0 Replies Latest reply on Feb 8, 2011 3:35 AM by xilu87

    Windows Server 2008 Subscriptions + SolarWinds Log Forwarder for Windows + Syslog-ng

      Dear members,

      I had configured a Windows Server 2008 R2 64bit Event Subscription.
      http://www.sysadminlab.net/windows/forward-event-log-from-several-server-to-a-central-windows-2008-server


      I use SolarWinds Log Forwarder for Windows. I added an EventLogSubscription "ForwardedEvents" and a SyslogServer. My syslog server is Syslog-NG. My syslog-ng server timestamps and encrypts the logs and forwards them to a syslog analyser.


      The problem:

      I receive the following log on syslog-ng:


      Feb  8 09:10:59 10.254.204.66 févr.: 08 09:07:30 HUNSVDC001 MSWinEventLog       5       Security        239     mar. févr. 08 09:06:02 2011     673     Security      S-1-5-18        N/A     Audit Success   HUNSVDC001      9       Service Ticket Request:

              User Name:              user

              User Domain:            domain

              Service Name:           HUNSLW3P11$

              Service ID:             %{S-1-5-21-1291854300-800608146-227697207-64185}

              Ticket Options:         0x40810000

              Ticket Encryption Type: 0x17

              Client Address:         10.254.204.42

              Failure Code:           -

              Logon GUID:             {2b5b358a-bfcf-6428-1f0b-6c326d370511}

              Transited Services:     -

      Feb  8 09:10:59 10.254.204.66 févr.: 08 09:07:30 HUNSVDC001 MSWinEventLog       5       Security        240     mar. févr. 08 09:06:03 2011     673     Security      S-1-5-18        N/A     Audit Success   HUNSVDC001      9       Service Ticket Request:

              User Name:              user

              User Domain:            domain

              Service Name:           HUNSVDC002$

              Service ID:             %{S-1-5-21-1291854300-800608146-227697207-60176}

              Ticket Options:         0x40810000

              Ticket Encryption Type: 0x17

              Client Address:         10.254.204.42

              Failure Code:           -

              Logon GUID:             {82fc095e-e762-cd2d-ecdb-2cd1ec0804ab}

              Transited Services:     -

      I receive all events as 10.254.204.66 and not as HUNSVDC001 or HUNSVDC00 or another valid source host.

      How can I configure the SolarWinds Log Forwarder for Windows software to forward the event?


      My configuration:

      <?xml version="1.0" encoding="utf-8"?>

      <LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="1.1.13">

        <EventLogSubscriptions>

          <EventLogSubscription>

            <channels>

              <string>ForwardedEvents</string>

            </channels>

            <types>

              <int>1</int>

              <int>2</int>

              <int>4</int>

            </types>

            <sources />

            <eventIDs />

            <categories />

            <keywords />

            <users />

            <computers />

            <facility>13</facility>

            <enabled>true</enabled>

            <name>New Event Log Subscription</name>

            <description>Forwardedevents</description>

          </EventLogSubscription>

        </EventLogSubscriptions>

        <SyslogServers>

          <SyslogServer>

            <serverName>New Syslog Server</serverName>

            <IPAddress>10.254.204.47</IPAddress>

            <Port>514</Port>

            <enabled>true</enabled>

          </SyslogServer>

        </SyslogServers>

        <DebugMode>false</DebugMode>

      </LogForwarderSettings>
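As an added example (not part of the post, and not SolarWinds or syslog-ng code): a small Python parser for the relayed line shown above. It assumes the tab-separated body follows the Snare "MSWinEventLog" field order, uses a constructed sample line with the tabs restored, recovers the computer name carried inside the event, and flags the attribution loss described in the post, where the syslog HOST is the collector's IP rather than the event's own machine.

```python
import re
from typing import Optional

# Assumed field order of the tab-separated "MSWinEventLog" body (Snare layout;
# the forwarder output quoted in the post lines up with it).
SNARE_FIELDS = ("criticality", "source_name", "counter", "event_time",
                "event_id", "source_name2", "user", "sid_type",
                "event_log_type", "computer", "category", "data")

# Relay line as syslog-ng wrote it: its timestamp and HOST (the collector's IP),
# the forwarder's locale-dependent date, the collector's name, the tag, the body.
_LINE = re.compile(
    r"^[A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<relay_host>\S+) "
    r".*?(?P<collector>\S+) MSWinEventLog\t(?P<body>.*)$", re.S)

# Constructed sample mirroring the first record in the post (tabs restored).
SAMPLE = ("Feb  8 09:10:59 10.254.204.66 févr.: 08 09:07:30 HUNSVDC001 MSWinEventLog\t"
          "5\tSecurity\t239\tmar. févr. 08 09:06:02 2011\t673\tSecurity\tS-1-5-18\t"
          "N/A\tAudit Success\tHUNSVDC001\t9\tService Ticket Request: User Name: user "
          "Service Name: HUNSLW3P11$ Client Address: 10.254.204.42")

def parse_forwarded_event(line: str) -> Optional[dict]:
    """Split a relayed line into its hops and event fields; None if not this format."""
    m = _LINE.match(line)
    if m is None:
        return None
    fields = m.group("body").split("\t")
    if len(fields) < len(SNARE_FIELDS):
        return None
    ev = dict(zip(SNARE_FIELDS, fields))  # trailing extras (e.g. a checksum) are ignored
    return {
        "relay_host": m.group("relay_host"),     # HOST as syslog-ng recorded it
        "collector_host": m.group("collector"),  # machine running the forwarder
        "origin_host": ev["computer"],           # computer named inside the event
        "event_id": int(ev["event_id"]),
        "event_log_type": ev["event_log_type"],
        "data": ev["data"].strip(),
        # True when the syslog HOST no longer names the event's own computer
        "host_rewritten": m.group("relay_host") != ev["computer"],
    }

def restamp_host(line: str) -> str:
    """Re-emit the line with the event's computer as syslog HOST (what a syslog-ng
    rewrite rule on the relay would do); lines that do not parse pass through."""
    m = _LINE.match(line)
    ev = parse_forwarded_event(line)
    if m is None or ev is None:
        return line
    return line[:m.start("relay_host")] + ev["origin_host"] + line[m.end("relay_host"):]
```

Run over real relay output, any event with `host_rewritten` true is one whose syslog HOST can no longer be trusted for attribution without looking inside the message.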