Syslog daemon for Windows Eventlog

I get more than one log for each event

1:20 18 Sep '08

Open up a DOS prompt and type something like: `> c:\windows\microsoft.net\framework\v2.0.50727\installutil.exe Syslogd.exe` The version of the path depends on your active/installed .NET framework.
Sign In·View Thread·PermaLink

syslogd

zagnut

20:09 24 Apr '08

Hi, Thanks for posting this work. I was also looking for a tool to use with my OpenWrt firmware. Works great. Nate
Sign In·View Thread·PermaLink

wyx2000

14:52 18 Oct '07

mail error <19>Sent: Queue-ID: 4717f13d-000ad48f, Recipient: , Result: delivered, Status: 2.0.0 mail info <22>Sent: Queue-ID: 4717f13d-000ad48f, Recipient: , Result: delivered, Status: 2.0.0 mail error <19>Sent: Queue-ID: 4717f13d-000ad48f, Recipient: , Result: delivered, Status: 2.0.0
Sign In·View Thread·PermaLink

Re: I get more than one log for each event

any idea how to ge host name and timestamp?

1:39 19 Oct '07

Maybe your source is sending events more than 1 time..... The syslog program has no error, as far as I know
Sign In·View Thread·PermaLink

wyx2000

14:30 18 Oct '07

..
Sign In·View Thread·PermaLink

Re: any idea how to ge host name and timestamp?

1:55 19 Oct '07

Everytime an event is logged, you have a great timestamp!!!

On the hostname thing, you could use something as:

using System.Net;
....
string strIpAddress = ((IPEndPoint)endPoint).Address.ToString();
IPAddress hostIPAddress = IPAddress.Parse(strIpAddress);
IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);
string strHostName = hostInfo.HostName.ToString();
....

Did not test it, but it should work.

syslogs....

2:21 17 Jul '07

hi there,

i am making an event management tool in C#.

my project consiste of three phases i.e. evnt mgmt for windows cisco n linux. im already over with the windows part. Now i want to extend dis tool for cisco and linux i.e. syslogs.

but i m just not able to do that. i saw ur code of syslog daemon...and found that it can help me.
but der is a problem.

C i am directing the logs from a cisco switch to my syslog server. there i even installed the syslog service.

After that in the event viewer i have new category of events ....syslogs.

In this there are logs but htey contain dis msg in all of dem..."local3.error %PIX-3-305005: No translation group found for udp src"..i am jus not gettin how to proceed....n how ur program can help me.

please kindly guide me................i'l b highly greatful to you.............!!!

Thanks in advance....!!!

ankita

3:04 17 Jul '07

Hello Ankita,

Thanks for asking for help.

I think the syslog program is working correctly.
If there is a syslogs eventlog queue, which contains these
'local3.error' messages, everything is working fine.

Your your router / firewall NAT service on your Cisco is telling you, there is something you should take care of! This is the solely purpose of the syslog system.

Google on '%PIX-3-305005: No translation group found for udp src' to find some answers on these messages coming from your Cisco.

If it is directly related to the syslog protocol itself, you have to add some firewall rules for UDP port 514.

But i'm no expert on Cisco routers, I'm sorry.

Good luck.

-Alphons.

3:33 17 Jul '07

hi...
thx for the reply. but its like...i installed ur demo project.

syslogd ws installed as a sevice.

but when it went to the application that is syslogd.cs...it gave an error..."Only one usage of each socket address (protocol/network address/port) is normally permitted"....what is this now.

although a new event type is created in my windows event viewer syslog...where all d cisco logs are entered...but y dis error. please help

ankita

3:43 17 Jul '07

Hello Ankita, There can only be one Service running on port 514. If there is already a program installed, you have to stop the service, en then (re)install. But this is not related to syslog, it is a socket issue. hope it will help. -Alphons.
Sign In·View Thread·PermaLink

3:49 17 Jul '07

hi alphons...thx 4 such a quick response.... but m really not able to understand. c i hav a cisco pix... and i have a syslog server wid a certain ip 222.222.222.222(say) now i have ur code syslog_src. what do i do to recieve the logs from this cisco pix....??? and how to analyze them....please guide me from the beginnin...m not able to understand anythin..... kindly help... ankita
Sign In·View Thread·PermaLink

4:51 17 Jul '07

Hello again,

The syslogd program is a logging program. It translates UDP packets to Windows event log entries. If it is started, pref. as a service. It listens on port 514 for UDP packets. So compile, or use the demo. And install the syslogd program on your server. I think you have it already running Wink

If a device, lets say a Cisco Pix is able to generate syslog messages, it has to know where to send those messages. So you have to configure, at the Cisco device, to use 222.222.222.222 as the IP number to send its syslog messages.

