Logging, Syslog and Log Analysis Forums
March 11, 2010, 06:54:16 pm
 1 
 on: March 09, 2010, 07:14:43 am 
Started by scusting - Last post by balabit
Hi, what you are looking for is using wildcards in the filename (http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html#configuring_sources_file), but this feature is currently available only in the commercial syslog-ng Premium Edition.

 2 
 on: March 07, 2010, 01:41:34 pm 
Started by longbowman - Last post by Admin
Just to clarify - you have set the windows audit policy to monitor file & folder activity, and you see the results in eventlog, but those logs are not being passed to snare?

I suspect Snare may not be set to capture those.  I wonder if ntsyslog would?

 3 
 on: March 07, 2010, 01:16:09 pm 
Started by longbowman - Last post by longbowman
We are trying to use SNARE for Windows to send events to a Syslog server. The problem seems to be that SNARE is not grabbing file/folder activity. We have it set to capture these and these events do show in the Windows Event log, but SNARE is not showing any activity. I am using SNARE 3.1.3 and have tried 3.1.7 but still no luck.
Anyone have any success with this? Perhaps there is a different Event capture utility to try?

 4 
 on: February 28, 2010, 04:14:26 pm 
Started by capricorn80 - Last post by capricorn80
Thanks a lot for your help. Let me test few things and I will come back with my question later.

 5 
 on: February 28, 2010, 03:43:49 pm 
Started by capricorn80 - Last post by Admin
Ok, I am happy to help you.  Can you explain more of what you want to do?  I am sorry, but I do not understand.

 6 
 on: February 28, 2010, 03:39:08 pm 
Started by capricorn80 - Last post by capricorn80
I guess by using the match pattern ...

 7 
 on: February 28, 2010, 03:03:40 pm 
Started by capricorn80 - Last post by capricorn80
Ok. I was thinking: what information can I get out of /var/log/messages?

 8 
 on: February 28, 2010, 02:50:22 pm 
Started by capricorn80 - Last post by Admin
First, let's clean it up to only what you're using:

Code:
options {
    # needed so the $YEAR.$MONTH.$DAY/$HOST directories get created on demand
    create_dirs (yes);
};

source s_local {
    # local syslog socket plus syslog-ng's own internal messages
    unix-stream ("/dev/log");
    internal();
};

# severity info and above
filter f_info { level(info..emerg); };
# only the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

destination d_network {
    file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

# several filter() references in one log statement are ANDed together
log { source(s_local); filter(f_auth); filter(f_info); destination(d_network); };

Assuming that does what you want, the filter can be consolidated, or it can be left as it is.
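
The consolidated form mentioned above, as an added example that is not one of the posts in this thread: the two filters are joined into a single filter with `and`, which behaves the same as chaining `filter(f_auth); filter(f_info);` in the log statement, so only auth/authpriv messages at info or above land in the per-day, per-host file. The path and filter names follow the configuration quoted in this thread.

```conf
@version: 3.0

options {
    # the destination path contains date and host directories, so they
    # must be created on demand
    create_dirs (yes);
};

source s_local {
    unix-stream ("/dev/log");
    internal();
};

# One filter instead of f_auth + f_info: facility AND severity in a single
# expression. Keeping auth/authpriv separate from the rest makes login
# failures and sudo activity easy to find per host and per day.
filter f_auth_info {
    facility(auth, authpriv) and level(info..emerg);
};

destination d_network {
    file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

log { source(s_local); filter(f_auth_info); destination(d_network); };
```

After changing the file, run `syslog-ng -s` to syntax-check it before reloading the daemon.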

 9 
 on: February 28, 2010, 01:05:57 pm 
Started by capricorn80 - Last post by capricorn80
Yes, the first post is the complete file.

 10 
 on: February 28, 2010, 01:05:16 pm 
Started by capricorn80 - Last post by capricorn80
@version: 3.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#

options {
   create_dirs (yes);

};

######
# sources
source s_local {
# message generated by Syslog-NG
          unix-stream ("/dev/log");
          internal();

};


######
# destinations
#destination d_mesg  { file("/var/log/messages"); };
destination d_auth  { file("/var/log/secure"); };



# Level Filters
filter f_info { level(info..emerg); };
filter f_note { level(notice..emerg); };
filter f_warn { level(warn..emerg); };
filter f_errs { level(err..emerg); };
filter f_emer { level(emerg); };


#########################

# Facility Filters
filter f_auth { facility(auth, authpriv) and filter(M_auth); };
#filter f_logs { facility(syslog); };



destination d_network {
          file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

###############
log { source(s_local); filter(f_auth); filter(f_info); destination(d_network);  };
#log { source(s_local); filter(f_logs); filter(f_note); destination(d_mesg);  };
#log { source(s_local); filter(f_ssh); filter(f_info); destination(d_hosts);  };

#log {
#source(s_local);
#destination(d_network);
#};
