Converting multi-line log messages from Windows events to single lines on the client side

Hello,

I use syslog-ng PE 6.0.19 on a Windows Server 2016 host to send Windows event logs to a remote syslog-ng server.

The remote syslog-ng server runs the community edition, version 3.5.6, on CentOS 7.

I cannot modify the version of the remote syslog-ng server.

I need to receive the logs from the Windows machine as single lines, for parsing reasons.

I have tried the flags(no-multi-line) option and several other things (https://support.oneidentity.com/fr-fr/syslog-ng-premium-edition/kb/283190/converting-multi-line-logs-messages-from-windows-events-to-single-lines?kblang=en-US) in the server-side configuration, but it doesn't work.

I cannot figure out how to activate a no-multi-line option on the Windows machine for the Windows event logs.

Can you help me?

Best regards,

  • Good morning Vincent,

    Justin VanAusdall here with One Identity support.

    You will want to set flags(no-multi-line) in the destination statement on the Windows host, as converting logs into a single line using flags(no-multi-line) is not available for network sources in the Open Source Edition (OSE). Within the OSE only the file() and pipe() sources support flags(no-multi-line), which is why this is not working.

    Your destination statement on the Windows host should look similar to the following:

    destination d_example {
            syslog(
                    "10.10.10.10"
                    transport("tcp")
                    port(6514)
                    flags(no-multi-line)
            );
    };

    Once done you should have the logs coming into the OSE host as a single line.

    If you have any other questions whatsoever please do not hesitate to reach out.

    Thank you so much, Vincent, and have a great rest of your day!

    Best Regards,
    Justin VanAusdall
    Enterprise Technical Support Advisor
    One Identity

  • Dear Justin,

    Thank you very much for your answer.

    Can you tell me where the configuration files are on the Windows host, so that I can configure the destination?

    Today, I do the configuration following the Windows host administration guide:

    https://support.oneidentity.com/fr-fr/technical-documents/syslog-ng-premium-edition/6.0.14/administrator-guide-for-syslog-ng-agent-for-windows/3#TOPIC-1085235

    Vincent

  • Hello Vincent,

    The syslog-ng Agent for Windows, unfortunately, does not have the ability to flatten multi-line messages before sending the logs.

    Since you are sending Agent -> Syslog-ng server, your best option would be to use the flags(no-multi-line) on the destination on the OSE server.

    If you are writing the Windows logs locally on the OSE server using the file() destination, you would put the option in that destination statement on the OSE server, similar to the following:

    destination d_example {
            file(
                    "/var/log/example.log"
                    create-dirs(yes)
                    flags(no-multi-line)
            );
    };

    If you are sending your logs from the OSE server to another location, you would place the flags(no-multi-line) in that destination statement similar to the following:

    destination d_example {
            syslog(
                    "10.10.10.10"
                    transport("tcp")
                    port(6514)
                    flags(no-multi-line)
            );
    };

    Hopefully this helps to get this working for you; if you continue to have issues, let us know, as we would be more than happy to assist further.

    Best Regards,
    Justin VanAusdall
    Enterprise Technical Support Advisor
    One Identity

  • Dear Justin,

    I have tried this solution server-side and it doesn't work.

    Here is my configuration:

    source s_windows_test {
        network(
            ip(%%server_host%%) port(6514) max_connections(500)
            transport("tls")
            tls( %%mutual authentication configuration%% )
        );
    };
    
    destination d_windows_facility {
        file("/var/log/$HOST/$FACILITY.log"
            owner("splunk")
            group("root")
            perm(0460)
            create_dirs(yes)
            dir_owner("splunk")
            dir_group("root")
            dir_perm(0570)
            flags(no-multi-line)
        );
    };
    
    filter f_windows_test_host {
        host(windows-test); #this is the hostname of the windows client
    };
    
    log {
        source(s_windows_test)
        filter(f_windows_test_host)
        destination(d_windows_facility)
    };

    I should point out that the OSE server is version 3.5.6, compiled Dec 30th 2015 at 19:57:24, with available modules: affile, afprog, afsocket-notls, afsocket-tls, afstomp, afuser, basicfuncs, confgen, cryptofuncs, csvparser, dbparser, linux-kmsg-format, syslogformat, system-source

    Best regards,

    Vincent
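    Vincent's configuration above puts flags(no-multi-line) on the file() destination and reports that the output still spans several lines. The block below is an added example, not syslog-ng code and not from any post in this thread: it shows the effect flags(no-multi-line) is documented to have on a record (line breaks turned into spaces) and, for the case where the 3.5.6 relay cannot be made to do it, a consumer-side fallback that rebuilds records from the split stream by treating each <PRI> header as a record boundary, then pulls a field out of the rebuilt record. The sample stream is constructed; the hostname windows-test is taken from the thread, and the whitespace normalisation in flatten_message is a simplification of my own, not syslog-ng's exact behaviour.

```python
"""Single-line syslog records from multi-line Windows events.

Added example for this thread; it is not syslog-ng code and not from the
original post.  flatten_message() gives the effect syslog-ng documents for
flags(no-multi-line) on a line-based destination (line breaks turned into
spaces); reassemble_records() is a consumer-side fallback for when the relay
cannot be made to do that.  The sample stream is constructed; "windows-test"
is the hostname used in the thread.
"""
import re
from typing import List, Optional

# An RFC 3164-style record starts with a <PRI> header, e.g. "<13>Mar  3 ...".
# A line that does not start that way is taken to be a continuation of the
# record before it (the wrapped body of a Windows event message).
_HEADER_RE = re.compile(r"^<\d{1,3}>")

# Constructed sample: two events from one host; the first has a multi-line
# body like a Windows Security event, the second fits on one line.
SAMPLE_STREAM = (
    "<13>Mar  3 10:00:00 windows-test Microsoft-Windows-Security-Auditing[4624]: "
    "An account was successfully logged on.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tWINDOWS-TEST$\r\n"
    "<13>Mar  3 10:00:01 windows-test Service Control Manager[7036]: "
    "The Windows Update service entered the running state.\r\n"
)


def flatten_message(message: str) -> str:
    """Collapse a multi-line message into one line.

    syslog-ng's flags(no-multi-line) on a file()/syslog() destination replaces
    each line break with a space and leaves everything else alone.  This
    version (a simplification chosen here for readability, not syslog-ng's
    exact behaviour) additionally drops blank lines and per-line indentation,
    so the result is easier to parse with a simple "Field:<ws>value" regex.
    """
    parts = (line.strip() for line in message.splitlines())
    return " ".join(part for part in parts if part)


def reassemble_records(stream: str) -> List[str]:
    """Rebuild records from a stream whose bodies arrived split across lines.

    Consumer-side fallback: every <PRI> header starts a new record, every
    line until the next header is glued onto the current one, and the
    finished record is flattened.  Lines seen before the first header have
    no record to belong to and are dropped.
    """
    records: List[str] = []
    current: Optional[str] = None
    for line in stream.splitlines():
        if _HEADER_RE.match(line):
            if current is not None:
                records.append(flatten_message(current))
            current = line
        elif current is not None:
            current += "\n" + line
    if current is not None:
        records.append(flatten_message(current))
    return records


def extract_field(record: str, name: str) -> Optional[str]:
    """Pull one "Name:<whitespace>value" field out of a flattened record.

    On the raw split stream the value sits on a line with no header, so it
    cannot be tied to a timestamp or host; once the record is on one line
    the header and the field travel together.
    """
    match = re.search(re.escape(name) + r":\s+(\S+)", record)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(f"raw lines: {len(SAMPLE_STREAM.splitlines())}")
    for rec in reassemble_records(SAMPLE_STREAM):
        print(rec)
        print("  account:", extract_field(rec, "Account Name"))
```

    Run stand-alone it reads the six raw lines of the sample and prints two records, each with the Windows host and timestamp in front of the event body. The header test is deliberately narrow: anything that is not a `<PRI>` line is a continuation, which is the right default for a stream that only ever carries one client's events, as the host() filter in the configuration above arranges.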

  • Good morning Vincent,

    I am going to do some testing in my labs today, I will respond to you shortly with updates.

    Thank you so much and have a great day!

    Best Regards,
    Justin VanAusdall
    Enterprise Technical Support Advisor
    One Identity

  • Dear Justin,

    Did you succeed in receiving one-line messages from the Windows agent in your lab?

    Regards,