[Logwatch] log entries from windows

Systems Administrator sysadmin@sunet.com.au
Tue, 11 Mar 2003 09:29:33 +1100


    It makes me wonder if the Windows log format hasn't done something
slightly differently.  For example, it appears that the Unix log line has a
":" just after the [] bit, whereas Windows doesn't.  There could be a regex
in Logwatch which depends on it being there.  You may want to investigate
that.

    Thanks,

Tim Nelson
Systems Administrator
Sunet Internet
Tel:  +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: sysadmin@sunet.com.au
----- Original Message -----
From: "Lori Homsher" <lhomsher@jjsheeran.com>
To: <logwatch@logwatch.org>
Sent: Tuesday, March 11, 2003 4:03 AM
Subject: [Logwatch] log entries from windows


> I'm trying to setup a script to handle Windows log entries. Can someone
> confirm whether or not I'm moving in the right direction?
>
> Background: I have log entries from 2 hosts -- one is unix (bethany) and
> the other is windows (hyperion). The unix scripts are working fine, but I
> can't get the windows scripts to pick up any data. Seems like my logwatch
> config is only picking up bethany log entries. Do I need to change the
> default logwatch config to get it to recognize other hosts? My
> logwatch.conf says "the default is to report on all log entries,
> regardless
> of its source host". I think I'm missing some basic understanding
> somewhere...
>
> If you'd like more info, here it is:
>
> Here is a sample of my log file showing each host:
>
> Mar 10 10:37:04 hyperion security[failure] 529 NT AUTHORITY\SYSTEM  Logon
> Failure:  Reason:Unknown user name or bad password  User
> Name:lhomsher  Domain:HYPERION  Logon Type:2  Logon
> Process:User32    Authentication Package:Negotiate  Workstation
> Name:HYPERION
> Mar 10 12:29:10 bethany sshd(pam_unix)[10101]: session opened for user
> lhomsher by (uid=0)
>
> Here are the steps I've completed:
> 1. I created a 'security' script in log.d/scripts/services (I also tried a
> 'hyperion' script). The script contains only the following lines:
>    while (defined($ThisLine = <STDIN>)) {
>      push @OtherList,$ThisLine;
>    }
>     print "\n** security script**\n";
>     print @OtherList;
>
> 2. I created a 'security.conf' file in log.d/conf/services.
>
> 3. I'm running logwatch.pl --range today --print and getting the following
> on the new section:
>   --------------------- hyperion - security.conf Begin
> ------------------------
>   ** security script**
>   ---------------------- hyperion - security.conf End
> -------------------------
>
> 4. If I change security.conf to list all services, it lists everything
> EXCEPT the hyperion entries.
>
> Thanks!
> Lori
>
>
> _______________________________________________
> Logwatch mailing list
> Logwatch@logwatch.org
> http://list.logwatch.org/lists/listinfo/logwatch
>
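To make the point in the reply concrete, here is an added example (not code from the thread, and not Logwatch's own parser, which is written in Perl) that runs the two sample lines from Lori's message through a strict syslog pattern requiring `[...]:` and a relaxed one where the colon is optional, and then pulls the event ID and `Key:Value` fields out of the Windows message. The sample lines are reconstructed from the thread; the assumption that Windows fields are separated by two or more spaces is taken from that sample and is not a documented format.

```python
import re

# Sample lines reconstructed from the thread: one Windows line (no ":" after the
# bracketed field) and one Unix line (with it).
SAMPLE_LINES = [
    "Mar 10 10:37:04 hyperion security[failure] 529 NT AUTHORITY\\SYSTEM  Logon "
    "Failure:  Reason:Unknown user name or bad password  User Name:lhomsher  "
    "Domain:HYPERION  Logon Type:2  Logon Process:User32    "
    "Authentication Package:Negotiate  Workstation Name:HYPERION",
    "Mar 10 12:29:10 bethany sshd(pam_unix)[10101]: session opened for user "
    "lhomsher by (uid=0)",
]

# Strict pattern: insists on "[tag]: " exactly as a Unix syslog daemon writes it.
STRICT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[^\s\[]+)\[(?P<tag>[^\]]+)\]: (?P<msg>.*)$"
)

# Relaxed pattern: the bracketed tag and the colon are optional, and any run of
# whitespace may separate the header from the message.
RELAXED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[^\s\[:]+)(?:\[(?P<tag>[^\]]+)\])?:?\s+(?P<msg>.*)$"
)


def parse_line(line, pattern=RELAXED_RE):
    """Return the header fields of one syslog line as a dict, or None if the
    pattern rejects it."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def group_by_host(lines, pattern=RELAXED_RE):
    """Return ({host: [message, ...]}, [lines the pattern rejected]).
    The rejected list is what a report silently drops when its regex is too strict."""
    by_host, rejected = {}, []
    for line in lines:
        rec = parse_line(line, pattern)
        if rec is None:
            rejected.append(line)
            continue
        by_host.setdefault(rec["host"], []).append(rec["msg"])
    return by_host, rejected


def parse_windows_event(msg):
    """Split a Windows event message into event id, account, description and
    Key:Value fields. Assumption: fields are separated by two or more spaces,
    as in the sample line; a 'Key:' with no value is the event description."""
    parts = re.split(r"\s{2,}", msg.strip())
    head = re.match(r"(\d+)\s+(.*)", parts[0])
    event = {
        "event_id": int(head.group(1)) if head else None,
        "account": head.group(2) if head else parts[0],
        "description": None,
        "fields": {},
    }
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if sep and value:
            event["fields"][key.strip()] = value.strip()
        else:
            event["description"] = key.strip()
    return event


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_RE), ("relaxed", RELAXED_RE)):
        hosts, rejected = group_by_host(SAMPLE_LINES, pattern)
        print(f"{name}: hosts={sorted(hosts)} rejected={len(rejected)}")
    win = parse_line(SAMPLE_LINES[0])
    print(parse_windows_event(win["msg"]))
```

With the strict pattern only `bethany` survives and the `hyperion` line lands in the rejected list, which is the symptom described in the thread; the relaxed pattern keeps both. Counting the rejected lines in a report is a cheap way to notice that a new log source is being dropped rather than quietly missing from the summary.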