2003-02-25 MonitorWare Agent 1.2

  • New Scalable Filter Engine - The new filter engine is very powerful; you can build complex filter conditions like those known from Microsoft Network Monitor. A note for existing MonitorWare Agent users: after the update, you have to start the MWAgent Client first. This is important, because it will automatically import your existing filters into the new filter system. If you are new to this kind of filtering, I recommend that you read the Filter Conditions part of the manual before you start to play with the filters.

2003-02-24 MonitorWare Agent 1.2 Final Released

Adiscon today announced the immediate availability of MonitorWare Agent 1.2 Final. This version has a new, powerful filter engine which allows you to build very complex filters like those known from Microsoft Network Monitor. For more details see below.

2003-02-04 MonitorWare Agent 1.2 Beta 1 Released

Adiscon today announced the immediate availability of MonitorWare Agent 1.2 Beta 1.

This version has a new, powerful filter engine which allows you to build very complex filters like those known from Microsoft Network Monitor. For more details see below.

How can I forward IIS logs to a syslog daemon?

Created on 2002-10-04 by Rainer Gerhards.

MonitorWare Agent can forward Microsoft Internet Information Server (IIS) log files to any syslog daemon (or syslog server, if you like). Fortunately, IIS stores web log files as plain text files in the file system. Even better, other processes are allowed to read these files while IIS is adding information to them. This enables MonitorWare Agent to forward them in near real time.

MonitorWare Agent’s file monitor is optimized to pick up application log files, including IIS log files. Specific logic enables it to gather only the valid part of the log file that is currently being written (IIS writes files in 64K increments, and there is garbage after the valid log data lines). Special replacement characters inside the file name allow it to handle changing file names, so monitoring even works while IIS rolls over to a new file name.

To activate log forwarding, create one file monitor per IIS log file to be monitored. Be sure to use the proper replacement characters if IIS modifies the log file name (by default, it includes the day of the month). Details on them can be found in the manual. Then be sure to send all file lines to a rule base that has syslog forwarding enabled. There is a sample in the Step-By-Step Guides inside the manual.

IIS log file data is like any other event data in MonitorWare Agent, so it can not only be forwarded via syslog but also be filtered, acted on, turned into alerts and so on. Another possible approach is to generate alerts if specific attack patterns show up in the logs. As long as the pattern is known and can be seen in the log file line, this can easily be configured.

Just a reminder: besides IIS, all other text logs can be processed. Prominent examples include the DHCP log or database message log files.
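The following is an added example, not code from the page or from MonitorWare Agent: it shows the two things the file monitor has to get right for IIS logs, dropping the zero-filled tail of a 64K block (carrying an unfinished line over to the next read) and tracking the W3C "#Fields:" directive, and then wraps each entry in an RFC 3164 syslog line. The sample chunk, the host name WEB01 and the local0 facility are constructed assumptions; 5xx responses are mapped to severity "warning" to illustrate the alerting idea.

```python
import re
import socket
from datetime import datetime

PAD = re.compile(rb"\x00+$")   # IIS zero-fills the remainder of each 64K block

def split_valid(chunk, carry=b""):
    """Drop the NUL padding and return (complete lines, unfinished tail to carry over)."""
    data = carry + PAD.sub(b"", chunk)
    head, sep, tail = data.rpartition(b"\n")
    if not sep:
        return [], data
    lines = [l.decode("ascii", "replace").rstrip("\r") for l in head.split(b"\n")]
    return [l for l in lines if l], tail

def parse_w3c(lines):
    """Yield one dict per data line, using the most recent #Fields: directive (state is per call)."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def to_syslog(entry, host, facility=16):
    """Build an RFC 3164 line <PRI>TIMESTAMP HOST TAG: MSG (local0; warning on 5xx)."""
    severity = 4 if int(entry.get("sc-status", "0")) >= 500 else 6
    ts = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
    msg = " ".join(f"{k}={v}" for k, v in entry.items())
    return f"<{facility * 8 + severity}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {host} iis: {msg}"

def forward_chunk(chunk, host="WEB01", carry=b""):
    """Turn one raw chunk of an IIS log into syslog lines; returns (lines, new carry)."""
    lines, carry = split_valid(chunk, carry)
    return [to_syslog(e, host) for e in parse_w3c(lines)], carry

def send_udp(messages, target=("127.0.0.1", 514)):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for m in messages:
            sock.sendto(m.encode("ascii", "replace"), target)

# Constructed sample chunk: header, two complete entries, one unfinished entry, padding.
SAMPLE = (b"#Software: Microsoft Internet Information Services 5.0\r\n"
          b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n"
          b"2002-10-04 12:00:01 10.0.0.5 GET /index.htm 200\r\n"
          b"2002-10-04 12:00:02 10.0.0.7 GET /cgi-bin/test.pl 500\r\n"
          b"2002-10-04 12:00:03 10.0.0.9 GET /partial" + b"\x00" * 64)
```

forward_chunk(SAMPLE) returns two syslog lines plus the carried-over partial entry; pass the lines to send_udp to deliver them.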

How to set up MonitorWare products to use MySQL as the database?

Created on 2002-08-09 by Andre Lorbach.

To use a MySQL database with WinSyslog, EventReporter or MonitorWare Agent, you first need to install some components (if you haven’t already). Go to http://www.mysql.com/downloads/index.html. If you don’t have a MySQL server yet, download MySQL-3.23.5 for Windows, for example (or a newer version if there is one).

Most important, you need to download and install the ODBC drivers for MySQL (myodbc-2.50, for example). This is needed because WinSyslog uses an ODBC driver for MySQL to access the database.

Note: If you are upgrading from MonitorWare Agent 1.x to 2.x, you need to create the SystemEventsProperties table. The same applies if you are upgrading from 4.x to 5.x or higher, and if you are upgrading from 5.x (or any other previous version) to 6.x or higher.

1. On your MySQL Server, create a new database. The script below shows you an example:

CREATE DATABASE MyWinSyslog;
USE MyWinSyslog;

-- MySQL has no IDENTITY clause; AUTO_INCREMENT on a PRIMARY KEY is the equivalent.
-- VARCHAR is used for the text columns, which every MySQL version accepts.
CREATE TABLE SystemEvents
(
    ID int NOT NULL AUTO_INCREMENT PRIMARY KEY,
    SystemID int,
    ReceivedAt datetime,
    DeviceReportedTime datetime,
    Facility int,
    Priority int,
    FromHost varchar(60),
    Message text,
    NTSeverity int,
    Importance int,
    EventSource varchar(60),
    EventUser varchar(60),
    EventCategory int,
    EventID int,
    EventBinaryData text,
    CurrUsage int,
    MinUsage int,
    MaxUsage int,
    MaxAvailable int,
    InfoUnitID int,
    SysLogTag varchar(60),
    EventLogType varchar(60),
    GenericFileName varchar(60),
    Checksum int NULL,
    CustomerID int
);

CREATE TABLE SystemEventsProperties
(
    ID int NOT NULL AUTO_INCREMENT PRIMARY KEY,
    SystemEventID int NULL,
    ParamName varchar(255) NULL,
    ParamValue text NULL
);

-- Replace the user, host and password placeholders with your own values.
-- On MySQL 8.0 or later, create the account with CREATE USER first and omit IDENTIFIED BY here.
GRANT ALL ON MyWinSyslog.* TO 'database_username'@'YourDNS_or_machine_ip' IDENTIFIED BY 'YourPassword';

2. After you have installed the ODBC components, you need to add a new ODBC System DSN. The screenshot below shows the first step of the wizard:

3. The screenshot below shows how all values could be filled in. This depends on your configuration and names:

4. Now configure a Database Logging action in WinSyslog. In the screenshot below, I used the values I specified before.

I have an invalid source in my received syslog message – what to do?

Created on 2002-03-17 by Rainer Gerhards.

If I look at the source system of a received syslog message, I see invalid names like “su”, “root” and the like. These correspond to some part of the syslog message; in any case, it is not the real system name. What can I do to receive the correct name?

The problem stems from systems that are not compliant with the syslog RFC. The syslog service does RFC-compliant message parsing. Unfortunately, many existing systems are not compliant with the syslog RFC and format the message other than specified. As such, the syslog service picks up an invalid source system, simply because invalid information is where the source system should be.

Fortunately, the syslog server can be instructed to ignore the source system in the syslog message. This is the default mode for all installations after 2002-03-20. It is controlled by the “Take source system from syslog message” check box. If that check box is checked, the source is taken from the message as specified in the syslog RFC. If it is unchecked, it is determined based on the sending system.

Adiscon’s experience is that, as of this writing, only a limited number of systems support RFC-compliant message formatting, so we recommend unchecking this option.
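An added example (not the product’s code) of why the source column fills with names like “su”: an RFC 3164 parser takes whatever token follows the timestamp as HOSTNAME, so a sender that omits the host name puts its TAG there. The two datagrams and the sender address 192.0.2.10 are constructed; the plausible_hostname check is an added sanity test, not a product feature.

```python
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...  The HOSTNAME slot is simply
# the first token after the timestamp, whatever the sender put there.
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>"
                    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<rest>.*)$", re.S)

def plausible_hostname(token):
    """True if the token looks like a host name or address rather than a stray tag."""
    return re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", token) is not None

def parse_syslog(datagram, sender_ip, take_source_from_message):
    """Return (facility, severity, source, rest). With the option on, the source is the
    HOSTNAME field; with it off, the UDP sender address, as the FAQ recommends."""
    m = HEADER.match(datagram)
    if not m:
        raise ValueError("not an RFC 3164 datagram")
    facility, severity = divmod(int(m.group("pri")), 8)
    source = m.group("host") if take_source_from_message else sender_ip
    return facility, severity, source, m.group("rest")

# Constructed datagrams: the first follows the RFC, the second omits HOSTNAME so the
# TAG "su:" lands where the host name should be.
COMPLIANT = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
BROKEN = "<34>Oct 11 22:14:15 su: 'su root' failed for lonvick on /dev/pts/8"
SENDER = "192.0.2.10"   # address the datagram arrived from (constructed)

def sources_seen():
    """What the source column would contain under each setting."""
    return {
        "compliant, from message": parse_syslog(COMPLIANT, SENDER, True)[2],
        "broken, from message": parse_syslog(BROKEN, SENDER, True)[2],
        "broken, from sender": parse_syslog(BROKEN, SENDER, False)[2],
    }
```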

2002-03-01 MonitorWare Agent 1.0 Final

Release Date: 2002-03-01

Final, officially supported release.
