The syslog-ng Windows Event Collector (WEC) receives Windows event log messages in XML format and forwards them to the syslog-ng Premium Edition (PE) server.
Because the XML payload is not in syslog format, syslog-ng PE does not parse the incoming message as syslog: it stores the whole XML document in the message part and generates a new syslog header for it.
The generated header carries the time of reception as the timestamp and the syslog-ng WEC host as the sender host, so the HOST field no longer identifies the Windows machine that produced the event.
Syslog-ng PE then parses the XML message into key-value pairs.
The name of the originating Windows host is parsed into the .PREFIX.Event.System.Computer key, where PREFIX is "windowsevent" by default.
The prefix can be changed with the prefix() option of the windowsevent() source.
Both solutions below use that key to restore the original host name in the log message.
The first solution adds a rewrite rule to the log path that overwrites the HOST macro with the parsed Computer value.
rewrite r_hostname_wec {
    set("${.windowsevent.Event.System.Computer}", value("HOST"));
};

log {
    source(s_wec);
    rewrite(r_hostname_wec);
    destination(d_syslogsrv);
};
The second solution configures a template for the remote destination that includes the Computer key explicitly, for example a JSON-formatted message part sent over the IETF syslog protocol.
template t_wec {
    template("${ISODATE} ${.windowsevent.Event.System.Computer} $(format-json --scope dot-nv-pairs)\n");
};

destination d_remotesrv {
    syslog("10.10.10.10" template(t_wec));
};
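The following syslog-ng PE configuration is an added example that combines both solutions end to end; it is not taken from the original article. It assumes a windowsevent() source with the default ".windowsevent." prefix, a remote syslog server at the constructed address 10.10.10.10 listening on TCP port 601, and a syslog-ng PE version that supports condition() inside set(); the condition keeps the WEC host name when an event has no Computer element, so that the HOST field is never silently emptied.

```conf
# Added example: complete log path that restores the original Windows host.
# Adjust the @version line to the installed syslog-ng PE release.
@version: 7.0

# Windows events arriving from the syslog-ng WEC, parsed into .windowsevent.* keys.
source s_wec {
    windowsevent(prefix(".windowsevent."));
};

# Solution 1: overwrite HOST with the originating Windows computer name.
# The condition() is an assumption about the PE version in use; it skips the
# rewrite when the Computer key is empty, so HOST falls back to the WEC host.
rewrite r_hostname_wec {
    set("${.windowsevent.Event.System.Computer}"
        value("HOST")
        condition("${.windowsevent.Event.System.Computer}" ne ""));
};

# Solution 2: carry the original host explicitly in a JSON message part,
# so downstream collectors do not depend on the syslog header alone.
template t_wec {
    template("${ISODATE} ${.windowsevent.Event.System.Computer} $(format-json --scope dot-nv-pairs)\n");
};

# Remote IETF syslog destination (constructed address and port).
destination d_remotesrv {
    syslog("10.10.10.10" port(601) transport("tcp") template(t_wec));
};

# The rewrite must precede the destination so the IETF header of the
# forwarded message already contains the corrected HOST value.
log {
    source(s_wec);
    rewrite(r_hostname_wec);
    destination(d_remotesrv);
};
```

With both pieces in place, the forwarded message identifies the Windows machine twice: once in the syslog header (HOST) for tools that key on the header, and once in the JSON body for tools that parse the message part. Verifying the result is a matter of sending a test event through the WEC and checking on the remote server that the HOST field is the Windows computer name rather than the WEC host name.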
© 2025 One Identity LLC. All rights reserved.