Syslog in 2.2.10

Started by hoover30, November 02, 2018, 05:07:32 PM


hoover30

I am new to NetXMS. After installing NetXMS 2.2.10, I have noticed that EnableSyslogDaemon is not in the system configuration. According to the forum, https://www.netxms.org/forum/configuration/syslog-basics/, in order to use the syslog server EnableSyslogDaemon needs to be set to 1.
I have a parser.xml file on the client. Upon running nxagent.exe -c <path to nxgentd.conf> -D 9 I am able to see the logwatch.nsm subagent start successfully; however, I am not seeing any syslog messages populate into the server. In the nxagent.conf I have *LOGWATCH with parser=<path to parser.xml> at the bottom of the nxgentd.conf file. Below is the parser configuration file. I do not have a parser file created on the server. There was a firewall rule created at the installation of the server. I have enabled EnableSyslogReceiver and restarted the NetXMSCore service. Is there any additional configuration that needs to be completed to be able to see syslog from the Windows event log in the NetXMS Syslog view? I want to be able to view Windows event logs in NetXMS Syslog. Any assistance will be highly appreciated.

gdodd

I am fairly certain you will need a third party utility to send Windows Event logs to NetXMS in syslog format.

Here is my understanding of the two parsers.

On the agent, the parser (which is the *LOGWATCH) will look at the configured log and send a message for the server to create a NetXMS Event (as in, the events configured under Configuration/Event Configuration). You will not see this under Monitor/Syslog as the message is not syslog. You would see this under Monitor/Events. In other words, *LOGWATCH does not generate syslog messages, it generates NetXMS Events.

On the server, the Syslog Parser will parse incoming syslog messages (which again, are not related to the above parser) and create a NetXMS event based on the criteria.


Tursiops

As gdodd said, you will need a tool like https://nxlog.co/products/nxlog-community-edition to forward Windows Event Log messages to a syslog server, as Windows Events and syslog (which is used on pretty much anything but Windows) are completely different formats.

Depending on what you want to do, using Logwatch may be sufficient.
The NetXMS agent monitors the Event Log for specific messages. Once such a message is found, the agent triggers a NetXMS Event on the NetXMS server.
Those events can then be processed via NetXMS Event Processing Policies for alerting or actions.
For our use case, Logwatch is all we need (i.e. we're not using nxlog or any other tool like it).

But if you really want/need to forward every log message from a Windows server to a centralised syslog server for storage/processing, you'll have to use a third party tool like the one mentioned.
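The format gap the two replies describe, shown as an added example (not code from the thread or from NetXMS or nxlog): a constructed Windows Event Log record is rendered into the RFC 3164 syslog line a forwarder must produce before a syslog receiver can store it, and the receiver side decodes the PRI field back into facility and severity. Field names, the `EventLog` tag and the level-to-severity mapping are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample Windows Event Log record (not real data): the fields a
# forwarder such as nxlog reads before it can emit a syslog line.
SAMPLE_EVENT = {
    "channel": "Security",
    "event_id": 4625,
    "level": "Error",
    "source": "Microsoft-Windows-Security-Auditing",
    "computer": "WS01",
    "message": "An account failed to log on.",
}

# Assumed mapping from Windows event levels to syslog severity codes.
LEVEL_TO_SEVERITY = {"Critical": 2, "Error": 3, "Warning": 4, "Information": 6, "Verbose": 7}
FACILITY_USER = 1  # syslog facility "user"

def windows_event_to_syslog(ev, ts):
    """Render a Windows event as an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = FACILITY_USER * 8 + LEVEL_TO_SEVERITY[ev["level"]]
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with a space-padded day.
    timestamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    msg = f"{ev['channel']} EventID={ev['event_id']} Source={ev['source']} {ev['message']}"
    return f"<{pri}>{timestamp} {ev['computer']} EventLog: {msg}"

_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")

def parse_syslog_line(line):
    """Decode a syslog line as a receiver would; PRI is split into facility and severity."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    event_id = re.search(r"EventID=(\d+)", m.group(5))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group(3),
        "tag": m.group(4),
        "event_id": int(event_id.group(1)) if event_id else None,
        "msg": m.group(5),
    }

if __name__ == "__main__":
    line = windows_event_to_syslog(SAMPLE_EVENT, datetime(2018, 11, 2, 17, 7, 32))
    print(line)
    print(parse_syslog_line(line))
```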