You started this discussion, saying something like logging "local3.error %PIX-3-305005: No translation group found for udp src" messages. So I think, you already have the program running, and is doing a good job!!!

Analysing the entries, is not a big deal. Only read what the message say, and Google on the message if it is an error.

Hope you will understand the program / syslog system a little bit better now.

-Alphons.

20:47 17 Jul '07

hi...

yes in the cisco device all the logs are directed to this ip 222.222.222.222.
and i am recieving these logs in my server in syslog category.

i unzipped the demo of dis project and installed the install.cmd. after this the syslogd service wass started then i clicked on the syslogd.exe to run the application. When i did so it generated this error .................
"Cannot start the service from command line or debugger. A windows service must be first installed (using installutil.exe)and then started with the server explorer, Windows service administrative tool or the net start command"
and when i compile it, it generates this error.."Only one usage of each socket address (protocol/network address/port) is normally permitted"...

I am not able to understand why dis error is generated.

The other thing inspite of the code generating error..the logs are logged in syslog....with the proper event types. for example th debug type is converted to information...notification is also converted to information all dis is done. y is dis happenin then?

kindly guide...

sorry 4 the trouble....!!

ankita

23:29 17 Jul '07

Hello Ankita,

No trouble at all.

If you ran the install.cmd the service is already started. So you don't have to run syslogd.exe manually. Thats why you are getting the error message. When compiling and running the test program, the same program tries to bind itself to the socket. But because the program already runs (as a service) and is already bind to the socket, you get the other error. Maybe I had to build in some message like: "The program is already running!!".

So again, I think all is working fine now. Just read the entries in the event-log and C what you can do about it, or maybe just have a big smile, because there are no errors logged in syslog... Laugh

have a wonderful day!

-Alphons.

0:17 18 Jul '07

hey alphons...

thx a ton.....!!!

a real big problem is solved for me...actually m on my interns and m developin an event managemnt tool.

i am already over with the windows part and now i have to proceed with the event log monitoring for cisco and linux.

i tested your application with cisco pix....n gr888 it wrks.....!!!

now i just hav to analyse the message part of these logs...and make the database entry accordingly.

now next i would need to track the logs for unix hosts also..
i guess the same code will work for unix hosts also...right??

anyways.....a big thanx to you.......!!!

i actually had no idea how to collect logs for cisco n unix....u wer a big time help to me.....!!

gud day

High memory usage

hyujin

6:06 25 Apr '07

This tool needs 12.132K of Memory Usage?! A little high, compared with explorer.exe that uses almost the same Memory.

Could you remove from every events the part "Zie Help en ondersteuning op http://go.microsoft.com/fwlink/events.asp voor meer informatie."

One question, why my router events always start with 192.168.1.1:3072?
what means the 3072? Is it the Event ID?

Thank you very much,
Will be a excellent help to log the router events.

Re: High memory usage

Re: OnStop doesn't trigger [modified]

13:02 27 Apr '07

Memory Usage? Hey, this is .NET, meaning a "Hello World" console program takes at least 4 MB, so blame Microsoft. Although i agree it eats far to much memory.

The "Zie help en ondersteuning..." part has something to do with the language settings. I think you took the compiled demo, which is compiled using a Dutch OS. Try building our own program using your own OS settings.

The 3072 is the UDP source portnumber of the client which sends the syslog packets. Together with the IP number it is in fact, the Endpoint.

Hope my info will help you.

OnStop doesn't trigger

NRworld

6:01 28 Mar '07

Hi,

I wrote a simple service to write current time to log file when system starts and shutdown
OnStop works when I stop service manually but if system shuts down I don't see any entry in the log. Please help me.


    public partial class Service1 : ServiceBase
    {
        System.IO.StreamWriter file;

        public Service1()
        {
            InitializeComponent();
        }

        protected override void OnStart(string[] args)
        {
            DateTime dt = DateTime.Now;
            file = new StreamWriter(new FileStream("F:\\ServiceTest.log", System.IO.FileMode.Append));
            this.file.WriteLine("Starting Service at " + dt.ToString());
            this.file.Flush();
        }
        protected override void OnStop()
        {
            DateTime dt = DateTime.Now;
            this.file.WriteLine("Stopping Service at " + dt.ToString());
            this.file.Flush();
            this.file.Close();
        }