Event Console message processing

Hello,

I have a small isue with the Event Console I can not explain…

I have 2 servers (1 ubuntu, 1 windows) both configures to send events from a custom logfile using port 514 to send events strait to the EC.

As I test I use these 2 echo commands:
echo "$(date +’%b %d %T’) $(hostname) Testapp: 504 — received a Error " >> /var/log/test.log on ubuntu
and
echo Jan 10 09:53 ns02ett20904a Testapp: 504 - received a Error >> c:/Logs/app.log on windows.

Now, I would expect to see both messages in the same way on the EC, but what I see is:
Host Rule Application Message Last Cnt.
ns02lbs20904a E504 Testapp 504 — received a Error (for the ubuntu machine)
and
E504 Testapp Jan 10 09:53 ns02ett20904a Testapp: 504 - received a Error

So the hostname is not extracted from the windows event. Sending with of without quotes in windows makes no difference.

I do use nxlog on windows to do the actual sending…

Anyone seen this before?
Should I be using the event log monitor and forward those event to the EC in stead for windows machines?

Thanx for reading and hopefully helping

Michiel

Well, took some time but managed to resolve this myself… so for anyone who might run into this issue:

Turns out that even syslogs have several formats. Check_Mk seems to like the BSD format and after wrestling with config files and dumping tcp input from 514, I manged to configure NXLog to use function to_syslog_bsd();. After restarting the windows NXLog service, things started working.

Not sure if allowed, but worth a read
Some good syslog info: Syslog Tutorial: How It Works, Examples, Best Practices, and More – Stackify
NXLog bsd info: https://nxlog.co/documentation/nxlog-user-guide/xm_syslog.html

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact @fayepal if you think this should be re-opened.