SYSLOG Output Format Examples

Log Parser

previous page next page

SYSLOG Output Format Examples

Export System Event Log

Export events from the System event log to a Syslog server and to a local file: 
SELECT TimeGenerated,
       CASE SourceName
         WHEN 'EventLog' THEN 'mark'
         WHEN 'Service Control Manager' THEN 'daemon'
         WHEN 'Print' THEN 'lpr'
         WHEN 'Kerberos' THEN 'auth'
         WHEN 'NETLOGON' THEN 'logaudit'
         WHEN 'Application Popup' THEN 'local7'
         ELSE 'local0'
       END AS MyFacility,
       CASE EventTypeName
         WHEN 'Error event' THEN 'err'
         WHEN 'Warning event' THEN 'warning'
         WHEN 'Information event' THEN 'info'
         ELSE 'info'
       END AS MySeverity,
       ComputerName,
       STRCAT(SourceName, ':'),
       Message
INTO @MYSERVER04,Log.txt
FROM System
This query can be executed with the following command: 
LogParser file:MyQuery.sql -o:SYSLOG -facility:$MyFacility -severity:$MySeverity -hostName:$ComputerName
The output will look like the following sample: 
<46>Apr 18 18:48:04 MYSERVER-M LogParser:EventLog: The Event log service was started. 
<30>Apr 18 18:48:27 MYSERVER-M LogParser:Service Control Manager: The Telephony service entered the running state. 
<46>Apr 18 18:51:37 MYSERVER-M LogParser:EventLog: The Event log service was stopped. 
<134>Apr 18 19:20:23 MYSERVER-M LogParser:Ati HotKey Poller: The service was started. 
<46>Apr 18 19:20:07 MYSERVER-M LogParser:EventLog: The Event log service was started. 
<30>Apr 18 19:20:47 MYSERVER-M LogParser:Service Control Manager: The Telephony service entered the running state. 
<46>Apr 18 19:33:17 MYSERVER-M LogParser:EventLog: The Event log service was stopped. 
<134>Apr 19 07:01:57 MYSERVER-M LogParser:Ati HotKey Poller: The service was started. 
<46>Apr 19 07:01:41 MYSERVER-M LogParser:EventLog: The Event log service was started. 
<30>Apr 19 07:02:07 MYSERVER-M LogParser:Service Control Manager: The Telephony service entered the running state.

IIS Log Error Entries

Send error entries in the IIS log to a Syslog server: 
SELECT TO_TIMESTAMP(date, time),
       CASE sc-status
         WHEN 500 THEN 'emerg'
         ELSE 'err'
       END AS MySeverity,
       s-computername AS MyHostname,        
       cs-uri-stem,
       sc-status
INTO @MYSERVER04
FROM <1>
WHERE sc-status >= 400
This query can be executed with the following command: 
LogParser file:MyQuery.sql -o:SYSLOG -facility:logalert -severity:$MySeverity -hostName:$MyHostname -processName:IIS:
The messages will look like the following samples: 
<115>Nov 18 00:28:43 MYSERVER04 IIS:/images/tibg.gif 404
<115>Nov 18 00:28:44 MYSERVER04 IIS:/aa.css 404
<115>Nov 18 00:28:59 MYSERVER04 IIS:/images/tibg.gif 404
<115>Nov 18 00:29:00 MYSERVER04 IIS:/aa.css 404
<115>Nov 18 00:29:01 MYSERVER04 IIS:/images/tibg.gif 404
<115>Nov 18 00:29:02 MYSERVER04 IIS:/images/tibg.gif 404
<115>Nov 18 00:29:04 MYSERVER04 IIS:/gorice/rulesinfo.nsf 403
<115>Nov 18 00:29:05 MYSERVER04 IIS:/_vti_inf.html 404
<112>Nov 18 00:29:05 MYSERVER04 IIS:/_vti_bin/shtml.dll 500
<115>Nov 18 00:31:51 MYSERVER04 IIS:/na/index.html 404

© 2004 Microsoft Corporation. All rights reserved.

previous page start next page