[logs] NT/2K syslog client follow-up

From: H C (keydet89at_private)
Date: Mon Apr 08 2002 - 12:50:37 PDT

    To everyone who responded with input to my original
    post, thanks.  I know for many, the whole idea of why
    you'd want to use syslogging, or which is the server
    and which is the client can be confusing, but I
    appreciate all the responses I received.
    
    As a follow-up, the issue didn't seem to be the
    clients after all, but rather the server.  SL4NT had
    already been installed and was running.  In reviewing
    the configuration, it had been set up to collect
    syslog only from one specific IP address.  Once I
    uninstalled Kiwi (which is a great product that I've
    used before, and seems to be a bit more configurable
    than SL4NT...for example, you can have it email you
    syslog statistics only), and made the necessary config
    changes to SL4NT, things went smoothly.
    
    A couple of lessons that I'll pass on (and if someone
    can correct what I've seen, that would be great):
    
    1.  Each client is different.  I installed
    EventReporter on my workstation, and NTSyslog on
    another system.  This makes for interesting log files,
    as the two have different information in their
    messages.  For example, NTSyslog sends the event ID in
    hex, while EventReporter sends it as a number (528,
    538, etc), but in a different location.
    
    2.  None of the clients I've tried will go through the
    EventLog and send out any current events in syslog
    messages.  Therefore, while the events are sent off of
    the box, they also remain in the local system's
    EventLog.
    
    3.  EventReporter's default polling time is 60
    seconds, which means it doesn't send out entries as
    they arrive.  The polling interval can be reduced, but
    the Win32 API that "watches" for new events doesn't
    really consume a great deal of CPU time.
    
    4.  In order to get what I want with regards to 2 & 3,
    I guess I'm going to have to "roll my own", as it
    were.  ;-)
    
    Again, thanks for everyone's replies.  Once I get
    further into email alerting and parsing, I'll provide
    more info.
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 19:36:03 PDT