I want to collect logs from various machines (Windows and Linux) on a central log server. The log server is already configured and is listening on port 514 tcp and udp for syslog logging.
I have Linux machines that send their logs there fine.
I also want to forward Windows event logs there. For that I am using the SolarWinds Event Log Forwarder: https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
Now I also want to log print events, so I followed the tutorial here: https://www.howtogeek.com/445760/how-to-check-your-printed-document-history-in-windows-10/
Basically:
- open Event Viewer,
- open Applications and Services Logs > Microsoft > Windows > PrintService > Operational > Properties > then check "Enable logging"
But then I checked my syslog server and I could not find the print logs (although I do have some other logs captured from Windows)
$ ls
local0.info.MSWinEventLog#0116#011Application#01110#011Wed.log local0.info.MSWinEventLog#0116#011Application#01113#011Wed.log local0.info.MSWinEventLog#0116#011Application#0115#011Wed.log local0.info.MSWinEventLog#0116#011Application#0119#011Wed.log
local0.info.MSWinEventLog#0116#011Application#0111#011Wed.log local0.info.MSWinEventLog#0116#011Application#0112#011Wed.log local0.info.MSWinEventLog#0116#011Application#0116#011Wed.log
local0.info.MSWinEventLog#0116#011Application#01111#011Wed.log local0.info.MSWinEventLog#0116#011Application#0113#011Wed.log local0.info.MSWinEventLog#0116#011Application#0117#011Wed.log
local0.info.MSWinEventLog#0116#011Application#01112#011Wed.log local0.info.MSWinEventLog#0116#011Application#0114#011Wed.log local0.info.MSWinEventLog#0116#011Application#0118#011Wed.log
I know these are not the print logs, because in my configuration local0 is used for the "Application" log, local1 for all events, and local2 for the print logs
But when I look in Event Viewer, I can see the events are being captured:
What am I doing wrong? Why are the PrintService logs not captured at all?
Answer 1
After looking into other alternatives, I managed to find nxlog.co (I am not affiliated with it). Here is how I managed to forward the print events:
- download the Windows installer (msi): https://nxlog.co/products/nxlog-community-edition/download
- I chose the open-source Community Edition (they seem to have a paid Enterprise Edition)
- add/append the following lines to C:\Program Files\nxlog\conf\nxlog.conf
<Input eventlog>
Module im_msvistalog
</Input>
<Output tcp>
Module om_tcp
Host 192.168.100.200
Port 514
Exec to_syslog_bsd();
</Output>
<Route 1>
Path eventlog => tcp
</Route>
- verify the configuration by running this command from an elevated command prompt
"C:\Program Files\nxlog\nxlog.exe" -v
- open services.msc, select the nxlog service, then stop and restart it
Here is an example of a captured event:
$ cat user.info.User32.log
2022-05-18T15:00:10+07:00 MYPC User32[780]: The process Explorer.EXE has initiated the power off of computer MYPC on behalf of user MYPC\USER for the following reason: Other (Unplanned) Reason Code: 0x0 Shutdown Type: power off Comment: #015
2022-05-18T15:00:12+07:00 MYPC User32[680]: The process C:\WINDOWS\system32\winlogon.exe (MYPC) has initiated the power off of computer MYPC on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x500ff Shutdown Type: power off Comment: #015
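As an added example (not part of the answer above or of nxlog), a small Python check for the collector side: it parses lines in the shape to_syslog_bsd() produced above, decodes the collector's #0NN octal escapes (the #011 tabs seen in the file names in the question and the #015 carriage return ending each captured line), and tallies events per Windows source so you can confirm that PrintService events actually arrived. The program name used for the PrintService channel and the third sample line are assumptions.

```python
import re
from collections import Counter

# Shape of a line as nxlog's to_syslog_bsd() delivers it to the collector:
# "<ISO timestamp> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)

# Sample input: the first two lines are the ones shown in the answer above; the third
# is a constructed PrintService line (its program name is an assumption).
SAMPLE_LINES = [
    "2022-05-18T15:00:10+07:00 MYPC User32[780]: The process Explorer.EXE has initiated "
    "the power off of computer MYPC on behalf of user MYPC\\USER for the following reason: "
    "Other (Unplanned) Reason Code: 0x0 Shutdown Type: power off Comment: #015",
    "2022-05-18T15:00:12+07:00 MYPC User32[680]: The process C:\\WINDOWS\\system32\\winlogon.exe "
    "(MYPC) has initiated the power off of computer MYPC on behalf of user NT AUTHORITY\\SYSTEM "
    "for the following reason: No title for this reason could be found Reason Code: 0x500ff "
    "Shutdown Type: power off Comment: #015",
    "2022-05-18T15:02:30+07:00 MYPC Microsoft-Windows-PrintService[1234]: Document 5, "
    "report.pdf owned by USER was printed on Printer1 via port USB001. Pages printed: 3.",
]

def unescape_octal(text: str) -> str:
    """Turn '#0NN' sequences (the collector's escaping of control bytes such as
    '#011' for TAB and '#015' for CR) back into the characters they stand for."""
    return re.sub(r"#0([0-7]{2})", lambda m: chr(int(m.group(1), 8)), text)

def parse_line(line: str):
    """Split one forwarded line into its fields; return None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = unescape_octal(rec["msg"]).rstrip("\r")
    return rec

def tally_sources(lines):
    """Count forwarded lines per Windows source (the program field)."""
    return Counter(r["prog"] for r in map(parse_line, lines) if r)

def print_events(lines):
    """Return the parsed records that came from the PrintService channel."""
    return [r for r in map(parse_line, lines) if r and "printservice" in r["prog"].lower()]
```

Run it against the files the collector writes (one line per call to parse_line) and an empty result from print_events means the channel is still not being forwarded.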