14.6.2 Configuring the Syslog Client

Start another instance of Ascolog Insight. This instance will be used as the syslog client, which converts Microsoft Windows® event log records to the syslog format and sends them to the syslog server. You have to load the eventlog2syslog layout. The file “eventlog2syslog_service.xml” is located in the “eventlog” folder, which is a sub-folder of the “LAYOUTS” folder. A dialog box as shown in figure Service layout warning might appear, informing you that the eventlog2syslog layout is not recommended for normal operation. You can confirm the dialog by pressing the OK button.

Service layout warning

In the eventlog2syslog layout the custom columns definition should already be correctly configured. More information about custom columns definition can be found in the chapter Custom Columns Definitions. In order to check or correct these settings open the Custom Columns Definition editor and modify the layout's custom columns definition (menu Tools, command Custom Columns Definition...). In the editor go to the Edit menu and select Defines... to open the Defines dialog. By default the eventlog2syslog layout's defines should be configured as shown in example Define settings.

USE_BASE_MACROS=1
USE_ALL_MACROS=0
USE_FULLROW_COLUMN=1
USE_UID_COLUMN=1
USE_NEWDATA_COLUMN=0
USE_SYSLOG_COLUMNS=1
USE_NEWREC_COLUMN=1

Define settings

You must also add the custom columns definition files shown in example Required custom columns definition files to the layout's main custom column definition file (“eventlog.cdf” by default) by using the #include directive. The define settings above ensure that the columns (e.g. the syslog columns) and commands (e.g. the commands which convert some event log columns to syslog columns) that those included files provide are actually enabled.

#include <basemacros.cdf>
#include <basecolumns.cdf>
#include <eventlog_basecolumns.cdf>
#include <eventlog_syslog.cdf>

Required custom columns definition files

The “eventlog_syslog.cdf” file is listed in example "eventlog_syslog.cdf" file. It converts the information of event log columns (e.g. TYPE) to the format expected by syslog (e.g. SYSLOG_PRI).

#pragma once

#if USE_SYSLOG_COLUMNS == 1

#include <basemacros.cdf>

// 0 Emergency: system is unusable
// 1 Alert: action must be taken immediately
// 2 Critical: critical conditions
// 3 Error: error conditions
// 4 Warning: warning conditions
// 5 Notice: normal but significant condition
// 6 Informational: informational messages
// 7 Debug: debug-level messages
SYSLOG_PRI = add("128", map(TYPE, "0", "Information", "6", "Warning", "4", "Error", "3"));

SYSLOG_TIMESTAMP = fmt("%sT%s.%sZ",
    xtr(ISO_TIMESTAMP, "", "[^ ]+", ""),
    xtc(ISO_TIMESTAMP, " ", "[^,]+", ""),
    xtc(ISO_TIMESTAMP, ",", ".+", ""));

SYSLOG_APPNAME = rpl(_SOURCE, "\"", "", "[^a-zA-Z0-9_]", "_");

#endif

"eventlog_syslog.cdf" file
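As an added example (it is not part of the manual and not Ascolog code), the following Python script reproduces the three transformations of “eventlog_syslog.cdf” so that the mapping can be checked against constructed event log records before anything is sent to a syslog server. The column names TYPE, ISO_TIMESTAMP and _SOURCE are taken from the layout; the column names EVENT_ID and MESSAGE, the RFC 5424 header layout, the sample records, the hostname and the reading of the “0” right after TYPE in map() as its default value are assumptions of this example.

```python
"""Reproduce the eventlog_syslog.cdf transformations (added example, not Ascolog code)."""
import re
import socket

# add("128", ...): 128 = facility local0 (16) * 8, the facility every record is tagged with.
FACILITY_LOCAL0 = 16

# map(TYPE, "0", "Information", "6", "Warning", "4", "Error", "3")
# Assumption: the "0" right after TYPE is the default for values that match no pair.
SEVERITY_BY_TYPE = {"Information": 6, "Warning": 4, "Error": 3}
DEFAULT_SEVERITY = 0  # 0 = Emergency, see the severity table in the .cdf


def syslog_pri(event_type: str) -> int:
    """PRI = facility * 8 + severity, the value the layout stores in SYSLOG_PRI."""
    return FACILITY_LOCAL0 * 8 + SEVERITY_BY_TYPE.get(event_type, DEFAULT_SEVERITY)


def decode_pri(pri: int) -> tuple:
    """Split a PRI back into (facility, severity) to verify what the receiver will see."""
    return pri // 8, pri % 8


def syslog_timestamp(iso_timestamp: str) -> str:
    """fmt("%sT%s.%sZ", date, time, millis): 'YYYY-MM-DD HH:MM:SS,mmm' -> 'YYYY-MM-DDTHH:MM:SS.mmmZ'.

    The three xtr/xtc calls split on the first space and on the comma; the same
    split is done here with one regular expression. 'Z' is appended without any
    conversion, so the result is only correct if ISO_TIMESTAMP is already UTC.
    """
    m = re.fullmatch(r"(\S+) ([^,]+),(.+)", iso_timestamp)
    if m is None:
        raise ValueError(f"unexpected ISO_TIMESTAMP format: {iso_timestamp!r}")
    date, time, millis = m.groups()
    return f"{date}T{time}.{millis}Z"


def syslog_appname(source: str) -> str:
    """rpl(_SOURCE, "\"", "", "[^a-zA-Z0-9_]", "_"): drop double quotes, then
    replace every character outside [a-zA-Z0-9_] with '_' so the value is a
    single safe token in the syslog header."""
    return re.sub(r"[^a-zA-Z0-9_]", "_", source.replace('"', ""))


def build_message(record: dict, hostname: str) -> str:
    """Assemble one syslog line.

    Assumption: an RFC 5424 header (<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID
    MSGID STRUCTURED-DATA MSG); the manual does not show the column order of
    the SYSLOG record definition. EVENT_ID and MESSAGE are assumed column names.
    """
    return (
        f"<{syslog_pri(record['TYPE'])}>1 "
        f"{syslog_timestamp(record['ISO_TIMESTAMP'])} "
        f"{hostname} {syslog_appname(record['_SOURCE'])} - "
        f"{record.get('EVENT_ID', '-')} - {record['MESSAGE']}"
    )


def convert_all(records, hostname: str) -> list:
    """Convert a batch of event log records to syslog lines."""
    return [build_message(r, hostname) for r in records]


def send_udp(lines, address: str = "127.0.0.1:514") -> int:
    """Send lines over UDP to the address from the [SYSLOG_SENDER] section of syslog.ini.
    Returns the number of datagrams sent. Not called by the self-test below."""
    host, port = address.rsplit(":", 1)
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, int(port)))
            sent += 1
    return sent


# Constructed sample records, not captured from a real host.
SAMPLE_RECORDS = [
    {"TYPE": "Information", "ISO_TIMESTAMP": "2024-01-15 10:23:45,123",
     "_SOURCE": '"Microsoft-Windows-Security-Auditing"', "EVENT_ID": "4624",
     "MESSAGE": "An account was successfully logged on."},
    {"TYPE": "Error", "ISO_TIMESTAMP": "2024-01-15 10:24:02,007",
     "_SOURCE": "Service Control Manager", "EVENT_ID": "7034",
     "MESSAGE": "A service terminated unexpectedly."},
    {"TYPE": "Audit Failure", "ISO_TIMESTAMP": "2024-01-15 10:24:30,500",
     "_SOURCE": "Microsoft-Windows-Security-Auditing", "EVENT_ID": "4625",
     "MESSAGE": "An account failed to log on."},
]

if __name__ == "__main__":
    for line in convert_all(SAMPLE_RECORDS, "ws01"):
        facility, severity = decode_pri(int(line[1:line.index(">")]))
        print(f"facility={facility} severity={severity}  {line}")
```

Two things the script makes visible that the .cdf alone does not: the constant 128 is facility local0 (16) times 8, so every forwarded record arrives as local0.<severity> and can be routed by facility on the receiver; and any TYPE value outside Information, Warning and Error falls through to severity 0 (Emergency) under the assumed reading of map(), which is worth checking if sourcename in “eventlog.ini” is pointed at a log whose records carry other type values. The timestamp rewrite appends Z without converting, so it is only correct if ISO_TIMESTAMP is already in UTC.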

Besides the configuration settings you also have to schedule the search, refresh and convert tasks. In the eventlog2syslog layout they should already be scheduled in the appropriate way. However, if they are not, you must schedule them yourself. Open the Tools menu and configure the tasks as shown in the Scheduled Tasks dialog in figure Scheduled Tasks dialog for eventlog2syslog layout. The “.” refers to the data folder of Ascolog Insight. How to schedule tasks is described in detail in 9 Task Scheduling.

The refresh task is configured directly in the Scheduled Tasks dialog (check boxes at the bottom). The configuration of the search task is somewhat more complex. Select the search task and press the Edit button. This opens the Schedule Find in Files dialog. In this dialog you must specify the path to the “eventlog.ini” file in the Look In field.

Scheduled Tasks dialog for eventlog2syslog layout

Then select the convert task and press Edit to open the Schedule Convert Logfile dialog shown in figure Schedule Convert Logfile dialog. In the File name edit control you must specify the location of the “syslog.ini” file, because the syslog server is the destination of the conversion. The Encoding field must be set to SYSLOG. The Record definition defines which columns will be sent to the syslog server. Remember that the conversion of event log information to syslog information is done in the custom columns definition (see example "eventlog_syslog.cdf" file). The convert task's configuration is also available as a persistent record definition named SYSLOG.

Schedule Convert Logfile dialog

The syslog client is now ready to use, because the eventlog2syslog layout and the default “eventlog.ini” and “syslog.ini” already provide the right settings for a localhost installation. Example "Syslog.ini" file which configures the client/sender shows the default settings for the syslog client (section SYSLOG_SENDER). The client will send syslog messages to port 514 of the localhost (address 127.0.0.1:514).

[SYSLOG_SENDER]
address = 127.0.0.1:514
send_delay = 0

"Syslog.ini" file which configures the client/sender

If you are running the server and the client on the same computer, as in the sample of this chapter, you will have only one “syslog.ini” file, which configures both the syslog client and the syslog server but in different sections (SYSLOG_SENDER and SYSLOG_RECEIVER respectively). If you are running the syslog server and the syslog client on two different computers, you have to configure two different “syslog.ini” files, one on each computer.

The “eventlog.ini” file specifies how to access the local event logs. The default settings are shown in example "Eventlog.ini" file which configures how to access the event logs.

[EVENTLOG]
sourcename = Application
; sourcename = System
max_records = 1000

"Eventlog.ini" file which configures how to access the event logs

Once the scheduled tasks are correctly configured, enable them if they are not enabled yet. Open the Tools menu and select Enable Scheduled Tasks. Task scheduling is enabled if the Enable Scheduled Tasks command is displayed in a light gray font.

If everything is correct, the path to the “eventlog.ini” file is displayed in the Files window and its status is Loaded.