How can I extend MonitorWare Database?

Created 2003-10-21 by Wajih-ur-Rehman

You can create new fields and tables by prefixing their names with u-. This way the names of your custom fields and tables will never conflict with ours, since we will never add a field or table name starting with u-. As of now, however, none of our products support such custom fields and tables.

If you could send the answers to the following questions to support@adiscon.com, perhaps we would be able to add your requested feature in the next releases of our products:

  1. What exactly are you looking for?
  2. Why exactly do you want to extend the database?

Your input in this regard would be greatly appreciated.

How can I forward IIS logs to a syslog daemon?

Created on 2002-10-04 by Rainer Gerhards.

MonitorWare Agent can forward Microsoft Internet Information Server (IIS) log files to any syslog daemon (or syslog server, if you like). Fortunately, IIS stores web log files as plain text files in the file system. Even better, other processes are allowed to read these files while IIS is still appending to them. This enables MonitorWare Agent to forward them in near real time.

MonitorWare Agent’s file monitor is optimized to pick up application log files, including IIS log files. Specific logic enables it to gather only the valid part of the log file currently being written (IIS writes files in 64K increments, and there is garbage after the valid log data lines). Special replacement characters inside the file name allow it to handle changing file names, so monitoring keeps working even while IIS rolls over to a new file name.

To activate log forwarding, create one file monitor per IIS log file to be monitored. Be sure to use the proper replacement characters if IIS modifies the log file name (by default, it includes the day of the month). Details on them can be found in the manual. Then send all file lines to a rule base that has syslog forwarding enabled. There is a sample in the Step-By-Step Guides inside the manual.

IIS log file data is like any other event data in MonitorWare Agent, so it can not only be forwarded via syslog but also be filtered, acted on, used to generate alerts, and so on. Another possible approach is to generate alerts if specific attack patterns show up in the logs. As long as the pattern is known and can be seen in the log file line, this can easily be configured.
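The following is an added illustration of what the file monitor described above has to get right, not code from MonitorWare Agent: it reads only the valid part of a W3C log chunk (complete lines before the padding IIS leaves at the end of the file), maps the columns from the #Fields directive, wraps each record as a syslog message, and applies one defender-side pattern rule. The log chunk, addresses and the "iis-log" tag are constructed for the example.

```python
import re

# Constructed sample of an IIS W3C extended log as it may look while still being
# written: directives, complete lines, a partial line, then NUL padding (IIS
# pre-allocates the file in 64K blocks, so bytes after the last newline are not
# valid log data yet).
SAMPLE_CHUNK = (
    b"#Software: Microsoft Internet Information Services 5.0\n"
    b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    b"2002-10-04 10:15:01 10.0.0.5 GET /default.htm 200\n"
    b"2002-10-04 10:15:02 10.0.0.7 GET /scripts/../private/config.txt 404\n"
    b"2002-10-04 10:15:03 10.0.0.5 GET /index.h"  # still being written
    + b"\x00" * 32
)

def valid_records(chunk, fields=None):
    """Parse only the valid part of a chunk: complete lines before any padding,
    mapped onto the column names from the most recent #Fields directive.
    Returns (records, fields) so the caller can carry 'fields' across chunks."""
    text = chunk.split(b"\x00", 1)[0].decode("ascii", "replace")
    lines = text.split("\n")[:-1]  # drop the trailing "" or the incomplete line
    records = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        records.append(dict(zip(fields, values)))
    return records, fields

def to_syslog(record, facility=16, severity=6):
    """Wrap one record as an RFC 3164-style message; PRI = facility*8 + severity
    (local0.info by default, which forwards as <134>)."""
    body = " ".join(f"{k}={v}" for k, v in record.items())
    return f"<{facility * 8 + severity}>iis-log: {body}"

# Defender-side rule of the kind the text mentions: alert on any request whose
# path contains a ".." segment (a known pattern visible in the cs-uri-stem field).
DOT_DOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

def alerts(records):
    """Return the records whose cs-uri-stem contains a '..' path segment."""
    return [r for r in records if DOT_DOT_SEGMENT.search(r.get("cs-uri-stem", ""))]
```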

Just a reminder: besides IIS, all other text logs can be processed. Prominent examples include the DHCP log or database message log files.

How to set up MonitorWare products to use MySQL as the database?

Created on 2002-08-09 by Andre Lorbach.

To use a MySQL database with WinSyslog, EventReporter or MonitorWare Agent, you first need to install some components (if you haven’t already). Go to http://www.mysql.com/downloads/index.html. If you don’t have a MySQL server yet, download MySQL-3.23.5 for Windows, for example (or a newer version if there is one).

Most important, you need to download and install the ODBC drivers for MySQL (myodbc-2.50, for example). This is needed because WinSyslog uses an ODBC driver to access the MySQL database.

Note: if you are upgrading from MonitorWare Agent 1.x to 2.x, from 4.x to 5.x or higher, or from 5.x (or any other previous version) to 6.x or higher, you need to create the SystemEventsProperties table.

1. On your MySQL Server, create a new database. The script below shows you an example:

CREATE DATABASE MyWinSyslog;
-- Select the new database; without this the CREATE TABLE statements fail with "No database selected".
USE MyWinSyslog;

-- MySQL has no IDENTITY(1,1); AUTO_INCREMENT on the primary key is the equivalent.
CREATE TABLE SystemEvents
(
ID int NOT NULL AUTO_INCREMENT PRIMARY KEY,
SystemID int,
ReceivedAt datetime,
DeviceReportedTime datetime,
Facility int,
Priority int,
FromHost nvarchar(60),
Message text,
NTSeverity int,
Importance int,
EventSource nvarchar(60),
EventUser nvarchar(60),
EventCategory int,
EventID int,
EventBinaryData text,
CurrUsage int,
MinUsage int,
MaxUsage int,
MaxAvailable int,
InfoUnitID int,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName varchar(60),
Checksum int NULL,
CustomerID int
);

CREATE TABLE SystemEventsProperties
(
ID int NOT NULL AUTO_INCREMENT PRIMARY KEY,
SystemEventID int NULL,
ParamName varchar(255) NULL,
ParamValue text NULL
);

-- Grant the logging account rights on this database only. Replace the placeholders;
-- the host part limits where the account may connect from (use the DNS name or IP
-- address of the machine running WinSyslog rather than '%').
-- Note for MySQL 8.0 and later: IDENTIFIED BY is no longer accepted inside GRANT;
-- run CREATE USER 'DatabaseUsername'@'YourDnsNameOrMachineIp' IDENTIFIED BY 'YourPassword';
-- first and then the GRANT without the IDENTIFIED BY clause.
GRANT ALL ON MyWinSyslog.* TO 'DatabaseUsername'@'YourDnsNameOrMachineIp' IDENTIFIED BY 'YourPassword';

2. After you install the ODBC components, you need to add a new ODBC System DSN. The screenshot below shows the first step of the wizard:

3. The screenshot below shows how all values could be filled in. The exact values depend on your configuration and names:

4. Now configure a Database Logging action in WinSyslog. In the screenshot below, I used the values specified above.

I have an invalid source in my received syslog message – what to do?

Created on 2002-03-17 by Rainer Gerhards.

If I look at the received syslog message source system, I see invalid names like “su”, “root” and the like. These correspond to some part of the syslog message. In any case, it is not the real system name. What can I do to receive the correct name?

The problem stems from systems that do not comply with the syslog RFC. The syslog service parses messages as the RFC specifies. Unfortunately, many existing systems are not compliant with the syslog RFC and format the message differently than specified. As a result, the syslog service picks up an invalid source system, simply because invalid information sits where the source system should be.

Fortunately, the syslog server can be instructed to ignore the source system in the syslog message. This is the default mode for all installations after 2002-03-20. It is controlled by the “Take source system from syslog message” check box. If that check box is checked, the source is taken from the message as specified in the syslog RFC. If it is unchecked, the source is determined from the sending system.

Adiscon’s experience is that, as of this writing, only a limited number of systems support RFC compliant message formatting, so we recommend unchecking this option.
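As an added illustration of the effect of that check box (not the server’s own code), the snippet below parses the RFC 3164 header and shows how a message that omits the hostname puts its TAG where the source system belongs, so that “su:” is recorded as the source unless the option is unchecked and the sender’s address is used instead. The first message is the example from RFC 3164; the second and the sender address are constructed.

```python
import re

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME, where TIMESTAMP is "Mmm dd hh:mm:ss"
# (day space-padded) and HOSTNAME is a single token; the TAG and content follow.
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)

def source_from_message(message):
    """Hostname field exactly as an RFC-compliant parser reads it, or None when
    the message has no parseable RFC 3164 header."""
    m = RFC3164_HEADER.match(message)
    return m.group("host") if m else None

def determine_source(message, sender_ip, take_source_from_message):
    """Model the server option: checked -> hostname field from the message
    (falling back to the sender when there is no header); unchecked -> sender."""
    if take_source_from_message:
        host = source_from_message(message)
        if host is not None:
            return host
    return sender_ip

# The first message is RFC 3164 compliant (the RFC's own example). The second
# omits the hostname, so the TAG "su:" sits where the hostname belongs.
COMPLIANT = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
NON_COMPLIANT = "<34>Mar 17 09:30:01 su: 'su root' failed for lonvick on /dev/pts/8"

def demo():
    """Show what gets recorded as the source under each setting."""
    sender = "192.0.2.10"  # constructed address of the sending system
    return {
        "compliant/checked": determine_source(COMPLIANT, sender, True),
        "non-compliant/checked": determine_source(NON_COMPLIANT, sender, True),
        "non-compliant/unchecked": determine_source(NON_COMPLIANT, sender, False),
    }
```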

How to configure Cisco products for logging?

Created on 2001-01-13 by Rainer Gerhards.

All Cisco products we know support logging to a syslog host like WinSyslog. This article covers all devices that use IOS (e. g. routers and switches).

Syslog logging needs to be both configured and turned on. To configure it, you must be in enable mode (see your Cisco documentation on how to enter enable mode). Then switch to configuration mode (the command is “configure terminal”, or “conf t” as an abbreviation). First, specify the syslog host that the messages should be sent to. This is the name or IP address of the system WinSyslog is running on. Although a DNS-resolvable name can be used, we strongly recommend using the IP address directly, so that logging does not depend on name resolution. If your machine has the address “195.123.45.6”, the command is “logging 195.123.45.6”. Next, logging needs to be turned on with the command “logging on”. Then exit configuration mode and save the new configuration.

This setting enables syslog logging for common messages (e.g. router configuration and startup). If you would like traffic-related logging as well, you need to create traffic filter rules that specify the “log” option and apply them to the interface you are interested in.

More detailed information can be found on Cisco’s web site under the “logging” command. Please note: that link points to one of Cisco’s product documentation areas; you may want to search the Cisco site for information specific to the product (router, switch, firewall, etc.) you are using.

