logwatch 'windows' service

hattori.hanzo · 11-15-2008, 06:30 AM

I got a centralized syslog box (centos 5, syslog-ng) setup and have added some syslog feeds (via evtsys.exe from purdue university) from windows servers.

Code:

[hh@box1 conf]$ sudo logwatch --logfile /var/log/HOSTS/aaa.bbb.ccc.ddd/2008/10/15/windows --debug medium --service windows
Logwatch is not configured to use logfile: /var/log/hosts/aaa.bbb.ccc.ddd/2008/10/15/windows

I keep getting an error messaging saying logwatch is not configured to use the logfile. Is their anything special which needs to be configured for logwatch to process windows syslog events? I checked the logwatch 'services' directory and can see the 'windows' perl script and also the window.conf is on the box.

Logwatch processes all my other logs without issues or configuration.

regards

unSpawn · 11-15-2008, 06:35 AM

Check windows.conf for the right names slash globbing?

hattori.hanzo · 11-15-2008, 07:30 AM

Thanks. I got logwatch to parse the files. Looks like logwatch doesnt like directories named as 'all caps' in the path to the log files.

Unfortuantely, the logwatch report doesnt not make sense. Looks like the parsing did not like the format of the windows syslog file.

I am using syslog-ng, I wonder if this could be a problem.

edit: looks like this format is required:

Quote:

($month, $day, $time, $host, $process, $eventid, $msg) = split(/\s+/, $line, 7);

regards,

cmnorton · 12-29-2008, 09:54 AM

I found some interesting links relating to this topic:

http://lists.sans.org/pipermail/unis...ly/026571.html
http://lists.sans.org/pipermail/unis...ly/026572.html

hattori.hanzo · 12-30-2008, 07:35 PM

Thanks. Those are good alternatives.