LogLady User manual - HC Mingham

Contents

1. The HEADER contains two fields called the TIMESTAMP and the HOSTNAME. The TIMESTAMP will immediately follow the trailing ">" from the PRI part, and single space characters MUST follow each of the TIMESTAMP and HOSTNAME fields. HOSTNAME will contain the hostname, as it knows itself. If it does not have a hostname, then it will contain its own IP address. If a device has multiple IP addresses, it has usually been seen to use the IP address from which the message is transmitted. An alternative to this behavior has also been seen: in that case, a device may be configured to send all messages using a single source IP address, regardless of the interface from which the message is sent. This will provide a single consistent HOSTNAME for all messages sent from a device. The TIMESTAMP field is the local time and is in the format of "Mmm dd hh:mm:ss" (without the quote marks), where: Mmm is the English language abbreviation for the month of the year, with the first character in uppercase and the other two characters in lowercase; the following are the only acceptable values: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec. dd is the day of the month. If the day of the month is less than 10, then it MUST be represented as a space and then the number. For example, the 7th day of August would be represented as "Aug  7", with two spaces between the "g" and the "7". hh:mm:ss is the l
2. [Screenshot: Edit Rules dialog, rule "wince": Message Contains "wince", Action "Discard message", Enabled.] Every message that arrives containing "wince" will be removed. It will not appear in the log.
   Copyright © HC Mingham-Smith Ltd 2004-2015, http://www.mingham-smith.com
   10.9 Save all Warning or higher messages to a database. Create a rule with an appropriate name, e.g. "write to db". Set the severity to "Warning or greater". Set the action to "Write to database". Enter an appropriate SQL statement to write the entry. [Screenshot: Edit Rules dialog, rule "write to db": Severity "Warning or Higher", Action "Save to Database", SQL Statement "INSERT INTO log VALUES msg", Enabled.] You must have previously set up the database connection in Rules > Database settings AND created the database table (named "log" in this example). You will need some database knowledge to do this.
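The "Write to database" action in 10.9 builds an INSERT statement from the contents of the message that triggered it. The following Python is an added example written for this page, not LogLady's code and not taken from the manual: it uses sqlite3 to contrast splicing the message text into the SQL string with binding it as a parameter. Only the table name "log" comes from the manual; the column layout and the sample message are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Columns are constructed for this example; only the table name "log" is from the manual.
CREATE_LOG_TABLE = """
CREATE TABLE IF NOT EXISTS log (
    recvstdtime TEXT,   -- yyyy-mm-dd hh:mm:ss UTC, as the recvstdtime option supplies it
    ipaddr      TEXT,
    hostname    TEXT,
    facility    TEXT,
    severity    TEXT,
    msg         TEXT
)"""

Row = Tuple[str, str, str, str, str, str]


def open_log_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the database and make sure the log table exists."""
    conn = sqlite3.connect(path)
    conn.execute(CREATE_LOG_TABLE)
    return conn


def save_to_database(conn: sqlite3.Connection, row: Row) -> int:
    """Parameterised insert: the message text is bound as a value, so quotes or
    other SQL syntax inside it are stored verbatim rather than interpreted.
    Returns the rowid of the stored entry."""
    cur = conn.execute("INSERT INTO log VALUES (?, ?, ?, ?, ?, ?)", row)
    conn.commit()
    return cur.lastrowid


def naive_insert(conn: sqlite3.Connection, row: Row) -> bool:
    """The fragile alternative: splicing the fields into the SQL text. A single
    apostrophe in the message breaks the statement, and other input would change
    its meaning. Returns False instead of raising so the contrast is visible."""
    values = ", ".join(f"'{field}'" for field in row)
    try:
        conn.execute(f"INSERT INTO log VALUES ({values})")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        conn.rollback()
        return False


def count_rows(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM log").fetchone()[0]


def stored_messages(conn: sqlite3.Connection) -> List[str]:
    return [r[0] for r in conn.execute("SELECT msg FROM log ORDER BY rowid")]


# Constructed sample: an ordinary message whose text happens to contain apostrophes.
SAMPLE_ROW: Row = ("2005-09-09 14:59:19", "123.123.123.123", "linuxbox", "ftp", "Warning",
                   "vsftpd: FAIL LOGIN: Client \"10.0.0.7\", user 'o'neil'")

if __name__ == "__main__":
    conn = open_log_db()
    print("parameterised insert -> rowid", save_to_database(conn, SAMPLE_ROW))
    print("naive insert succeeded?", naive_insert(conn, SAMPLE_ROW))
    print("rows stored:", count_rows(conn), stored_messages(conn))
```

The parameterised form stores the apostrophe-laden message unchanged; the spliced form fails on the same input, and a rule that fires on every Warning-or-higher message is exactly the place where such input arrives unannounced.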
3. 10.3 Put some Linux Syslog messages in the Windows Event Log. We assume that a Linux server is set to send syslog messages to LogLady. We have decided that we want all messages generated by the mt-daapd program running on the Linux system to be copied to the Windows Event Log. The message received may look something like this: mt-daapd[3834]: Session 11: Streaming file 17 The Cure A Night Like This.mp3 to 123.123.123.123 offset 0. Select Rules > Edit Rules; create a rule called "mt-daapd". [Screenshot: Edit Rules dialog, rule "mt-daapd": Message Contains "mt-daapd", Action "Copy to Windows Event log", Enabled.] Enter "mt-daapd" as the string that the message must contain. You may also enter the IP address of the Linux system to further restrict the selection if required. Set the action to "Copy to Windows Event Log". Press Add/Modify Rule. Press OK to save the change. Now, whenever a message that contains "mt-daapd" arrives, the message is copied into the Windows Event Log (Application section) with the event source "loglady".
   10.4 Send me an e-mail when a Linux system is rebooted. To do this we need to match a message that is sent when the Linux system starts a
4. This option is checked when it is active.
   6.2.5.5 Edit Ping List (Monitors menu). Use this command to show the Edit Ping List dialog. The dialog controls which network addresses are monitored.
   6.2.5.6 Phone Calls (Monitors menu). Use this command to tell LogLady that it should watch any attached modems for phone calls. If the modem is capable of reporting the phone number being used, that is included too. The event is logged as a syslog message. This option is checked when it is active.
   6.2.5.7 SNMP Traps (Monitors menu). Use this command to tell LogLady that it should watch for SNMP traps; the event is logged as a syslog message. This option is checked when it is active.
   6.2.6 Help Menu. The Help menu offers the following commands: About LogLady: show information on LogLady. Help Topics: show an index of help topics.
   7 Monitors. Monitors are used by LogLady to generate syslog messages for events from various sources. This powerful feature means that many sources of log messages can be merged: Syslog messages, Windows Event Log messages and messages from textual log files can all be viewed in sequence using LogLady. Messages generated by monitors can be filtered, sorted and acted on using Rules. These are the currently supported types of Monitor: Eventlog, Files/Folders, Ping Network Device, Phone Calls,
5. that used in the PRI and HEADER parts. In this code set, the only allowable characters are the ABNF VCHAR values (%d33-126) and spaces (SP value %d32). However, no indication of the code set used within the MSG is required, nor is it expected. Other code sets MAY be used as long as the characters used in the MSG are exclusively visible characters and spaces similar to those described above. The selection of a code set used in the MSG part SHOULD be made with thoughts of the intended receiver. A message containing characters in a code set that cannot be viewed or understood by a recipient will yield no information of value to an operator or administrator looking at it. The MSG part has two fields known as the TAG field and the CONTENT field. The value in the TAG field will be the name of the program or process that generated the message. The CONTENT contains the details of the message. This has traditionally been a freeform message that gives some detailed information of the event. The TAG is a string of ABNF alphanumeric characters that MUST NOT exceed 32 characters. Any non-alphanumeric character will terminate the TAG field and will be assumed to be the starting character of the CONTENT field. Most commonly, the first character of the CONTENT field that signifies the conclusion of the TAG field has been seen to be the left square bracket character ("["), a colon character (":"), or a space character. This is exp
6. Event Log Monitoring. Files/Folders: Enable/Disable File/Folder Monitoring. Edit File/Folder List: Edit the list of Files/Folders to monitor. Ping Network Devices: Enable/Disable Ping Monitoring. Edit Ping List: Edit the list of Network Addresses to monitor. Phone Calls: Enable/Disable Phone Call Monitoring. SNMP Traps: Enable/Disable SNMP Trap Monitoring.
   6.2.5.1 Event Log (Monitors menu). Any messages logged to the local Windows Event Log should be treated as though they were sent as Syslog messages. This allows Windows and Syslog messages to be viewed at the same time, and also means that the Windows messages can be filtered, sorted and acted on using Rules. This option is checked when it is active.
   6.2.5.2 Files/Folders (Monitors menu). Use this command to tell LogLady that it should watch a list of folders and/or files for modifications. When modifications are made, the event is logged as a syslog message. This option is checked when it is active.
   6.2.5.3 Edit File/Folder List (Monitors menu). Use this command to show the Edit List of Files and Folders to Monitor dialog. The dialog controls which files and/or folders are monitored.
   6.2.5.4 Ping Network Devices (Monitors menu). Use this command to tell LogLady that it should watch a list of network addresses for changes. When changes are observed, the event is logged as a syslog message.
7. Mingham-Smith Ltd (The author). THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. You must accept the agreement and press Next to proceed.
   [Screenshot: Setup - LogLady V1.7, Information page: "Please read the following important information before continuing. When you are ready to continue with Setup, click Next." LogLady V1.7 Release Notes, December 2005, Copyright (C) 2005 H C Mingham-Smith Ltd. such as routers, printers, Linux servers etc. It should work on any version of Windows from Windows 95 and NT 3.51 onwards. Full details are in the Help file.] Press Next.
   [Screenshot: Setup - LogLady V1.7, "Where should LogLady V1.7 be installed?": Setup will install LogLady V1.7 into the following folder. To continue, click Next. If you would like to select a different folder, click Browse. D:\Program Files\LogLady. At least 1.2 MB of free d
8. Pressing the advanced button allows the trap's details to be changed. [Screenshot: SNMP Trap Parameters dialog, Trap Details: Community "public", Generic type 6, Sender's OID, Specific Type, String Variable.]
   9.2.2 E-Mail. The E-mail action has default parameters set in the E-Mail settings dialog box. These may be changed for each rule by pressing the advanced button. [Screenshot: E-Mail Parameters dialog: To "loglady", Subject "subject", Text "Some text", Include Syslog Message.]
   9.3 Special string options. For some Actions, the contents of the Message can be used to make the Action more informative. The Message Box, Run Program, (advanced) SNMP Trap string and Write to Database Actions have associated values that can be modified with the Message contents. The following values are replaced with information extracted from the message that triggered the Action:
   facility: is replaced with the facility, e.g. NTP.
   hostname: is replaced with the hostname.
   ipaddr: is replaced with the IP address.
   severity: is replaced with the severity, e.g. Warning.
   recvtime: is replaced with the time the message was received.
   recvstdtime: is replaced with the time the message was received; the time is yyyy-mm-dd hh:mm:ss UTC.
   msg: is replaced with the text of the message.
   all: is replaced by a combination of all of the above.
   9.3.1 Exampl
9. address to request bank account details. E-mail address: support@mingham-smith.com. 3. By Credit Card: we have arrangements with mycommerce.com, who provide on-line credit card registration for LogLady. To register online, click on the link "Buy LogLady". Invoices: if your company requires an invoice before sending payment, please e-mail us at support@mingham-smith.com or post your purchase order to the above address. Charges for registering your use of LogLady are based on the number of computers on which it is installed and are detailed on the registration forms, which customers are requested to complete. Prices are quoted in US dollars, Euros and Sterling. Customers outside the US or European Union are requested to convert the US dollar prices to the equivalent amount in their local currency. Please note that receipts are normally sent via e-mail. If you require a receipt to be sent by post, or a license to be issued, please request this when registering.
   4 Our Company Details. HC Mingham-Smith Limited, Registered in England No. 3676999. Registered Office: TSB House, 39A Peach Street, Wokingham, Berks RG40 1XJ. VAT Registration Number 642 4733 43.
   LogLady Registration Form. For customers outside the European Union: UK VAT (Value Added Tax) does not apply to customers outside the European Union. The following prices are given in
10. allow unsolicited syslog messages through to LogLady. Open the firewall control panel. Make sure the settings are set like this: [Screenshot: Windows Firewall, General tab. "Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network." Selected option: "This setting blocks all outside sources from connecting to this computer, with the exception of those selected on the Exceptions tab." "Don't allow exceptions" (unchecked): "Select this when you connect to public networks in less secure locations, such as airports. You will not be notified when Windows Firewall blocks programs. Selections on the Exceptions tab will be ignored." "Off (not recommended)": "Avoid using this setting. Turning off Windows Firewall may make this computer more vulnerable to viruses and intruders." "What else should I know about Windows Firewall?"] On the Exceptions tab, click on Add Port. [Screenshot: Windows Firewall, Exceptions tab (General / Exceptions / Advanced): "Windows Firewall is blocking incoming network connections, except for the programs and services selected below. Adding exceptions allows some programs to work better but might increase your security risk." Programs and Services: File and Printer Sharing, MSN Mess
11. [Screenshot: a monitored text log file containing lines such as "Error search.cpp 35: Conversion may lose significant digits in function AskReplace" (repeated), followed by filler text ("blabla bla bla bla ...", "aaaaaaaaaaaaaaaaa").]
   12 Syslog Message Fields. The important parts of a Syslog message are:
   - the address of the device that sent it;
   - the facility that originated the message, i.e. the subsystem on the device;
   - the severity of the message (how important the message is);
   - when it was sent;
   - the text of the message itself.
   LogLady can filter and sort messages based on the contents of these fields. There follows a more technical description of the format of a Syslog message. It is an extract from the full text found in RFC 3164.
   4.1 syslog Message Parts. The full format of a syslog message seen on the wire has three discernable parts. The first part is called the PRI, the second part is the HEADER, and the third part is the MSG. The total length of the packet MUST be 1024 bytes or less. There is no minimum length of the syslog message, although sending a syslog packet with no contents is worthless and SHOULD NOT be transmitted.
   4.1.1 PRI Part. The PRI part MUST have three, four, or
12. denied" as the string that the message must contain. Set the action to Message Box and enter msg as the message. Press Add/Modify Rule. Press OK to save the change. Now, whenever a message that contains "access denied" arrives, the contents of the message are shown in a message box.
   10.6 Save a restricted set of messages in their own log file. Create a rule called "only warnings"; enter the restrictions on the messages we want to save to their own file, e.g. they must come from 123.123.123.123 AND be a warning AND contain the word "ftp". Select the action "Write to file" and enter the name warn.txt. All messages that match will be written to the file in addition to the default log. The new file warn.txt can be loaded into LogLady at any time for analysis. [Screenshot: Edit Rules dialog, rule "only warnings": IP Address 123.123.123.123, Severity Warning, Message Contains "ftp", Action "Save to file", Filename warn.txt, Enabled.]
   10.7 Include the Windows firewall logging in LogLady. This demonstrates how to monitor a file for changes and incorporate the lines added into the logging. First switch on the firewall a
13. 11 Regular Expressions 39; 11.1 Description 39; 12 Syslog Message Fields 41; 13 Troubleshooting 46; 13.1 Frequently asked questions 46; 13.2 LogLady and Windows XP SP2 firewall 46; 14 Registering and Paying for LogLady 49.
   2 Shareware. Copyright Notice 2004-2015 HC Mingham-Smith Ltd (The author). THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. LogLady is Shareware. This is a complete working version. There are no annoying reminder screens about what it costs and there are no disabled features. If you continue to use it after evaluating it, please send the appropriate amount by post to HC Mingham-Smith Ltd, 33 Arthu
14. five characters and will be bound with angle brackets as the first and last characters. The PRI part starts with a leading "<" ('less-than' character), followed by a number, which is followed by a ">" ('greater-than' character). The code set used in this part MUST be seven-bit ASCII in an eight-bit field as described in RFC 2234 [2]. These are the ASCII codes as defined in "USA Standard Code for Information Interchange" [3]. In this, the "<" character is defined as the Augmented Backus-Naur Form (ABNF) %d60, and the ">" character has ABNF value %d62. The number contained within these angle brackets is known as the Priority value and represents both the Facility and Severity as described below. The Priority value consists of one, two, or three decimal integers (ABNF DIGITS) using values of %d48 (for "0") through %d57 (for "9"). The Facilities and Severities of the messages are numerically coded with decimal values. Some of the operating system daemons and processes have been assigned Facility values. Processes and daemons that have not been explicitly assigned a Facility may use any of the "local use" facilities or they may use the "user-level" Facility. Those Facilities that have been designated are shown in the following table along with their numerical code values.
   Numerical Code   Facility
   0                kernel messages
   1                user-level messages
   2                mail system
   3                system daemons
   Copyrigh
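The PRI, HEADER and MSG rules quoted from RFC 3164 in items 1, 5, 11 and 14 translate directly into a validating parser. The following Python is an added example written for this page, not part of LogLady and not taken from the manual. The first sample packet is the example given in RFC 3164 itself; the second is a constructed line modelled on the vsftpd message quoted in the manual. Facility names beyond the four rows shown above are taken from the RFC 3164 table.

```python
import re
from dataclasses import dataclass

# Facility and Severity code tables from RFC 3164 section 4.1.1; the manual
# reproduces only the first rows of the Facility table.
FACILITY_NAMES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem", 8: "UUCP subsystem", 9: "clock daemon",
    10: "security/authorization messages", 11: "FTP daemon", 12: "NTP subsystem",
    13: "log audit", 14: "log alert", 15: "clock daemon",
}
FACILITY_NAMES.update({16 + i: f"local use {i} (local{i})" for i in range(8)})
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

PRI_RE = re.compile(r"<(\d{1,3})>")         # 3 to 5 characters including the angle brackets
DAY_RE = re.compile(r"[ 1-3]\d")            # days below 10 are space-padded, never zero-padded
CLOCK_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d:[0-5]\d")
TAG_RE = re.compile(r"[A-Za-z0-9]*")        # TAG is alphanumeric; anything else starts CONTENT
MAX_PACKET = 1024
MAX_TAG = 32


@dataclass
class SyslogMessage:
    pri: int
    facility: int
    severity: int
    month: str
    day: int
    clock: str
    hostname: str
    tag: str
    content: str

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, "unknown")

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_syslog(packet: str) -> SyslogMessage:
    """Split one wire-format RFC 3164 packet into its PRI, HEADER and MSG fields,
    raising ValueError on anything the RFC text quoted on this page forbids."""
    if len(packet.encode("utf-8")) > MAX_PACKET:
        raise ValueError("packet exceeds the 1024-byte maximum")
    m = PRI_RE.match(packet)
    if not m:
        raise ValueError("PRI part missing or malformed")
    pri = int(m.group(1))
    if pri > 191:                             # 24 facilities x 8 severities - 1
        raise ValueError(f"Priority value {pri} out of range")
    rest = packet[m.end():]
    # HEADER: TIMESTAMP is exactly 15 characters, "Mmm dd hh:mm:ss", then one space.
    if len(rest) < 16 or rest[15] != " ":
        raise ValueError("TIMESTAMP must be exactly 15 characters followed by a space")
    ts = rest[:15]
    month, day, clock = ts[0:3], ts[4:6], ts[7:15]
    if month not in MONTHS or ts[3] != " " or ts[6] != " ":
        raise ValueError(f"bad TIMESTAMP {ts!r}")
    if not DAY_RE.fullmatch(day) or not 1 <= int(day) <= 31:
        raise ValueError(f"bad day of month {day!r}: use 'Aug  7', not 'Aug 07'")
    if not CLOCK_RE.fullmatch(clock):
        raise ValueError(f"bad time {clock!r}")
    hostname, sep, msg = rest[16:].partition(" ")
    if not hostname or sep != " ":
        raise ValueError("HOSTNAME must be followed by a single space")
    # MSG: the TAG is the leading alphanumeric run (at most 32 characters);
    # the first non-alphanumeric character ('[', ':' or space) begins CONTENT.
    tag = TAG_RE.match(msg).group(0)
    if len(tag) > MAX_TAG:
        raise ValueError("TAG exceeds 32 characters")
    # Priority = Facility * 8 + Severity (RFC 3164), so split it back with shift and mask.
    return SyslogMessage(pri, pri >> 3, pri & 7, month, int(day), clock,
                         hostname, tag, msg[len(tag):])


def is_valid(packet: str) -> bool:
    """True when parse_syslog accepts the packet."""
    try:
        parse_syslog(packet)
        return True
    except ValueError:
        return False


# Sample packets: the first is the example from RFC 3164 itself, the second is a
# constructed message modelled on the vsftpd line quoted in the manual.
RFC_EXAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
VSFTPD_EXAMPLE = ('<13>Aug  7 09:03:12 10.0.0.5 vsftpd[3789]: [ftp] OK DOWNLOAD: '
                  'Client "123.123.123.123", "/Tardis2000.pdf", 572883 bytes, 22.30Kbyte/sec')

if __name__ == "__main__":
    for pkt in (RFC_EXAMPLE, VSFTPD_EXAMPLE):
        msg = parse_syslog(pkt)
        print(f"{msg.facility_name} / {msg.severity_name} from {msg.hostname} "
              f"on {msg.month} {msg.day:2d} {msg.clock}: tag={msg.tag!r} content={msg.content!r}")
```

The parser is deliberately strict: a zero-padded day, a Priority above 191 or a TAG longer than 32 characters is rejected rather than guessed at, which is the behaviour a receiver wants when the sender is untrusted equipment on the network.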
15. For example, if the match string "router" is specified with red text on a yellow background, all messages that contain the text "router" will be shown with those colors. Note: this type of highlighting is different from the Highlight action. This type of highlighting may be configured differently for each PC using LogLady; a logfile moved from one PC to another would not maintain the same colors. Messages highlighted by the Highlight action do maintain their highlighted state if they are saved to a file and are loaded into another PC running LogLady.
   6.2.4 Rules Menu. The Rules menu offers the following commands: Rules Enabled: Enable/Disable Rule processing. Edit rules: Edit the list of Rules. First rule only: Only act on the first matching Rule. All matching Rules: Act on all matching Rules. E-mail settings: Configure the E-Mail connection. Database settings: Set the ODBC DSN to be used for the Write to Database action.
   6.2.4.1 Rules Enabled (Rules menu). Use this command to enable or disable all rule processing. When rules are enabled, this option is checked.
   6.2.4.2 Edit rules (Rules menu). Use this command to show the Edit Rules dialog.
   6.2.4.3 First Rule only (Rules menu). Use this command to tell LogLady that it should use only the first matching rule. This option is checked when it is active.
   6.2.4.4 All matching rules (Rules menu). Use this command to tell LogLady
16. 9 Actions 28; 9.2 Advanced Settings 29; 9.2.1 SNMP Trap 29; 9.2.2 E-Mail 29; 9.3 Special string options 30; 9.3.1 Examples 30; 9.4 Special Filename Characters 30; 9.4.1 Examples 31; 10 Using LogLady Examples 32; 10.1 Play a sound when a message of interest arrives 32; 10.2 Forward All Windows Event Log Messages to a Linux Syslog Server 33; 10.3 Put some Linux Syslog messages in the Windows Event Log 34; 10.4 Show me when my firewall traps access a banned website 35; 10.5 Send me an e-mail when a linux system is rebooted 35; 10.6 Save a restricted set of messages in their own log file 36; 10.7 Include the Windows XP SP2 firewall logging in LogLady 36; 10.8 Discard messages 37; 10.9 Save all Warning or higher messages to a database 38; 11 Regular Expressions
17. Edit Rules dialog. [Screenshot: Edit Rules dialog with the fields IP Address, Facility, Severity, Message Contains, Match contents using Regexp, Hostname, Threshold 0 (number of seconds before rule matches again), Action, Enabled, and the buttons Clear All etc.] The Edit Rules dialog allows you to add Rules that control Actions. Actions provide a way to do something about the incoming messages, by sending E-Mail messages, playing a sound etc. Each rule must be given a name. The match section of the dialog provides a way of filtering the messages so that only certain messages cause actions. For each field that is specified (as opposed to being left blank), the message must match before the action will happen. For example, if the IP address is specified, a message must come from that IP address before the action is triggered. If the "Match contents using Regexp" option is selected, the string used to search the message contents is treated as a regular expression. If this is not set, the string is used as a simple case-insensitive string that matches if it is contained in the message. If a rule is added that leaves ALL the match fields blank, the rule will match ALL incoming messages. This can be used to save all messages to a file. Rules may have a threshold set to prevent a burst of messages that all match the same rule from generating the
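The matching semantics described in this item (blank fields match everything, case-insensitive substring versus regular expression, a severity with "or higher", the threshold, and the Rules menu choice between acting on the first matching rule or on all of them) can be shown in a small rule evaluator. The following Python is an added example written for this page, not LogLady's implementation: the rules are modelled on the manual's worked examples (wince, write to db, only warnings, ok download) plus one constructed regexp rule, and the messages are constructed. Where the manual does not say (exact versus case-insensitive comparison of IP, facility and hostname; case sensitivity of the regexp mode) the code states its assumption in a comment.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 3164 severity codes. Lower numbers are MORE severe, so a "Warning or
# Higher" rule accepts any message whose code is <= 4.
SEVERITY_CODES = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                  "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}


@dataclass
class Message:
    ip: str
    facility: str
    severity: str        # severity name, e.g. "Warning"
    hostname: str
    text: str


@dataclass
class Rule:
    name: str
    action: str                       # e.g. "Discard message", "Save to file"
    # Match fields: None means the dialog field was left blank, which matches everything.
    ip: Optional[str] = None
    facility: Optional[str] = None
    severity: Optional[str] = None
    severity_or_higher: bool = False  # the "Warning or Higher" style setting
    contains: Optional[str] = None    # "Message Contains"
    use_regexp: bool = False          # "Match contents using Regexp"
    hostname: Optional[str] = None
    threshold_seconds: float = 0.0    # seconds before the rule may match again
    last_match: Optional[float] = field(default=None, repr=False)

    def text_matches(self, text: str) -> bool:
        if self.contains is None:
            return True
        if self.use_regexp:
            # The manual promises case-insensitivity only for the plain-string mode,
            # so the regular expression is applied exactly as written (an assumption).
            return re.search(self.contains, text) is not None
        return self.contains.lower() in text.lower()

    def matches(self, msg: Message, now: float) -> bool:
        # Every specified field must match. Comparisons of ip, facility and
        # hostname are exact (an assumption; the manual does not say).
        if self.ip is not None and msg.ip != self.ip:
            return False
        if self.facility is not None and msg.facility != self.facility:
            return False
        if self.hostname is not None and msg.hostname != self.hostname:
            return False
        if self.severity is not None:
            want, have = SEVERITY_CODES[self.severity], SEVERITY_CODES[msg.severity]
            ok = have <= want if self.severity_or_higher else have == want
            if not ok:
                return False
        if not self.text_matches(msg.text):
            return False
        # Threshold: a burst of matching messages fires the action only once per window.
        if self.last_match is not None and now - self.last_match < self.threshold_seconds:
            return False
        self.last_match = now
        return True


def process(rules: List[Rule], msg: Message, now: float,
            first_rule_only: bool = False) -> List[Tuple[str, str]]:
    """Return the (rule name, action) pairs fired for one message, honouring the
    Rules menu choice between "First rule only" and "All matching Rules"."""
    fired = []
    for rule in rules:
        if rule.matches(msg, now):
            fired.append((rule.name, rule.action))
            if first_rule_only:
                break
    return fired


def build_rules() -> List[Rule]:
    """Rules modelled on the manual's worked examples, in dialog order."""
    return [
        Rule("wince", "Discard message", contains="wince"),
        Rule("write to db", "Save to Database", severity="Warning", severity_or_higher=True),
        Rule("only warnings", "Save to file", ip="123.123.123.123",
             severity="Warning", contains="ftp"),
        Rule("ok download", "Play sound", contains="ok download", threshold_seconds=10),
        Rule("su failures", "Message box", use_regexp=True,
             contains=r"su: 'su \w+' failed"),   # constructed regexp rule
    ]


# Constructed sample messages, as LogLady would hold them after parsing.
FTP_WARNING = Message("123.123.123.123", "ftp", "Warning", "linuxbox",
                      "vsftpd[3789]: [ftp] FAIL LOGIN: Client \"10.0.0.7\"")
WINCE_INFO = Message("10.0.0.7", "user", "Informational", "pda01",
                     "WinCE device reports battery low")
DOWNLOAD_OK = Message("123.123.123.123", "ftp", "Informational", "linuxbox",
                      "vsftpd[3789]: [ftp] OK DOWNLOAD: Client \"10.0.0.7\", \"/Tardis2000.pdf\"")
SU_FAIL = Message("10.0.0.5", "authpriv", "Critical", "mymachine",
                  "su: 'su root' failed for lonvick on /dev/pts/8")

if __name__ == "__main__":
    rules = build_rules()
    for m in (FTP_WARNING, WINCE_INFO, DOWNLOAD_OK, SU_FAIL):
        print(m.text[:40], "->", process(rules, m, now=0.0))
```

Rule order matters in first-rule-only mode: the Warning-or-higher database rule placed before "only warnings" means the file copy never happens for the FTP warning in that mode, which is the kind of silent gap worth checking when a log pipeline is audited.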
18. 11 Regular Expressions. 11.1 Description. A regular expression is a formula for matching strings that follow some pattern. Regular expressions are made up of normal characters and metacharacters. Normal characters include upper and lower case letters and digits. The metacharacters have special meanings and are described in detail below.
   Metacharacter   Meaning
   ^               Match the beginning of line
   $               Match the end of line
   .               Match any character
   [ ]             Match characters in set
   [^ ]            Match characters not in set
   ?               Match previous pattern 0 or 1 times (greedy)
   |               Match previous or next pattern
   *?              Match previous pattern 0 or more times (non-greedy)
   +?              Match previous pattern 1 or more times (non-greedy)
   *               Match previous pattern 0 or more times (greedy)
   +               Match previous pattern 1 or more times (greedy)
                   Group characters to form one pattern
                   Group and remember
   \               Quote next character (only if not a-z)
   \<              Match beginning of a word
   \>              Match end of a word
   \x              Match character with ASCII code (hex)
                   Match ASCII code (dec)
                   Match ASCII code
   \a              Match a
   \r              Match 0x13 (cr)
   \b              Match b
   \t              Match 0x09 (tab)
   \f              Match f
   \v              Match v
   \n              Match 0x10 (lf)
   \e              Match escape
   \s              Match whitespace (cr, lf, tab, space)
   \S              Match non-whitespace
   \w              Match word character
   \W              Match non-word character
   \d              Match digit character
   \D              Match non-digit charact
19. LogLady v1.8. Copyright © HC Mingham-Smith Ltd 2004-2015, http://www.mingham-smith.com
   1 Contents: 1 Contents 2; 2 Shareware 3; 3 Introduction 4; 3.1 What is LogLady 4; 3.2 What is syslog 4; 4 Installation 5; 4.1 Description 5; 4.2 Install command line options 9; 6 User Interface 12; 6.1 Main Window 12; 6.1.1 Filter Pane 12; 6.1.2 Message Pane 12; 6.1.3 Graph Pane 13; 6.2 Menus 13; 6.2.1 File Menu 13; 6.2.2 Edit Menu 15; 6.2.4 Rules Menu 20; 6.2.5 Monitors Menu 21; 6.2.6 Help Menu 22; 7 Monitors 23; 9
20. 13 Troubleshooting. 13.1 Frequently asked questions.
   Q: Why is it called LogLady? A: LogLady is named after a character in the Twin Peaks TV series. The name has "log" in it, so it seemed to make sense at the time.
   Q: The UNIX/Linux syslogd isn't receiving the messages LogLady sends. A: The syslogd must be started with the -r option to allow messages that originate from other machines to be logged. By default this is usually not set. Another possibility is that the Windows PC has a firewall configured that is blocking the messages.
   Q: When might LogLady be useful? A: Anytime a PC or network device does something interesting that you might want to record and/or react to.
   13.2 LogLady and Windows firewall. Windows contains a new firewall feature that may interfere with the normal operation of LogLady. When LogLady runs you may get a message asking whether LogLady should be Blocked or Unblocked. You should select Unblock. You may also choose to manually configure the firewall. This describes how to configure the firewall to
21. Rule. Press OK to save the change. Now, whenever a message that contains "ok download" arrives, the selected sound is played.
   10.2 Forward All Windows Event Log Messages to a Linux Syslog Server. In this example we assume that a Linux server is set up to be a syslog server. Select Rules > Edit Rules; create a rule called "forward all windows". [Screenshot: Edit Rules dialog, rule "forward all windows": Facility Windows, Action "Send to another Syslog server", Server 10.0.0.123, Enabled.] Make sure that the Event Log Monitor is enabled (Monitors > Event Log). Windows Event Log messages are copied into LogLady with the special facility "Windows". Select "Windows" as the required facility that the message must contain. Set the action to "Send to another Syslog Server" and select the address of the Linux syslog server. Press Add/Modify Rule. Press OK to save the change. Now, whenever a message that has the Windows facility (i.e. comes from the Windows Event Log) arrives, the message is forwarded.
22. SNMP Traps.
   Eventlog: Any messages logged to the local Windows Event Log should be treated as though they were sent as syslog messages. This allows Windows and syslog messages to be viewed at the same time.
   Files/Folders: LogLady can watch a list of files and/or folders for changes. This allows modifications to important files to be audited and actions taken. The list of files can be changed using the Edit Files/Folders List dialog. Textual log files generated by other applications can be monitored; new log file entries are merged in with other syslog messages.
   Ping Network Device: LogLady can periodically ping a list of network addresses to determine if they respond. This can be used to log devices connecting and disconnecting from the network. The list of addresses to ping can be changed using the Edit Ping List dialog.
   Phone Calls: LogLady can watch any attached modems for phone calls. If the modem is capable of reporting the phone number being used, that is included too. The modems must be connected using TAPI.
   SNMP Traps: LogLady can watch for SNMP traps generated by other network-based equipment. Any data contained is shown in the log message.
   The Edit Files/Folders List dialog allows you to edit the list of files and/or folders to be monitored. [Screenshot: Edit List of Files and Folders to Monitor, columns Filename / Log: C:\Documents and Settings\tardis\Desktop\pfirewall.log Yes; C:\Progr
23. US. Non-US customers are invited to convert the following prices to their local currency. Quantity: please indicate the number of computers on which LogLady is installed and calculate the correct price. Computer(s) at 75 each. Corporate License (any number of copies for your whole company/organisation): 4000. Please provide the following information when registering: Full Name; Name of company; Your Address; E-Mail Address; Windows Version; LogLady version; Where did you hear about LogLady? Please send e-mail regarding LogLady to support@mingham-smith.com. Visit the LogLady Home Page: http://www.mingham-smith.com
   LogLady Registration Form. For customers in the European Union but not in the UK: customers in the European Union who use the software for business purposes are responsible for paying VAT at the appropriate rate in their home country. Customers registering their own personal use should pay VAT at the UK rate of 20% to HC Mingham-Smith Limited. The following prices are in Euros and are exclusive of VAT. Prices may be converted to the customer's home currency if preferred. Quantity: please indicate the number of computers on which LogLady is installed and calculate the correct price. Computer(s) at 75 plus VAT each. Corporate License (any number of copies for your whole company/organisat
24. am Files\Network Associates\VirusScan\SHLog.txt Yes; "This file is a Log that contains text entries".] Press the button to select files, or just type the name and press Add. Files can also be added by dragging files to the dialog. To delete files from the list, select them, then press Delete. Delete all by pressing Clear All. If the "This file is a Log that contains text entries" option is set when adding a file, the contents of the file are treated as a log file. Log files are often generated by applications to record their ongoing operations. For example, the Windows firewall can be set to log messages to a file. When LogLady knows the file is a log file it will do more than just report that the file has changed: as new messages are added to the log file, LogLady will copy them into the list of syslog messages. This powerful feature means that many sources of log messages can be merged into a single list. Syslog messages, Windows Event Log messages and messages from textual log files can all be viewed in sequence using LogLady.
   The Edit Ping List dialog allows you to edit the list of network addresses to be monitored. [Screenshot: Edit List of Network Devices To Ping. Device List: 10.0.0.103, 10.0.0.210, 10.0.0.212, 10.0.0.250, 10.0.0.39, 10.0.0.52, 10.0.0.89; Timeout (ms) 10000; Poll Peri
…breviation; no characters if time zone is unknown
%%  Percent sign

9.4.1 Examples

%B will be replaced by the full month name, so the log file %B.txt will be called April.txt in April and May.txt in May. The log file %d%m.txt will be called 0101.txt on 1 Jan and 0407.txt on July 4.

10 Using LogLady: Examples

These examples show how LogLady can do useful things when events occur.

10.1 Play a sound when a message of interest arrives

In this example we assume that a Linux server is set up to be an FTP server using vsftpd, and that syslog messages are forwarded on to a PC running LogLady. The message received will look something like this:

vsftpd: Fri Sep 9 15:59:19 2005 [pid 3789] ftp OK DOWNLOAD: Client "123.123.123.123", "Tardis2000.pdf", 572883 bytes, 22.30Kbyte/sec

Select Rules > Edit Rules; create a rule called "ok download".

[Screenshot: Edit Rules dialog. Rules listed: forward windows, Ping, ok download, dump, wince. Fields: Match IP Address, Facility, Severity, Message Contains = "ok download", Match contents using Regexp, Hostname. Action: Play sound. Sound file: C:\WINDOWS\Media\tada.wav. Enabled. Buttons: Add/Modify Rule, Clear All, Delete Rule.]

Enter "ok download" as the string that the message must contain. Set the action to Play Sound and select a sound file. Press Add/Modify…
…dvanced logging. In the firewall control panel, select the Advanced tab and press the Security Logging button.

[Screenshot: Log Settings. Logging Options: Log dropped packets, … Log File Options: Name C:\Documents and Settings\tardis\Desktop\…, Size limit (KB): 100.]

Switch on one or both Logging options and select a location and size for the logfile. Remember the location.

In LogLady, select Monitors > Edit File/Folder List. Add the full name of the firewall logfile that you remembered and select the "This file is a Log that contains text entries" option. Press Add, then OK.

[Screenshot: Edit List of Files and Folders to Monitor. Filename: C:\Documents and Settings\tardis\Desktop\pfirewall.log, Log: Yes. Option "This file is a Log that contains text entries" selected.]

Make sure that Monitors > Files/Folders is selected to make LogLady watch the firewall log for changes. When changes occur, LogLady will determine which lines have been added and will include them as if it had been sent them using the syslog protocol.

10.8 Discard messages

Create a rule to discard messages that we aren't interested in. Enter the string to match, e.g. "wince", and select the action "Discard message".
…ed message in the message pane. If none is selected, the entries are relative to now. More complex filters can be created and saved for future use with the Edit Custom Filters dialog.

The status bar at the bottom of the window shows if a filter is active, whether the display is locked, and how many messages are shown.

6.1.2 Message Pane

On the right is the message pane. This shows the messages received by LogLady. If you right-click on a message, you can select whether to start a web browser or telnet session with the client that originated the message. You can also toggle whether a message is highlighted, or start the Find dialog. "Send to Rules" sends the selected messages to the Rules; this can be useful when developing new rules.

Double-clicking on an entry can start a browser, telnet, or the Find dialog. This is configurable in the Preferences dialog.

Messages can be sorted by clicking on the column headers.

The display may be locked using the lock symbol on the Toolbar to prevent new messages being displayed. Messages are still received and stored. They are displayed when the display is unlocked.

The full text of the currently selected message is shown at the bottom of the Message Pane, useful for long messages. IP addresses can be expanded to names in the full text to aid analysis. E.g. 207.46.198.30 would be replaced with www.micr…
[Screenshot: Windows Firewall, Exceptions tab. Programs and Services: …enger, Remote Assistance, Remote Desktop, TARDIS 2000 Application, UPnP Framework. "Display a notification when Windows Firewall blocks a program". "What are the risks of allowing exceptions?"]

Then add a setting to allow syslog:

[Screenshot: Add a Port. "Use these settings to open a port through Windows Firewall. To find the port number and protocol, consult the documentation for the program or service you want to use." Port number: 514. Protocol: TCP / UDP (UDP selected). "What are the risks of opening a port?" Change scope.]

Press OK and everything should work like it did before SP2 improved things.

Other firewalls may have similar issues. Follow your firewall's recommended process to allow UDP port 514 to be used by LogLady. If you are using SNMP traps, follow the same procedure with the name "SNMP Traps" and UDP port number 162.

14 Registering and Paying for LogLady

The following pages detail the volume-based charges for LogLady and incorporate a registration form.

There are three ways to pay for registration:

1. By cheque payable to HC Mingham-Smith Ltd. Please post to the following address: HC Mingham-Smith Ltd, 33 Arthur Rd, Wokingham, Berkshire, RG41 2SS, England.

2. By Bank Transfer. If you would prefer to pay by this method, please contact us on the following e-mail…
…er: Match uppercase. Match lowercase. Match case-sensitively from here on. Match case-ignore from here on.

11.2 Examples

Regular expression: won a aaaa m a a b a b aa b aa b aa aa a b aa b b b b ajb ajb alb c dje alb c dje alb c dje azltbplte ltd tes azl bylte ltd tes azl bylte ltd tes Axx alpha beta xx Axx alpha beta xx a z fErrorj Warning fErrorj Warning fError Warning a z 0 9 2 fErrorj Warning 0 9 Error Warning 0 9 A a z Ta z Ns Ta z Ns A Ta z Ns A a z s H C A La z t AN A a z AT x20 KFF a a a ala ala a afala

Matches: a aaaa a axx ab xb aq xab aa aa aaab aaab bb b b gn b ud As e a c e xxalphaxx xxbetaxx aaa Warning search.cpp 35: Conversion may lose significant digits in function AskReplace() Warning search.cpp 35: Conversion may lose significant digits in function AskReplace() Warning search.cpp 35: Conversion may lose significant digits in function AskReplace() Warning search…

Regexp code by Marko Macek.
…es. If the Action is Message Box, the Message can be set to $msg, resulting in the text of the syslog message being placed in the message box. An Action of Write to Database might have an associated SQL statement like INSERT INTO log VALUES ('$msg').

9.4 Special Filename Characters

File names may contain strftime escape sequences to allow the logging file to be named appropriately. This is the full list:

%a  Abbreviated weekday name
%A  Full weekday name
%b  Abbreviated month name
%B  Full month name
%c  Date and time representation appropriate for locale
%d  Day of month as decimal number (01-31)
%H  Hour in 24-hour format (00-23)
%I  Hour in 12-hour format (01-12)
%j  Day of year as decimal number (001-366)
%m  Month as decimal number (01-12)
%M  Minute as decimal number (00-59)
%p  Current locale's A.M./P.M. indicator for 12-hour clock
%S  Second as decimal number (00-59)
%U  Week of year as decimal number, with Sunday as first day of week (00-53)
%w  Weekday as decimal number (0-6; Sunday is 0)
%W  Week of year as decimal number, with Monday as first day of week (00-53)
%x  Date representation for current locale
%X  Time representation for current locale
%y  Year without century, as decimal number (00-99)
%Y  Year with century, as decimal number
%z, %Z  Time zone name or ab…
…g replaced when you believe it should be, or vice versa, the log file will tell you if the file was really skipped and why. The log file is created with a unique name based on the current date. It will not overwrite or append to existing files. Currently it is not possible to customize the filename. The information contained in the log file is technical in nature and therefore not intended to be understandable by end users. Nor is it designed to be machine-parseable; the format of the file is subject to change without notice.

/NOCANCEL: Prevents the user from cancelling during the installation process by disabling the Cancel button and ignoring clicks on the close button. Useful along with /SILENT or /VERYSILENT.

/NORESTART: Instructs Setup not to reboot even if it's necessary.

/RESTARTEXITCODE=exit code: Specifies the custom exit code that Setup is to return when a restart is needed. Useful along with /NORESTART. Also see Setup Exit Codes.

/LOADINF="filename": Instructs Setup to load the settings from the specified file after having checked the command line. This file can be prepared using the /SAVEINF command as explained below. Don't forget to use quotes if the filename contains spaces.

/SAVEINF="filename": Instructs Setup to save installation settings to the specified file. Don't forget to use quotes if the filename contains spaces.

/DIR="x:\dirname": Overrides the default directory name displayed on the Se…
…ion): 4000 plus VAT.

Please provide the following information when registering: Full Name; Name of company; Your Address; E-Mail Address; Windows Version; LogLady version; Where did you hear about LogLady?

Please send e-mail regarding LogLady to support@mingham-smith.com. Visit the LogLady Home Page: http://www.mingham-smith.com

LogLady Registration Form: For UK customers

UK VAT (Value Added Tax) at 20% applies to sales to UK customers. The following prices are exclusive of VAT; please add 20% to the final total.

Quantity: please indicate the number of computers on which LogLady is installed and calculate the correct price.
Computer(s) at 45 plus VAT each.
Corporate License (any number of copies for your whole company/organisation): 2400 plus VAT.

Please provide the following information when registering: Full Name; Name of company; Your Address; E-Mail Address; Windows Version; LogLady version; Where did you hear about LogLady?

Please send e-mail regarding LogLady to support@mingham-smith.com. Visit the LogLady Home Page: http://www.mingham-smith.com
…isk space is required. Either accept the default folder or choose a new folder; press Next.

[Screenshot: Setup - LogLady V1.7, Select Components. "Which components should be installed? Select the components you want to install; clear the components you do not want to install. Click Next when you are ready to continue." Components: Application and Service installation (recommended); Dalek syslog client zip file. "Current selection requires at least 1.7 MB of disk space."]

LogLady is supported on all versions of Windows from Windows 95 onwards. On Windows 95/98/ME, LogLady is a standalone application. The application must be running to collect and process messages.

On versions of Windows based on Windows NT technology (NT4, 2000, XP, 2003, etc.), LogLady is split into 2 parts: the application (User Interface, UI) and a background Service. When the User Interface is not running, the background service continues to collect and process messages.

You may still choose the standalone application version if you use a version of Windows based on Windows NT technology. We recommend that you use the service version. Older versions of Windows must use the standalone application.

The Dalek syslog client is another of our products that allows syslog messages to be sent to LogLady.

Press Next when you have made your selections. The defaults should match most…
…lained in more detail in Section 5.3.

4.2 Original syslog Packets Generated by a Device

There are no set requirements on the contents of the syslog packet as it is originally sent from a device. It should be reiterated here that the payload of any IP packet destined to UDP port 514 MUST be considered to be a valid syslog message. It is, however, RECOMMENDED that the syslog packet have all of the parts described in Section 4.1 (PRI, HEADER and MSG), as this enhances readability by the recipient and eliminates the need for a relay to modify the message.

For implementers that do choose to construct syslog messages with the RECOMMENDED format, the following guidance is offered.

If the originally formed message has a TIMESTAMP in the HEADER part, then it SHOULD be the local time of the device within its timezone.

If the originally formed message has a HOSTNAME field, then it will contain the hostname as it knows itself. If it does not have a hostname, then it will contain its own IP address.

If the originally formed message has a TAG value, then that will be the name of the program or process that generated the messag…

Author's Address

Chris Lonvick, Cisco Systems, 12515 Research Blvd, Austin, TX, USA. Phone: +1 512 378 1182. EMail: clonvick@cisco.com

Full Copyright Statement

Copyright (C) The Internet Society (2001). All Righ…
…lect Destination Location wizard page. A fully qualified pathname must be specified.

/GROUP="folder name": Overrides the default folder name displayed on the Select Start Menu Folder wizard page.

/NOICONS: Instructs Setup to initially check the "Don't create any icons" check box on the Select Start Menu Folder wizard page.

/COMPONENTS="comma separated list of component names": Overrides the default components settings. Using this command line parameter causes Setup to automatically select a custom type.

5 Overview

LogLady provides many features to process and analyze log messages. Monitors are provided to extract log information from non-syslog-based sources. Rules can be used to detect messages of interest. Actions allow LogLady to do useful things when interesting messages are detected. History keeps a list of recently received messages. Filters provide a way to selectively display only those messages that are of interest.

[Diagram of the LogLady architecture with the labels: Background Service; User Interface; Syslog Message; Monitors; Actions; History (Loaded on Start); Display; Filters.]

6 User I…
6.2.1.3 Save command (File menu)

Use this command to save the active log to its current name and directory. If you want to change the name and directory of an existing document before you save it, choose the Save As command.

6.2.1.4 Save As command (File menu)

Use this command to save and rename the active log. LogLady displays the Save As dialog box so you can name your log. To save a document with its existing name and directory, use the Save command.

6.2.1.5 Import command (File menu)

Use this command to import one or more logs in RFC 3164 format. LogLady displays a dialog box so you can select the files.

6.2.1.6 Export command (File menu)

Use this command to save the active log in RFC 3164 format. LogLady displays a dialog box so you can name your log.

6.2.1.7 Load History command (File menu)

Use this command to load the history, enabling LogLady to pick up where it left off. This can be done automatically by setting "Load history when program starts" in the Preferences dialog.

6.2.1.8 Clear History command (File menu)

Use this command to clear the history. It has no effect on the messages currently displayed. It clears the saved history that is loaded when the Load History command is used.

6.2.1.9 Import Settings (File menu)

Use this command to import saved settings; these include the lists of rules, custom filters and highlighting. LogLady displays a dialog box so you ca…
…n select the files.

6.2.1.10 Export Settings (File menu)

Use this command to save settings; these include the lists of rules, custom filters and highlighting. LogLady displays a dialog box so you can name your log.

6.2.1.11 1, 2, 3, 4 command (File menu)

Use the numbers and filenames listed at the bottom of the File menu to open the last four logs you closed. Choose the number that corresponds with the log you want to open.

6.2.1.12 Exit command (File menu)

Use this command to end your LogLady session. You can also use the Close command on the application Control menu. LogLady prompts you to save logs with unsaved changes.

6.2.2 Edit Menu

The Edit menu offers the following commands:
Copy: Creates a new log.
Select All: Opens an existing log.
Find: Find log entries.
Preferences: Saves an active log using the current file name.

6.2.2.1 Copy command (Edit menu)

Use this command to copy selected data onto the clipboard. Copying data to the clipboard replaces the contents previously stored there.

6.2.2.2 Select All command (Edit menu)

Use this command to select all the log entries.

6.2.2.3 Find (Edit menu)

Use the Find command to find log entries.

[Screenshot: Find dialog. Fields: Match IP Address, Facility, Severity, Message Contains, Match contents using Regexp, Hostname, Highlighted, Current Mes…
…n the list. To save the modifications, press Add/Modify Filter. To delete a filter, double-click it, then press Delete Filter. Delete all by pressing Clear All.

6.2.3.5 Edit Highlighting (View menu)

Use this command to show the Edit Highlighting dialog.

[Screenshot: Edit Highlighting dialog. Match String: "Tardis 2000". Use Regexp. Colors.]

The Edit Highlighting dialog allows you to control how message text is displayed. Each message is compared against the match strings. If the message contains a match string, the message is shown with the defined text and background colors. Match Strings are compared in the order they appear in the list. In the case where more than one match string matches, the colors highest in the list are used. Press the text and background buttons to set the colors.

The order of the match strings may be changed by clicking on the string and dragging it to the position required.

If the Use Regexp option is selected, the match string used to search the message contents is treated as a regular expression. If this is not set, the match string is used as a simple case-insensitive string that matches if it is contained in the message.

To edit an entry, double-click on the name in the list. To save the modifications, press Add/Modify Filter. To delete match strings, select them, then press Delete. Delete all by pressing Clear All.
…nd at no other time. For example:

CPU: XScale-IXP425/IXC1100 revision 1

This message identifying the CPU is only sent when the system boots. You should look for a similar message that matches your machine. It is highly unlikely that the above message will work for you.

Create a rule containing the IP address of the Linux system and include the full text of the message in Message Contains. Set the action to Send E-mail and set the To address to the recipient of the message. Make sure you have previously set the E-Mail settings in Rules > E-Mail settings.

10.5 Show me when my firewall traps access to a banned website

In this example we assume that a firewall/router is set to stop access to undesirable websites. The firewall/router is set to send the resulting syslog messages to the PC running LogLady. The message received may contain a string that LogLady can match, e.g. the words "access denied".

Select Rules > Edit Rules; create a rule called "banned".

[Screenshot: Edit Rules dialog. Rules listed: forward windows, dsl, Ping, banned, dump, wince, ok download. Fields: Match IP Address, Facility, Severity, Message Contains = "access denied", Match contents using Regexp, Hostname. Action: Message Box. Message: $msg. Enabled. Buttons: Add/Modify Rule, Clear All, Delete Rule.]

Enter "access…
…ng the Rules. This allows the colors used to highlight the message severity to be altered.

6.2.3 View Menu

The View menu offers the following commands:
Toolbar: Controls whether the Toolbar is shown.
Status bar: Controls whether the Status bar is shown.
Options: Set view options.
Edit custom filters: Edit the list of custom filters.
Edit Highlighting: Edit the list of strings that are used to highlight messages.

6.2.3.1 Toolbar command (View menu)

Use this command to display and hide the Toolbar, which includes buttons for some of the most common commands in LogLady, such as New. A check mark appears next to the menu item when the Toolbar is displayed.

6.2.3.2 Status Bar command (View menu)

Use this command to display and hide the Status Bar, which describes the action to be executed by the selected menu item or depressed toolbar button, status, and keyboard latch state. A check mark appears next to the menu item when the Status Bar is displayed.

6.2.3.3 Options command (View menu)

Use this to show an option dialog box that controls what information is shown.

[Screenshot: View Options. Show Columns: Time received, IP Address, Facility, Severity, Message, Hostname, Time Sent.]

6.2.3.4 Edit custom filters (View menu)

Use this command to show the Edit Custom Filters dialog.

[Screenshot: Edit Cust…
Each message Priority also has a decimal Severity level indicator. These are described in the following table along with their numerical values.

…nt condition
6  Informational: informational messages
7  Debug: debug-level messages

Table 2. syslog Message Severities

The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity. For example, a kernel message (Facility=0) with a Severity of Emergency (Severity=0) would have a Priority value of 0. Also, a "local use 4" message (Facility=20) with a Severity of Notice (Severity=5) would have a Priority value of 165. In the PRI part of a syslog message, these values would be placed between the angle brackets as <0> and <165> respectively. The only time a value of "0" will follow the "<" is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be used.

4.1.2 HEADER Part of a syslog Packet

The HEADER part contains a timestamp and an indication of the hostname or IP address of the device. The HEADER part of the syslog packet MUST contain visible (printing) characters. The code set used MUST also be seven-bit ASCII in an eight-bit field, like that used in the PRI part. In this code set, the only allowable characters are the ABNF VCHAR values (%d33-126) and spaces (SP value %d32).
…nterface

6.1 Main Window

The main window is split into 3 panes.

[Screenshot: "2005_Sep_07_13-54-08 - LogLady". Menus: File, Edit, View, Rules, Monitors, Help. Filter pane: Show All Messages; Hostname; IP Address; Facility; Severity; Time Received; Message Contents; Highlighted Messages; Multiple Fields; Custom filters. Message pane columns: Time Received, Facility, Severity, Message, Hostname, with rows such as:
Sep 07 14:55:19  NTP  INFORMATIONAL  Tardis 2000: Info: SNTP Client connecting to 10.0.0.52  kaskaxp
Sep 07 14:55:19  NTP  INFORMATIONAL  Tardis 2000: Info: Correction of 0.326 seconds used to adjust clock frequency  kaskaxp
Sep 07 14:57:46  daemon  NOTICE  mt-daapd[2124]: Session 3: Streaming file '07 The Fall - How I Wrote Elastic M…'  NSLU2
Sep 07 14:57:51  syslog  DEBUG  localhost …
Status bar: "For Help, press F1", "Service Listening on port 514", "UI active".]

6.1.1 Filter Pane

On the left is the filter pane. This controls which messages are shown. For example, if the severity "error" is selected, only messages with severity error are shown. This affects current messages and any new messages that arrive. IP addresses, hostnames and facilities are added to the tree as they are received. Double-click on the Message Contents entry to search for matching text. Double-click on the Multiple Fields entry to search for messages based on several fields at once. The Time Received entries are relative to the currently select…
…ocal time. The hour (hh) is represented in a 24-hour format. Valid entries are between 00 and 23, inclusive. The minute (mm) and second (ss) entries are between 00 and 59 inclusive. A single space character MUST follow the TIMESTAMP field.

The HOSTNAME field will contain only the hostname, the IPv4 address, or the IPv6 address of the originator of the message. The preferred value is the hostname. If the hostname is used, the HOSTNAME field MUST contain the hostname of the device as specified in STD 13 [4]. It should be noted that this MUST NOT contain any embedded spaces. The Domain Name MUST NOT be included in the HOSTNAME field. If the IPv4 address is used, it MUST be shown as the dotted decimal notation as used in STD 13 [5]. If an IPv6 address is used, any valid representation used in RFC 2373 [6] MAY be used. A single space character MUST also follow the HOSTNAME field.

4.1.3 MSG Part of a syslog Packet

The MSG part will fill the remainder of the syslog packet. This will usually contain some additional information of the process that generated the message, and then the text of the message. There is no ending delimiter to this part. The MSG part of the syslog packet MUST contain visible (printing) characters. The code set traditionally and most often used has also been seven-bit ASCII in an eight-bit field, like…
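The PRI and HEADER rules quoted above (priority = Facility*8 + Severity with no leading zeros, space-padded day of month, a HOSTNAME with no spaces and no domain part, printable seven-bit MSG) can be checked mechanically. The following Python is an added example, not part of the manual or of LogLady: it decodes a packet into its three parts and records each deviation from the RECOMMENDED format, which is what a receiver must otherwise tolerate silently because any UDP/514 payload counts as a syslog message. The sample packets in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity names in RFC 3164 Table 2 order (0 = Emergency ... 7 = Debug).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]   # "Mmm dd hh:mm:ss" exactly as received, or None
    hostname: Optional[str]
    msg: str
    problems: List[str]        # deviations from the RECOMMENDED format


def pri_value(facility: int, severity: int) -> str:
    """Forward direction: build the PRI part, e.g. (20, 5) -> '<165>'."""
    return "<%d>" % (facility * 8 + severity)


def parse_pri(packet: str) -> Tuple[int, int, str]:
    """Return (facility, severity, remainder) or raise ValueError.

    Leading zeros are only allowed for the single value '0'; the largest
    legal priority is 23*8 + 7 = 191.
    """
    m = re.match(r"<(\d{1,3})>", packet)
    if not m:
        raise ValueError("missing PRI")
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError("leading zero in PRI: <%s>" % digits)
    pri = int(digits)
    if pri > 191:
        raise ValueError("priority %d out of range" % pri)
    return pri // 8, pri % 8, packet[m.end():]


# TIMESTAMP: "Mmm dd hh:mm:ss " where dd < 10 is written as space + digit.
# [ 0-3] deliberately admits a leading '0' so that zero-padding can be reported.
TIMESTAMP_RE = re.compile(
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"([ 0-3]\d) ([01]\d|2[0-3]):([0-5]\d):([0-5]\d) ")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_rfc3164(packet: str) -> SyslogMessage:
    facility, severity, rest = parse_pri(packet)
    problems: List[str] = []
    ts = host = None
    m = TIMESTAMP_RE.match(rest)
    if m:
        day = m.group(2)
        if day[0] == "0":
            problems.append("day of month zero-padded instead of space-padded")
        elif not 1 <= int(day) <= 31:
            problems.append("day of month out of range")
        ts = rest[:m.end() - 1]          # drop the mandatory trailing space
        rest = rest[m.end():]
        # HOSTNAME runs up to the next space: a hostname, IPv4 or IPv6 address.
        host, sep, rest = rest.partition(" ")
        if not sep:
            problems.append("no space after HOSTNAME")
        elif not host:
            problems.append("empty HOSTNAME")
        elif "." in host and ":" not in host and not IPV4_RE.fullmatch(host):
            problems.append("HOSTNAME carries a domain name")
    else:
        # Without a valid TIMESTAMP the whole remainder is MSG and a relay
        # would have to synthesise the HEADER itself.
        problems.append("HEADER missing or malformed")
    if any(not 32 <= ord(c) <= 126 for c in rest):
        problems.append("MSG contains non-printable or non-ASCII characters")
    return SyslogMessage(facility, severity, ts, host, rest, problems)


if __name__ == "__main__":
    # Constructed sample packets, modelled on the manual's vsftpd example.
    for pkt in ("<165>Aug  7 13:54:08 Tardis2000 vsftpd: OK DOWNLOAD",
                "<13>Aug 07 13:54:08 10.0.0.52 test",
                "<13>hello world"):
        m = parse_rfc3164(pkt)
        print(SEVERITIES[m.severity], m.hostname, m.msg, m.problems)
```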
…od (Secs): 5. Name/Address. Buttons: Add, Clear All.]

Type the name or address and press Add. To delete from the list, select them, then press Delete. Delete all by pressing Clear All.

Poll Period determines how many seconds elapse between attempts to ping the list. Timeout controls how many milliseconds to wait for a response.

8 Rules

Rules enable LogLady to recognize and act on messages of interest. Each message is compared against each active rule, and if it matches the fields specified, the relevant action is executed.

For example, if a rule is defined to match messages with severity Error from IP address 10.0.0.20, the action might be to place a dialog box on screen. If the IP address is not specified, all messages with severity Error will result in a dialog box. If no severity or any other field is specified, ALL messages will result in a dialog box.

If the Match contents using Regexp option is selected, the string used to search the message contents is treated as a regular expression. If this is not set, the string is used as a simple case-insensitive string that matches if it is contained in the message.

A single message may result in many actions if many rules match. However, if the "first rule only" option is set in the Rules Menu, only the first matching rule is used. Rules are searched in the order shown in the list in the…
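To make the matching semantics of this section concrete (a blank field matches everything, case-insensitive substring versus regular expression, a "Warning or Higher" severity, and the "first rule only" option), here is an added Python model of rule evaluation. It is illustrative code, not LogLady's own implementation; the rules and messages in it are constructed from the manual's examples ("ok download", "wince", "write to db", the Error-from-10.0.0.20 dialog).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 3164 severity numbering: a lower number is more severe, so
# "Warning or Higher" means a numeric severity <= 4.
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}


@dataclass
class Rule:
    name: str
    action: str
    ip_address: Optional[str] = None        # blank field: matches any address
    facility: Optional[str] = None
    severity: Optional[str] = None
    severity_or_higher: bool = False        # "Warning or Higher" style match
    message_contains: Optional[str] = None
    use_regexp: bool = False                # "Match contents using Regexp"
    hostname: Optional[str] = None
    enabled: bool = True

    def matches(self, msg: Dict[str, str]) -> bool:
        if not self.enabled:
            return False
        if self.ip_address and msg["ip"] != self.ip_address:
            return False
        if self.facility and msg["facility"] != self.facility:
            return False
        if self.hostname and msg["hostname"] != self.hostname:
            return False
        if self.severity:
            want, got = SEVERITY[self.severity], SEVERITY[msg["severity"]]
            if self.severity_or_higher:
                if got > want:
                    return False
            elif got != want:
                return False
        if self.message_contains:
            if self.use_regexp:
                # Regular expression: case handling follows the expression itself.
                if not re.search(self.message_contains, msg["text"]):
                    return False
            elif self.message_contains.lower() not in msg["text"].lower():
                return False
        return True


def run_rules(rules: List[Rule], msg: Dict[str, str],
              first_rule_only: bool = False) -> List[str]:
    """Return the actions fired for one message, in list order, as 'rule:action'.

    Every matching rule fires unless first_rule_only is set, in which case
    evaluation stops at the first match (the Rules menu option).
    """
    fired = []
    for rule in rules:
        if rule.matches(msg):
            fired.append("%s:%s" % (rule.name, rule.action))
            if first_rule_only:
                break
    return fired


# Rules constructed from the manual's examples (hypothetical values).
RULES = [
    Rule("ok download", "Play sound", message_contains="ok download"),
    Rule("wince", "Discard message", message_contains="wince"),
    Rule("write to db", "Save to Database",
         severity="Warning", severity_or_higher=True),
    Rule("error dialog", "Message Box", ip_address="10.0.0.20", severity="Error"),
    Rule("transfers", "Send E-mail",
         message_contains=r"OK (DOWNLOAD|UPLOAD)", use_regexp=True),
]

# Constructed sample messages, already split into the fields a rule can test.
VSFTPD = {"ip": "10.0.0.52", "hostname": "Tardis2000", "facility": "daemon",
          "severity": "Informational",
          "text": 'vsftpd: ftp OK DOWNLOAD: Client "123.123.123.123", '
                  '"Tardis2000.pdf", 572883 bytes, 22.30Kbyte/sec'}
WINCE = {"ip": "10.0.0.20", "hostname": "wince-dev", "facility": "user",
         "severity": "Error", "text": "wince: device driver failed to load"}

if __name__ == "__main__":
    print(run_rules(RULES, VSFTPD))
    print(run_rules(RULES, WINCE))
    print(run_rules(RULES, WINCE, first_rule_only=True))
```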
…om Filters dialog. Fields: Name, Match IP Address, Facility, Severity, Message Contains, Match contents using Regexp, Hostname, Highlighted, Time received within 0 secs. Button: Clear All.]

The Edit Custom Filter dialog allows you to add filters that control what is displayed. Each custom filter must be given a name. For each field that is specified (as opposed to being left blank), the message must match before the message is shown. For example, if the IP address is specified, a message must come from that IP address if it is to be shown.

If the Match contents using Regexp option is selected, the string used to search the message contents is treated as a regular expression. If this is not set, the string is used as a simple case-insensitive string that matches if it is contained in the message.

If a filter is added that leaves ALL the match fields blank, the rule will match ALL incoming messages.

Filters are shown in the order they appear in the list. The order can be changed by clicking on the name and dragging it to the position required.

The "time received within" entry is relative to the currently selected message in the message pane. If none is selected, the entries are relative to now. A value of 0 means don't look at the received time.

To edit a filter, double-click on the name i…
…or Syslog messages. The Default button sets this to the usual value of 514.

Time Mark (Minutes): Make LogLady insert a Message every x minutes. A value of 0 means no time marks are generated. Inserting time marks is useful in log files to determine that LogLady was active during times when no other messages are received.

History size: Any message that would normally be displayed in LogLady is saved in the history. This sets the maximum size of the history in Kilobytes. If this is set to 0, no history will be saved.

Load History when program starts: Loads messages saved in the LogLady history when the user interface starts.

Message Box Timeout: When a message box is displayed, it remains on the screen until the user acknowledges it or the timeout has elapsed.

Start Hidden: LogLady should start on the system tray. Click on the tray icon to see the Main Window.

Server runs when program starts: Sets whether the LogLady user interface (UI) starts listening for messages when it starts. If it is not set, LogLady must be told to listen for messages manually by pressing the Start button on the Toolbar.

Prompt to save modified log: This controls whether LogLady prompts the user to save a modified log file when it exits.

Log Mail Debug; Set/Reset colors: When a rule is invoked to send an E-Mail message, it will log details of the E-Mail session if this option is set. The session is logged to the current log, bypassi…
…osoft.com. This option is off by default but may be switched on in the Preferences dialog.

6.1.3 Graph Pane

The graph pane shows a map of all the messages currently displayed and their relative time of arrival. A large peak indicates that a lot of messages arrived within a short time. A red line is shown to indicate the message currently selected in the message pane. You can click on the graph to go directly to the messages for a given peak.

6.1.4 System Tray Icon

LogLady places an icon on the system tray that allows the main window to be hidden/shown. Click on it to toggle between hidden and shown.

6.2 Menus

6.2.1 File Menu

The File menu offers the following commands:
New: Creates a new log.
Open: Opens an existing log.
Save: Saves an active log using the current file name.
Save As: Saves an opened log to a specified file name.
Import: Import records in raw RFC 3164 format.
Export: Export records to raw RFC 3164 format.
Load History: Load the saved history.
Clear History: Clear the history.
Import Settings: Load rules, filters and highlighting.
Export Settings: Save rules, filters and highlighting.
Exit: Exits LogLady.

6.2.1.1 New command (File menu)

Use this command to create a new log. The active log may be saved if it has been changed.

6.2.1.2 Open command (File menu)

Use this command to open a saved log. The active log may be saved if it has been changed.
…ource loglady.

Execute the associated SQL statement. The database used is defined in the Database Settings option in the Rules menu. This action is allowed to use special strings to customise the SQL statement.

Change the Facility field of the incoming message. This can be useful when monitoring Windows Event Log messages. For example, a Windows message from the security log could be modified to have a "security" facility. Note: If you use this action, it will not be possible to determine the original facility of the message, which might affect the audit trail.

Change the Severity field of the incoming message. This can be useful if a message very important to you is given a low severity, or if an incoming message is marked as an emergency when it isn't really that bad. Note: If you use this action, it will not be possible to determine the original facility of the message, which might affect the audit trail.

Send an SNMP Trap to an SNMP server. The text of the message is contained in the trap. Traps sent are SNMP V1. Default settings for the trap may be changed for each rule by pressing the Advanced button.

Remember a message may trigger one or more rules, resulting in a number of actions for one message.

9.2 Advanced settings

9.2.1 SNMP Trap

The SNMP trap action has default parameters, but you may want to change these on a per-rule basis.
4.2 Install command line options

LogLady uses the wonderful Inno Setup (http://www.jrsoftware.org/isinfo.php). As a result the setup program has the following install options provided by Inno Setup. The Setup program accepts optional command line parameters. These can be useful to system administrators and to other programs calling the Setup program.

/SP-
Disables the "This will install... Do you wish to continue?" prompt at the beginning of Setup.

/SILENT, /VERYSILENT
Instructs Setup to be silent or very silent. When Setup is silent the wizard and the background window are not displayed but the installation progress window is. When a setup is very silent this installation progress window is not displayed. Everything else is normal, so for example error messages during installation are displayed and the startup prompt is (if you haven't disabled it with the /SP- command line option explained above). If a restart is necessary and the /NORESTART command isn't used (see below) and Setup is silent, it will display a "Reboot now?" message box. If it's very silent it will reboot without asking.

/LOG
Causes Setup to create a log file in the user's TEMP directory detailing file installation actions taken during the installation process. This can be a helpful debugging aid. For example, if you suspect a file isn't bein…

/NOCANCEL
…r Rd, Wokingham, Berkshire RG41 2SS, England. A cheque made payable to HC Mingham-Smith Ltd would be acceptable, or see our website for credit card payments. Pricing details are at the back of this manual.

3 Introduction

3.1 What is LogLady?

As the number of networked devices increases, monitoring them becomes a problem. LogLady is designed to solve the problem of collecting and analysing log messages from many sources. LogLady provides a way to filter, analyse and act on log messages. You may want to be e-mailed when a router identifies an issue. Some messages could trigger the execution of a program to deal with the situation. LogLady can do all this and more using rules and actions. Rules allow important messages to be recognised. Actions provide a way to react to messages selected by the rules.

LogLady is a syslog server with extra features to integrate information from non-syslog sources. LogLady provides monitors to generate standard syslog messages from system events where none are generated by default, or where they are generated in an inconvenient form. In recent versions of Windows there is a Windows Event Log that can be used to collect Windows-based messages. LogLady provides a better way to view these messages than the default Event Log Viewer, plus it supports logging from other non-Windows devices using the syslog protocol.
LogLady allows you to collect all the syslog traffic on your network in a single place and merge it into the Windows Event Log.

3.2 What is syslog?

The syslog protocol has been used for many years to transmit logging messages across TCP/IP networks. It was originally part of the University of California Berkeley Software Distribution but now forms part of every distribution of UNIX and Linux. It has proved its worth in the operations and management of network-based devices. Typically there is a central syslog server that receives the messages and many client devices that send them. Many network-based devices generate syslog output; these include printers, routers etc. Note that RFC 3164 syslog is carried as plain text over UDP with no authentication or integrity protection: the server cannot verify that a message really came from the host it names, so the hostname and contents are only as trustworthy as the network path between the device and the server. For more information on syslog refer to RFC 3164, available on the internet, or the selected extract on page 41.

4 Installation

4.1 Description

Run the LogLadyVxx.exe setup program.

Screenshot: Setup - LogLady V1.7, "Welcome to the LogLady V1.7 Setup Wizard. This will install LogLady V1.7 on your computer. It is recommended that you close all other applications before continuing. Click Next to continue, or Cancel to exit Setup."

Press Next.

Screenshot: Setup - LogLady V1.7, License Agreement. "Please read the following important information before continuing. You must accept the terms of this agreement before continuing with the installation." The licence text shown begins "Copyright (C) Notice 1994-2005 H C…"
Screenshot: message details. Received: Sep 07 16:20:49 GMT Daylight Time; IP Address: 10.0.0.250; Hostname: NSLU2; Facility: (illegible); Severity: INFORMATIONAL.

The Find dialog allows you to search through the log entries. The Match section of the dialog provides a way of searching the messages. For each field that is specified (as opposed to being left blank) the message must match. For example, if the IP address is specified a message must come from that IP address before it is matched. Searching starts from the currently selected message.

If the "Match contents using Regexp" option is selected, the string used to search the message contents is treated as a regular expression. If this is not set, the string is used as a simple case-insensitive string that matches if it is contained in the message.

6.2.2.4 Preferences command (Edit menu)

Use this command to edit LogLady's preferences.

Screenshot: Preferences dialog.
Viewing Messages: Maximum number of entries shown (100000); Double Click Action (Find); Determine hostname from IP Address when not supplied; Replace IP Addresses with hostname in full text window; Show times as UTC.
Syslog Server: Syslog server port (514); Time Mark Minutes.
History: History size KB (2048); Load history when program starts.
Miscellaneous: Time Message Box Timeout Seconds (30); Start Hidden; Server runs when program starts;
…the same action multiple times. This applies to each sending IP address separately. The value is the number of seconds that must elapse since the last matching message before the rule will match again. A value of 0 disables any threshold for the rule.

Rules are searched in the order they appear in the list. The order may be changed by clicking on the name and dragging it to the position required. The order is particularly important when the "first rule only" option is set in the Rules menu: only the highest priority matching rule will be used in this case. Each rule may be disabled individually, or all rules may be disabled if the option is set in the Rules menu.

To start a new rule press New Rule. To edit a rule double-click on the name in the list. To save the modifications press Add/Modify Rule. To delete a rule double-click it then press Delete Rule. Delete all rules by pressing Clear All.

9 Actions

9.1 Description

When a rule matches a message an associated action is triggered. The following actions are available: Message Box, Run Program, Save to file, Send to another Syslog server, Discard message, Highlight message, Play sound, Send E-Mail, Copy to Windows Event Log, Save to Database, Modify Facility, Modify Severity, Send SNMP Trap.

Message Box: Show a message box on the screen. Only one is active at a time.
Table 1 (continued from the previous page): syslog Message Facilities

Numerical Code  Facility
4   security/authorization messages (note 1)
5   messages generated internally by syslogd
6   line printer subsystem
7   network news subsystem
8   UUCP subsystem
9   clock daemon (note 2)
10  security/authorization messages (note 1)
11  FTP daemon
12  NTP subsystem
13  log audit (note 1)
14  log alert (note 1)
15  clock daemon (note 2)
16  local use 0 (local0)
17  local use 1 (local1)
18  local use 2 (local2)
19  local use 3 (local3)
20  local use 4 (local4)
21  local use 5 (local5)
22  local use 6 (local6)
23  local use 7 (local7)

Note 1: Various operating systems have been found to utilize Facilities 4, 10, 13 and 14 for security/authorization, audit, and alert messages which seem to be similar.
Note 2: Various operating systems have been found to utilize both Facilities 9 and 15 for clock (cron/at) messages.

Table 2: syslog Message Severities

Numerical Code  Severity
0   Emergency: system is unusable
1   Alert: action must be taken immediately
2   Critical: critical conditions
3   Error: error conditions
4   Warning: warning conditions
5   Notice: normal but significa…
…that it should use all the matching rules. This option is checked when it is active.

6.2.4.5 E-mail settings (Rules menu)

Use this command to show the E-Mail Settings dialog.

Screenshot: Email Settings dialog with the fields SMTP Server, From Address, Mail Domain, Subject Text and Include Syslog Message, and OK/Cancel buttons.

The E-Mail Settings dialog box allows you to set the server that LogLady will use to send e-mail.

SMTP Server: This is the address of the e-mail server you want to use.
From Address: This is the e-mail address that LogLady messages will appear to come from. This should be a valid user, as many servers will reject messages that don't have a valid from address.
Mail Domain: This is the part of the e-mail address after the "@" that LogLady messages will appear to come from. This should be a valid address, as many servers will reject messages that don't have a valid from address.
Subject Text: The subject of the e-mail messages.
Include Syslog Message: When this is checked, the syslog message that caused the e-mail to be sent will be included in the e-mail in human-readable form.

6.2.4.6 Database settings (Rules menu)

Use this command to set the ODBC DSN to be used for the Write to Database action.

6.2.5 Monitors Menu

The Monitors menu offers the following commands:

Event Log: Enable/Disable…
Prompt to save modified log; Log Mail Debug; Colors.

The Preferences dialog allows you to change various settings that affect the way LogLady behaves.

Maximum number of entries: This sets the maximum number of messages that LogLady will store before it starts discarding old messages. If you want every message to be saved you can set a rule to store all messages in a file.
Double click actions: This controls what happens when a message is double-clicked. Either a browser or telnet session is started with the originating device, or the Find dialog is shown.
Determine hostname from IP Address when not supplied: If a syslog message doesn't contain the hostname of the sending device (and most don't), LogLady can look it up. This may impact performance a little, but LogLady does cache lookups to save time. The name comes from a reverse lookup of the sending address, so it reflects what the name service says about that address and is not confirmed with the device itself.
Replace IP Addresses with hostname in full text window: IP addresses can be expanded to names in the full text to aid analysis. E.g. 207.46.198.30 would be replaced with www.microsoft.com. This option is off by default. It may cause a delay before the message is displayed as the name is looked up.
Show times as UTC: This controls how times are displayed. The default is to show local times. Switch this option on to show them as UTC.
Syslog server port: This sets the UDP port that LogLady uses to listen f…
…Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
…user's requirements.

Screenshot: Setup - LogLady V1.7, Select Start Menu Folder. "Where should Setup place the program's shortcuts? Setup will create the program's shortcuts in the following Start Menu folder. To continue, click Next. If you would like to select a different folder, click Browse."

Select the name of the Start Menu folder and press Next.

Screenshot: Setup - LogLady V1.7, Ready to Install. "Setup is now ready to begin installing LogLady V1.7 on your computer. Click Install to continue with the installation, or click Back if you want to review or change any settings." Destination location: D:\Program Files\LogLady. Setup type: Application and Service installation (recommended). Selected components: Service, Program Files, Dalek syslog client zip file. Start Menu folder: LogLady.

Screenshot: Completing the LogLady V1.7 Setup Wizard. "Setup has finished installing LogLady V1.7 on your computer. The application may be launched by selecting the installed icons. Click Finish to exit Setup."

Press Finish.

Initial Setup: "Would you like to set LogLady to run as a service so it is active whenever the PC is on? The User Interface can be activated at any time for a real-time view of messages." This is shown the first time LogLady runs; we recommend that you select Yes. LogLady should now start.
If a new message arrives and a message box is already being displayed, it is replaced. The message box is automatically removed after a number of seconds; the length of time it is displayed is configured in the Preferences. This action is allowed to use special strings to customise the text of the message box.

Run Program: Run a program. The full path and any parameters may be specified. This action is allowed to use special strings to customise the parameters passed to the program. Whatever a special string expands to comes from the received message, so treat the resulting parameters as untrusted input chosen by whoever sent the message.

Save to file: Save this message to a file. The file can be loaded by LogLady later. The name may contain special filename characters used to influence the name of the file.

Send to another Syslog server: Forward this message to another syslog server. LogLady can be used to select messages to forward to a main server.

Discard message: Delete this message as if it had never been received. Useful if a device generates a lot of uninteresting messages. If a message is discarded, no further rules are processed for it. E.g. a message may match several rules: if a matching rule is higher priority than the discard rule it will be processed; if a rule is lower priority it will not be processed.

Highlight message: Mark this message to be displayed in reversed colours in the main window.

Play sound: Play a WAV sound.

Send E-Mail: Send an e-mail message. The details of the e-mail connection are configured in the E-Mail Settings dialog. The settings may be changed for each rule by pressing the Advanced button.

Copy to Windows Event Log: Syslog messages are copied into the Windows Event Log Application section, with the event
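The rule and action pipeline described in the Rules and Actions sections (rules searched in list order, the per-IP threshold in seconds, the "first rule only" option, substring versus regexp matching of the message contents, and a discard stopping all further rules), as an added Python example. This is not LogLady's code and LogLady's internal data structures are not published: the Message and Rule classes, the rule names, the action name strings and the five datagrams are constructed for the example. PRI decoding uses the facility and severity numbering from the RFC 3164 extract (the short facility names are the conventional syslog ones), and a datagram without a valid PRI is given priority 13 (user.notice) as RFC 3164 section 4.3.3 prescribes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Facility and severity names in RFC 3164 table order (numerical code = index).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# HEADER is "Mmm dd hh:mm:ss HOSTNAME"; dd is space padded, hence "[ \d]\d".
HEADER_RE = re.compile(r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity, so divmod recovers both names."""
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


@dataclass
class Message:
    ip: str                  # sender address seen on the socket, not from the text
    facility: int
    severity: int
    hostname: Optional[str]  # None when the datagram carries no valid HEADER
    text: str


def parse_rfc3164(ip: str, raw: str) -> Message:
    m = re.match(r"<(\d{1,3})>", raw)
    if not m or int(m.group(1)) > 191:
        # No usable PRI: RFC 3164 section 4.3.3 assigns priority 13 (user.notice).
        return Message(ip, 1, 5, None, raw)
    facility, severity = divmod(int(m.group(1)), 8)
    hdr = HEADER_RE.match(raw[m.end():])
    if hdr:
        return Message(ip, facility, severity, hdr.group(2), hdr.group(3))
    return Message(ip, facility, severity, None, raw[m.end():])  # all MSG


@dataclass
class Rule:
    name: str
    action: str                     # an action name from section 9 (assumed spelling)
    ip: Optional[str] = None
    facility: Optional[int] = None
    severity: Optional[int] = None  # this severity or higher, i.e. a lower code
    hostname: Optional[str] = None
    contains: Optional[str] = None
    regexp: bool = False            # "Match contents using Regexp"
    threshold: int = 0              # seconds between matches per sending IP; 0 = off
    enabled: bool = True
    last_match: Dict[str, float] = field(default_factory=dict)

    def matches(self, msg: Message, now: float) -> bool:
        if not self.enabled:
            return False
        for want, got in ((self.ip, msg.ip), (self.facility, msg.facility),
                          (self.hostname, msg.hostname)):
            if want is not None and got != want:   # blank field = no constraint
                return False
        if self.severity is not None and msg.severity > self.severity:
            return False
        if self.contains is not None:
            if self.regexp:
                if not re.search(self.contains, msg.text):
                    return False
            elif self.contains.lower() not in msg.text.lower():  # case-insensitive
                return False
        last = self.last_match.get(msg.ip)
        if self.threshold and last is not None and now - last < self.threshold:
            return False                           # throttled for this sender
        self.last_match[msg.ip] = now
        return True


def process(msg: Message, rules: List[Rule], first_rule_only: bool = False,
            now: float = 0.0) -> List[Tuple[str, str]]:
    """Return the (rule name, action) pairs fired for msg, in rule order."""
    fired = []
    for rule in rules:
        if rule.matches(msg, now):
            fired.append((rule.name, rule.action))
            if rule.action == "Discard message" or first_rule_only:
                break                              # discard ends processing
    return fired


def demo_rules() -> List[Rule]:
    # Constructed rule list, highest priority first.
    return [
        Rule("dump wince", "Discard message", contains="wince"),
        Rule("auth problems", "Send E-Mail", facility=4, severity=4),
        Rule("icmp", "Run Program", contains=r"\bICMP\b", regexp=True, threshold=60),
        Rule("everything", "Save to file"),
    ]


# Constructed datagrams as (sender IP, raw text); the last one has no PRI.
SAMPLES = [
    ("10.0.0.250", "<34>Sep  7 16:20:49 NSLU2 sshd[123]: Failed password for root"),
    ("10.0.0.250", "<134>Sep  7 16:20:50 NSLU2 wince: heartbeat"),
    ("10.0.0.7", "<14>Sep  7 16:21:00 router ICMP echo from 10.0.0.3"),
    ("10.0.0.7", "<14>Sep  7 16:21:05 router ICMP echo from 10.0.0.3"),
    ("10.0.0.9", "no PRI at all"),
]


def run_demo(first_rule_only: bool = False) -> List[List[Tuple[str, str]]]:
    rules = demo_rules()  # fresh rules so threshold state starts empty
    return [process(parse_rfc3164(ip, raw), rules, first_rule_only, now=1000.0 + i)
            for i, (ip, raw) in enumerate(SAMPLES)]


if __name__ == "__main__":
    for (ip, raw), fired in zip(SAMPLES, run_demo()):
        print(f"{ip:11} {raw[:44]:44} -> {fired}")
```

Running it shows the ordering rules at work: the message containing "wince" fires only the discard rule because processing stops there; the second ICMP message, five seconds after the first, is suppressed by the 60-second threshold for that sender but still reaches the lower priority catch-all rule; and with first_rule_only the catch-all fires only when nothing above it matched.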
