Authentication oddity with eventlog daemon

As of January 2012, Logalot is now part of Scrutinizer v9. Your Logalot license is now a Scrutinizer license. Contact support with questions.

Moderators: scottr, Moderator Team

User avatar
Site Admin
Posts: 149
Joined: Tue Nov 29, 2005 11:36 am

Re: Authentication oddity with eventlog daemon

Post by jghidoni » Fri Oct 02, 2009 4:37 pm

Hello Gene,

What happens is that the eventlog collection daemon first tries to authenticate to the server with the default credential that the daemon is running as. This is a limitation of the programming libraries that we use to build the eventlog daemon on.

The simplest way to avoid this would be to "push" the eventlogs from any servers that this occurs on.

To "push" eventlogs from a server to Logalot, you first install the eventlogd.exe agent on the Windows server you will be pushing the logs from. Place the eventlogd.exe file in the root directory of the c: drive. Get the latest eventlogd.exe from your Logalot server's soe\cgi-bin\ directory.

Next a configuration file must be created to tell the daemon to send new events to the remote Logalot server. The configuration file is called logalot.ini and also must be in the root directory of the c: drive of the "pushing" Windows server.

The file may consist of separate name/value parameters:

* host is the ip address of the Logalot server
* tcp port is the port used by mysql on the Logalot server
* log= enter the logfile names that you want to push the logs from.

Now install the eventlog daemon as a service by running:

eventlogd.exe -install_svc

This will load the eventlog policies from Logalot to this server and process the policies locally. The added benefit to this process is that if you have any 'delete' policies, then those logs do not get sent to Logalot, they are filtered out right there on the Windows server.

- Joanne


Who is online

Users browsing this forum: No registered users and 1 guest