It is one of our candidates.
Just discovered one of your latest posts regarding Windows Events
forwarding. :-)
https://rainer.gerhards.net/2019/10/rsyslog-integrating-windows-event-log-via-udp.html

Still interesting whether some other users have experience with other
software.

--
Peter

On Mon, Aug 24, 2020 at 4:47 PM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:

> [...]
Re: handling Windows Event Messages
In the past I have used NxLog with success, but my most recent attempt with
their community edition has run into grief (some sort of memory error).

You should look at it; every product has problems at some point.

David Lang

On Thu, 27 Aug 2020, Peter Viskup via rsyslog wrote:

> [...]
Re: handling Windows Event Messages
Re: handling Windows Event Messages
Strange thing, because in my "Sent" folder the message is full of
content whereas I see the posting on the list empty.

Anyways, I'll repost the contents of the original message:

"I've seen Kiwi and SolarWinds in use, and the main problem is not in
generating log events as such or forwarding them later with rsyslog or
any other solution. The problem in the end is that when you receive the
events at the destination, you probably want to parse them into some
kind of log management software.

And here is where it gets tricky, because your solution might not be very
happy with the format of the message. I suggest you take a look at both
of them if you're interested and see for yourself whether it's parseable
on your end.
If I remember correctly, Kiwi sends some part of the data as XML and
some as the key-value part of the syslog message, but SolarWinds sends the
events rendered as a simple text message. (But I haven't seen them for
quite a while, so this is just my vague recollection)."

Mariusz Kruk
IT Security Expert
COMP S.A.
Cybersecurity and Risk Management Division
e-mail: mariusz.kruk@comp.com.pl
e-mail: mariusz.kruk@safecomp.com
tel: +48 608 623 299

On 27.08.2020 09:03, mariusz.kruk--- via rsyslog wrote:
Re: handling Windows Event Messages
That's one of the reasons why I recommend the rsyslog Windows Agent: you
have full control over the output format. Also, its default format
(Adiscon EventReporter) is known by many systems because it was the
first tool ever to perform that type of work.

Rainer

On Thu, 27 Aug 2020 at 13:41, Mariusz Kruk via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
> [...]
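Mariusz's point above (the receiving side has to parse whatever shape the agent sends, XML, key-value or rendered text) and Rainer's answer (control the output format) both come down to getting a Windows event into a structured record on the collector. The following is an added example, not code from this thread and not the output format of the rsyslog Windows Agent, Kiwi, SolarWinds or any other agent mentioned: it assumes an agent that forwards each event as an RFC 3164 syslog message whose MSG part is the event rendered as the XML the Windows EvtRender API produces (namespace http://schemas.microsoft.com/win/2004/08/events/event), and turns that into one JSON object. The sample message, host names and field values are constructed for the example.

```python
"""Normalise a Windows event carried as EvtRender XML inside a syslog message.

Added example (not from the rsyslog thread, not any agent's real format).
Assumes: RFC 3164 header + <Event xmlns="...win/2004/08/events/event">...
"""
import json
import re
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed sample: PRI 13 = facility 1 (user) * 8 + severity 5 (notice).
SAMPLE_MESSAGE = (
    "<13>Aug 27 13:41:02 WIN-DC01 Security: "
    f'<Event xmlns="{EVENT_NS}">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    "<EventID>4624</EventID><Level>0</Level><Task>12544</Task>"
    '<TimeCreated SystemTime="2020-08-27T11:41:02.123456700Z"/>'
    "<Channel>Security</Channel><Computer>WIN-DC01.example.local</Computer></System>"
    "<EventData>"
    '<Data Name="TargetUserName">jdoe</Data>'
    '<Data Name="TargetDomainName">EXAMPLE</Data>'
    '<Data Name="LogonType">10</Data>'
    '<Data Name="IpAddress">10.0.0.23</Data>'
    "</EventData></Event>"
)

# RFC 3164 envelope: <PRI>TIMESTAMP HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(line: str) -> dict:
    """Split the syslog envelope; PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": m["tag"],
        "msg": m["msg"],
    }


def parse_event_xml(xml_text: str) -> dict:
    """Flatten the <System> block and the named <Data> elements of an <Event>."""
    # Log senders here are hosts on the collection path; for XML from
    # untrusted sources parse with defusedxml rather than ElementTree.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{EVENT_NS}}}Event":
        raise ValueError(f"unexpected root element {root.tag}")
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("Event without System block")
    provider = system.find("e:Provider", NS)
    time_created = system.find("e:TimeCreated", NS)
    event = {
        "provider": provider.get("Name") if provider is not None else None,
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": int(system.findtext("e:Level", default="0", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time_created": time_created.get("SystemTime") if time_created is not None else None,
        "data": {},
    }
    # <Data Name="..."> children become keys; unnamed Data elements (older
    # providers) are kept under their position so nothing is silently dropped.
    for i, d in enumerate(root.iterfind("e:EventData/e:Data", NS)):
        event["data"][d.get("Name") or str(i)] = (d.text or "").strip()
    return event


def to_record(line: str) -> dict:
    """Syslog envelope plus parsed event, ready to emit as one JSON object."""
    env = parse_syslog(line)
    body = env.pop("msg")
    if not body.lstrip().startswith("<Event"):
        raise ValueError("MSG part is not rendered event XML")
    return {"syslog": env, "event": parse_event_xml(body)}


if __name__ == "__main__":
    print(json.dumps(to_record(SAMPLE_MESSAGE), indent=2))
```

Keeping the EventID, Channel and the named EventData fields as separate keys is what makes the record usable downstream; an agent that flattens the event to one line of text (the SolarWinds behaviour Mariusz recalls) forces a per-event-ID regex on the collector instead.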
Re: handling Windows Event Messages
Hello Rainer,
just curious about the resources the rsyslog Windows Agent requires, maybe in
comparison to nxlog or others.
We are facing issues with getting the IIS logs from Windows hosts. They log
to plain text files, as writing to the Windows EventLog caused performance
issues.
How many resources does the rsyslog Windows Agent consume? How does it
perform for this type of plain text file processing? Do you have some
numbers to count on?

Has anyone compared the rsyslog Windows Agent to nxlog or another syslog
forwarding tool?

--
Peter

On Thu, Aug 27, 2020 at 2:18 PM Rainer Gerhards via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> [...]
Re: handling Windows Event Messages
Hi Peter,

we did not do the comparison, I admit. But remember that the tool stems
back to 1998, when performance was much more constrained compared to
now. Of course, APIs changed, requiring more performance. But we
always kept the tool in the spirit of using as few resources as
possible. I wrote the initial IIS file monitor myself. It has a bit
more overhead, because it handles all the "anomalies" of IIS log files
(nul byte padding to name a specific one), but I would really be
surprised if that used notable resources.

Do you have any indication the rsyslog windows agent causes problems?

Rainer

On Wed, 11 Nov 2020 at 14:18, Peter Viskup
(<skupko.sk@gmail.com>) wrote:
> [...]
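Rainer's reply mentions the "anomalies" an IIS file monitor has to handle, NUL-byte padding being one. The following is an added example, not code from this thread and not the rsyslog Windows Agent's IIS monitor (the post only mentions that such a monitor exists): a small reader for IIS W3C extended log files that copes with the two things a plain-text file monitor meets on IIS, the #Fields directive that defines the column layout and can reappear mid-file when the configured columns change, and runs of NUL bytes in regions of the file IIS has reserved but not yet written. The log bytes, addresses and field layout below are constructed; the W3CLogParser class and parse_log function are this example's own names.

```python
"""Reader for IIS W3C extended log files with #Fields tracking and NUL padding.

Added example (not from the rsyslog thread, not the rsyslog Windows Agent).
Sample bytes are constructed.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = (
    b"#Software: Microsoft Internet Information Services 10.0\r\n"
    b"#Version: 1.0\r\n"
    b"#Date: 2020-11-11 13:18:00\r\n"
    b"#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    b"cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken\r\n"
    b"2020-11-11 13:18:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 "
    b"Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15\r\n"
    b"2020-11-11 13:18:02 10.0.0.5 POST /api/login - 443 - 198.51.100.9 "
    b"curl/7.68.0 401 2 5 3\r\n"
    # IIS writes a fresh #Fields line when the logged columns change.
    b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n"
    b"2020-11-11 13:18:03 198.51.100.9 GET /admin 403\r\n"
    # An entry IIS is still writing, followed by reserved-but-unwritten NULs.
    b"2020-11-11 13:18:04 198.51."
    + b"\x00" * 64
)

# Fields in which IIS substitutes "+" for spaces (the format is space-delimited).
PLUS_ENCODED = {"cs(User-Agent)", "cs(Referer)", "cs(Cookie)"}


class W3CLogParser:
    """Line-by-line parser that keeps the current #Fields layout as state."""

    def __init__(self) -> None:
        self.fields: Optional[List[str]] = None
        self.incomplete = 0  # data lines that did not match the current layout

    def feed_line(self, raw: bytes) -> Optional[Dict[str, Optional[str]]]:
        # Drop the newline and any NUL padding; a NUL-only line is unwritten space.
        line = raw.rstrip(b"\r\n").rstrip(b"\x00")
        if not line:
            return None
        text = line.decode("utf-8", errors="replace")
        if text.startswith("#"):
            if text.startswith("#Fields:"):
                self.fields = text[len("#Fields:"):].split()
            return None  # #Software, #Version and #Date carry no entry data
        if self.fields is None:
            raise ValueError("data line before any #Fields directive")
        values = text.split(" ")
        if len(values) != len(self.fields):
            # A line that ran into NULs was cut off mid-write: skip it, count it.
            self.incomplete += 1
            return None
        entry: Dict[str, Optional[str]] = {}
        for name, value in zip(self.fields, values):
            if value == "-":  # IIS writes "-" for an absent value
                entry[name] = None
            elif name in PLUS_ENCODED:
                entry[name] = value.replace("+", " ")
            else:
                entry[name] = value
        return entry


def parse_log(data: bytes) -> Tuple[List[Dict[str, Optional[str]]], int]:
    """Parse a file image; returns (entries, incomplete-line count).

    bytes.splitlines() only splits on \\r and \\n, so NUL runs stay attached
    to the line they follow and are stripped by feed_line().
    """
    parser = W3CLogParser()
    entries = []
    for raw in data.splitlines(keepends=True):
        entry = parser.feed_line(raw)
        if entry is not None:
            entries.append(entry)
    return entries, parser.incomplete


if __name__ == "__main__":
    parsed, skipped = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(e)
    print(f"{skipped} incomplete line(s)")
```

In a real tailer the incomplete line is not an error: IIS will overwrite the NULs with the rest of the entry, so the monitor has to remember the offset of the line start and re-read from there on the next poll rather than advancing past the padding. Two cheap checks once the records exist: the sc-status / sc-substatus pair (the 401 2 above is a credentials failure) and the c-ip are the fields a SIEM rule on brute-force logins needs, and the #Fields tracking is what keeps them in the right column after an administrator adds or removes a logged field.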