Couple of Questions from an extremely new noob

New to the whole world of IT and as a baby step project...I'm evaluating Syslog programs...

Is there a way to find out what devices are reporting their syslog messages? I'm trying to split the log files based on sending device...but with a few people adding in different devices...I'm not sure what/how many I'm dealing with.

Does the Kiwi Syslog have any other type of reports other than the 24 snapshot? Can we create our own reports?

I've seen some of the messages with "warning" in the message text...yet the "priority" is "user.info". Can someone explain?

thanks for any help.

1 Solution

Hi davenc,

Without going into too much depth, the easiest way to split log files based on sending device would be to amend your default "Log to File" action, so that the "Path and file name of Log file" includes an auto-split value.

i.e. Add the %IPAdd4 (IP Address, 4 octets, zero padded) auto-split value.
C:\Logs\SyslogCatchAll_%IPAdd4.txt

This will result in one log file per device IP address.  So, instead of one single "SyslogCatchAll.txt" file, you'd get:
C:\Logs\SyslogCatchAll_192.168.110.108.txt 
C:\Logs\SyslogCatchAll_192.168.110.128.txt
C:\Logs\SyslogCatchAll_192.168.220.155.txt 
etc...

There are a variety of other auto-split value combinations that may also be of use:

To split the messages based on priority level and current date, use:
C:\Logs\%PriLevAA\MyLogFile-%DateISO.txt

The resulting path and file name would look like this:
C:\Logs\Debug\MyLogFile-2002-04-09.txt

Or you could split the messages based on the sending host, then break each host into priority level:
C:\Logs\%HostName.%HostDomain\MyLogFile-%PriLevAA.txt

The resulting path and file name would look like this:
C:\Logs\myhost.mycompany.com\MyLogFile-Warn.txt

For more information on Kiwi Syslog's Log to File auto-split values:
http://www.kiwisyslog.com/help/syslog/action_log_auto_split_values.htm

For more general information on configuring devices which support the Syslog protocol:
http://www.kiwisyslog.com/help/syslog/configure_devices.htm

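To make the auto-split idea concrete, here is an added example (my own code, not Kiwi's and not part of this thread) that expands the same kind of tokens (%IPAdd4, %PriLevAA, %DateISO, %HostName, %HostDomain) for a parsed message and groups messages by the file they would land in. Grouping by %IPAdd4 also answers the "which devices are reporting" question: the set of output files is the device inventory that a single catch-all file hides. The token names come from the answer above; their exact expansion rules, the severity spellings, and the sanitising of the hostname are my assumptions. The sanitising matters because the HOSTNAME field is whatever the sender put in the packet, and a value used unchecked as a directory name could point outside the log root.

```python
import re
from datetime import date

# Abbreviated severity names for the %PriLevAA-style token. The numeric
# mapping (RFC 3164, PRI = facility * 8 + severity) is standard; the exact
# spellings are an assumption modelled on the "Debug" and "Warn" examples in
# the answer, not Kiwi's own table.
SEVERITY_NAMES = {
    0: "Emerg", 1: "Alert", 2: "Crit", 3: "Error",
    4: "Warn", 5: "Notice", 6: "Info", 7: "Debug",
}

# Anything outside this set is replaced before a value becomes a path component.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")


def safe_label(value: str) -> str:
    """Reduce an untrusted string (a hostname is whatever the sender sent)
    to characters that cannot introduce a path separator or a parent
    directory reference."""
    cleaned = _UNSAFE.sub("_", value).lstrip(".")
    return cleaned or "unknown"


def ip_add4(ip: str) -> str:
    """Zero-pad each octet to three digits so files sort in address order
    (192.168.1.5 -> 192.168.001.005)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(f"{int(o):03d}" for o in octets)


def render_log_path(template: str, msg: dict, today: date) -> str:
    """Expand the auto-split tokens in `template` for one received message.

    `msg` has keys "source_ip" (the peer address the datagram came from),
    "hostname" (the HOSTNAME field inside the message) and "priority" (the
    numeric PRI); `today` is the receive date used for %DateISO.
    """
    host, _, domain = msg["hostname"].partition(".")
    values = {
        "%IPAdd4": ip_add4(msg["source_ip"]),
        "%PriLevAA": SEVERITY_NAMES[msg["priority"] % 8],
        "%DateISO": today.isoformat(),
        "%HostName": safe_label(host),
        "%HostDomain": safe_label(domain) if domain else "",
    }
    out = template
    # Longest tokens first so no token is clobbered by a shorter prefix.
    for token in sorted(values, key=len, reverse=True):
        out = out.replace(token, values[token])
    return out


def split_by_path(template: str, messages: list, today: date) -> dict:
    """Group raw message texts by the file they would be written to. With an
    %IPAdd4 template the keys are one entry per sending device."""
    buckets = {}
    for m in messages:
        buckets.setdefault(render_log_path(template, m, today), []).append(m["text"])
    return buckets


# Constructed sample traffic: two devices, one of which sends a hostname that
# would escape the log directory if it were used unsanitised.
SAMPLE_DATE = date(2002, 4, 9)
SAMPLE_MESSAGES = [
    {"source_ip": "192.168.110.108", "hostname": "myhost.mycompany.com",
     "priority": 12, "text": "<12>link down on Gi0/1"},
    {"source_ip": "192.168.110.108", "hostname": "myhost.mycompany.com",
     "priority": 15, "text": "<15>config saved"},
    {"source_ip": "192.168.220.155", "hostname": "..\\..\\Windows",
     "priority": 14, "text": "<14>hello"},
]

if __name__ == "__main__":
    per_device = split_by_path(r"C:\Logs\SyslogCatchAll_%IPAdd4.txt",
                               SAMPLE_MESSAGES, SAMPLE_DATE)
    for path, lines in per_device.items():
        print(f"{path}: {len(lines)} message(s)")
```

The per-host template in the answer only stays safe if the hostname is cleaned first; the third sample message shows a hostname of `..\..\Windows` collapsing to a harmless directory name instead of a parent reference.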
3 Replies

thanks for the info!

Another question.

The following message contains a 'warning' but comes up in the category of User Info. Can you tell me why?

 

2010-08-26 10:36:08        User.Info                   Aug 26 10:36:08  MSWinEventLog                1              Application         5087       Thu Aug 26 10:35:00 2010              13051    Windows Server Update Services                Unknown User N/A        Warning                       Clients                  No client computers have ever contacted the server.          998

The event is either from Snare or SolarWinds Log Forwarder for Windows.

You might want to check out this RunScript:

<program files>\Syslogd\Scripts\Script_Log_snare_events_to_odbc.txt

It will parse the MSWinEventLog message format, and enable you to insert the event into a database table.
More detailed information is available in the comments of the script.  Information on setting up a RunScript action is available in the help docs.

Hope this helps. 

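As an added example (my own code, not Kiwi's RunScript and not part of this thread), here is a parser for the tab-delimited MSWinEventLog body that reads the Windows event type separately from the syslog PRI. It shows why the record quoted above arrives as "User.Info" yet says "Warning": with agents of this kind the syslog priority comes from the agent's configuration rather than from each event, while the Windows severity travels inside the message body, so a filter keyed on syslog severity alone will not see Windows Warning or Error events. The field order, the sample lines (reconstructed from the record above with tabs restored and a constructed hostname `wsus01` added) and the mapping from Windows event types to syslog severities are my assumptions; check the field order against your own agent's output.

```python
import re

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
] + [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Field order assumed for the tab-separated part after "MSWinEventLog". This is
# my reading of the Snare-style layout, not a vendor-verified specification.
SNARE_FIELDS = [
    "criticality", "log_name", "counter", "event_time", "event_id",
    "source_name", "user", "sid_type", "event_type", "computer",
    "category", "message", "checksum",
]

# Windows event log type -> the syslog severity it most nearly corresponds to
# (assumed mapping; adjust to local policy).
WIN_TYPE_TO_SEVERITY = {
    "Error": "err", "Warning": "warning", "Information": "info",
    "Success Audit": "notice", "Failure Audit": "warning",
}


def parse_snare_record(line: str) -> dict:
    """Split one forwarded Windows event into its syslog envelope and its
    Windows fields, and flag when the body is more severe than the PRI."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    _, sep, rest = line.partition("MSWinEventLog\t")
    if not sep:
        raise ValueError("not an MSWinEventLog record")
    parts = rest.split("\t")
    if len(parts) < len(SNARE_FIELDS):
        raise ValueError(f"expected {len(SNARE_FIELDS)} fields, got {len(parts)}")
    # A free-text message containing a tab pushes extra parts in before the
    # checksum; fold them back into the message field.
    if len(parts) > len(SNARE_FIELDS):
        extra = len(parts) - len(SNARE_FIELDS)
        i = SNARE_FIELDS.index("message")
        parts = parts[:i] + ["\t".join(parts[i:i + extra + 1])] + parts[i + extra + 1:]
    fields = dict(zip(SNARE_FIELDS, parts))
    win_sev = WIN_TYPE_TO_SEVERITY.get(fields["event_type"])
    win_level = SEVERITY_NAMES.index(win_sev) if win_sev else None
    return {
        "syslog_priority": f"{FACILITY_NAMES[facility]}.{SEVERITY_NAMES[severity]}",
        "syslog_severity": severity,
        "event_id": int(fields["event_id"]),
        "event_type": fields["event_type"],
        "source": fields["source_name"],
        "message": fields["message"],
        "windows_severity": win_level,
        # True when the Windows level is more severe (numerically lower) than
        # the PRI the agent stamped on the packet.
        "severity_mismatch": win_level is not None and win_level < severity,
    }


def windows_events_at_or_above(lines, threshold="warning"):
    """Select records by the Windows event type, ignoring the syslog PRI."""
    limit = SEVERITY_NAMES.index(threshold)
    selected = []
    for line in lines:
        rec = parse_snare_record(line)
        if rec["windows_severity"] is not None and rec["windows_severity"] <= limit:
            selected.append(rec)
    return selected


# Constructed samples: the record from the post (tabs restored, hostname
# "wsus01" added) and a second, informational event with the same PRI.
SAMPLE_WARNING = (
    "<14>Aug 26 10:36:08 wsus01 MSWinEventLog\t1\tApplication\t5087\t"
    "Thu Aug 26 10:35:00 2010\t13051\tWindows Server Update Services\t"
    "Unknown User\tN/A\tWarning\twsus01\tClients\t"
    "No client computers have ever contacted the server.\t998"
)
SAMPLE_INFO = (
    "<14>Aug 26 10:40:00 wsus01 MSWinEventLog\t1\tApplication\t5088\t"
    "Thu Aug 26 10:39:00 2010\t13000\tWindows Server Update Services\t"
    "Unknown User\tN/A\tInformation\twsus01\tSync\t"
    "Synchronization completed.\t999"
)

if __name__ == "__main__":
    for rec in windows_events_at_or_above([SAMPLE_WARNING, SAMPLE_INFO]):
        print(rec["syslog_priority"], rec["event_type"], rec["event_id"], rec["message"])
```

Run on the two samples, both arrive as `user.info`, but only event 13051 is selected, because the selection reads the Windows "Warning" from the body; `severity_mismatch` is a useful field to keep when loading these records into the database table the RunScript targets.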