Despite Syslog's popularity, Windows does not natively support sending event log data to a Syslog server. This is what SolarWinds Event Log Forwarder for Windows does. This free tool lets users collect Windows events on a Syslog server for storage and analysis alongside other log sources. It uses subscription-based filters that forward Windows events as Syslog messages to one or more Syslog servers.

Travis Roberts

Travis Roberts is the Manager of Data Center Services at a Minnesota-based credit union. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries, and has worked with IT hardware manufacturers and managed service providers. Travis has held numerous technical certifications over the span of his career from Microsoft, VMware, Citrix, and Cisco.
Syslog is a centralized logging service that began with Unix servers in the early days of computing. It has become the preferred logging method for many networking, security, and Linux environments. If you have more than a handful of routers, switches, firewalls, or Linux servers, there is likely a Syslog server somewhere in the environment.

A Syslog server acts as a central repository for logging messages. While a service like an SNMP server polls a client for information, a Syslog server is a listener. Clients send data to the server over UDP on port 514, with TCP options also available.

Installation

The environment I tested in consisted of Windows 2016 and 2019 servers. SolarWinds Kiwi Syslog Server was used to collect Syslog data. Installing SolarWinds Event Log Forwarder for Windows was as easy as it gets. The download contains both an executable and MSI installer. It was nice to see options to fit most automatic deployment scenarios. The installation was straightforward and only required input for installation location and icon placement.

Configuration

The Event Log Forwarder Dashboard has three tabs for simple configuration: Subscriptions, Syslog Servers, and Test.

Subscriptions – The subscriptions tab gives the user granular control over the data sent to the Syslog server. Each subscription specifies which logs and event details to forward, including keyword filters and exclusion criteria. This level of control limits unnecessary noise from entering the logging server.

Syslog Servers – This tab defines the Syslog server that receives the forwarded events. Multiple servers can be configured, each defined by hostname or IP address and port number. The protocol can be changed from UDP to TCP if the Syslog server supports it.

Test – This tab writes sample events to the event log to test functionality. This is beneficial for verifying the configuration.

Below are examples of setting up the SolarWinds Event Log Forwarder for system errors and stopped service events.

System Errors

In this example, let’s configure SolarWinds Event Log Forwarder for Windows to send all error events from the system event log to the Syslog server. Start by opening Event Log Forwarder and clicking Add under Subscriptions.

Add Subscription

Select System in the Select Event Logs pane. Uncheck the event types Warning and Information. This filters out warning and informational messages. Notice the other filtering options available for fine-tuning the events forwarded to the Syslog server. There is also an option to show events matching the filter at the bottom of the screen. Click Next to configure the Syslog facility.

Forward system log errors

The Syslog facility is configured under Define Priority. Syslog facilities identify which subsystem created the message and are used to filter messages on the Syslog server. Syslog has its origins in Unix systems, and the list of facilities maps to the names of Unix processes. In this example, the Syslog facility is left as Kernel (messages). Click Finish to return to the dashboard.
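To make the facility setting concrete, here is an added example (not SolarWinds code) that shows how the facility chosen under Define Priority and a severity are packed into the PRI field of a syslog message, and how a server decodes that field to filter by facility. The mapping from Windows event levels to syslog severities is an illustrative assumption, not the forwarder's documented behaviour.

```python
import re
from datetime import datetime

# Standard syslog facility and severity codes (RFC 3164 / RFC 5424).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Assumed, illustrative mapping from Windows event levels to syslog severities;
# the forwarder's own mapping is not documented on this page.
LEVEL_TO_SEVERITY = {"Error": "err", "Warning": "warning", "Information": "info"}


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; Kernel + Error therefore gives <3>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility name, severity name)."""
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8, f"facility{pri // 8}")
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def build_message(facility, level, host, app, text, when=None):
    """Format an RFC 3164 style line like the one a forwarder sends over UDP 514."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space padded
    pri = encode_pri(facility, LEVEL_TO_SEVERITY[level])
    return f"<{pri}>{stamp} {host} {app}: {text}"


def parse_message(line):
    """Decode the PRI header so a server can filter on facility and severity."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid syslog PRI header")
    fac, sev = decode_pri(int(m.group(1)))
    return {"facility": fac, "severity": sev, "body": m.group(2)}
```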

Security log subscription priority

Give the subscription a new name by selecting it from the list of subscriptions and clicking Rename.

System log errors

Once the subscription is named, move to the Syslog Servers tab. Add one or more Syslog servers from this location. Syslog servers can be edited, disabled, or removed from this tab. The Syslog Server IP or hostname is required in this section, along with the port and protocol if the Syslog server is not using the default UDP port 514. Click Add to add the Syslog server.

Add Syslog Server

Enter the name of the server and modify the IP address, port, and protocol if needed. Notice that there are multiple options under Server Address. After the information is entered, click Create to finish setting up the server.

Server address options

SolarWinds Event Log Forwarder for Windows includes a test feature that generates a test event in the Event Log. In the Test tab, select System for the event log and Error for the type.

Configure test

Click Create a test event to finish. If configured correctly, the Event Log Forwarder will send the event to the Syslog Server. Below is the message logged to SolarWinds Kiwi Syslog Server for this example.

Event message test

Service Stop

The next example configures a subscription to forward Security Event 4689 to the Syslog server. This is the process termination event that is logged when a service's process exits.

Service starts and stops are not logged to the event log by default and need to be enabled in the Local Security policy. Start by enabling success and failure of Audit Process Termination. This is configured in the Local Security Policy under Advanced Audit Policy Configuration, System Audit Policies, Detailed Tracking. Alternatively, use Group Policies to enforce the setting on multiple servers in Active Directory environments.

Local Security Policy

Create a new subscription for Security Event 4689 once auditing is enabled. Go to Subscriptions and click Add.

Add Subscription

Select Security under Event Viewer (Local). In the Include or Exclude Event field, enter 4689. Notice the granular filtering options available. If multiple Event IDs are needed, enter them in this field separated by commas; ranges of Event IDs are also accepted. Exclude an Event ID by placing a minus sign before it. Once finished, the Add Event Log Subscription screen will look like the one shown below. Click Next to continue.
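The following added example (not SolarWinds code) models the Include or Exclude Event field syntax described above: comma-separated IDs, ranges written low-high, and a leading minus sign to exclude an ID. The exact grammar the forwarder accepts, and the rule that exclusions override inclusions, are assumptions here; the sample events are constructed.

```python
import re


def parse_event_filter(spec):
    """Return (include, exclude) sets of event IDs from a filter string."""
    include, exclude = set(), set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        target = include
        if token.startswith("-"):          # "-4625" excludes an ID or range
            target, token = exclude, token[1:].strip()
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", token)
        if not m:
            raise ValueError(f"bad filter token: {token!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if low > high:
            raise ValueError(f"range out of order: {token!r}")
        target.update(range(low, high + 1))
    return include, exclude


def event_matches(spec, event_id):
    """Assumed semantics: exclusions win; an empty include set means 'all'."""
    include, exclude = parse_event_filter(spec)
    if event_id in exclude:
        return False
    return not include or event_id in include


# Constructed sample of Security log entries (id, summary), not real captures.
SAMPLE_EVENTS = [
    (4688, "A new process has been created"),
    (4689, "A process has exited: spoolsv.exe"),
    (4624, "An account was successfully logged on"),
    (4625, "An account failed to log on"),
    (4634, "An account was logged off"),
]


def forwarded_ids(spec, events=SAMPLE_EVENTS):
    """IDs a subscription with this filter would forward to the Syslog server."""
    return [eid for eid, _ in events if event_matches(spec, eid)]
```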

Security Log Subscription

Leave the Syslog facility as Kernel and click Finish. Give the subscription a descriptive name.

Test the subscription by restarting a service. Go to Computer Management, then Services and Applications, Services. In this example, the Print Spooler service is restarted to demonstrate the Syslog subscription. Restart the service.

The message sent by the Event Log Forwarder to the SolarWinds Kiwi Syslog Server shows the details from the event log, as shown below.

Syslog Spool Message

Summary

SolarWinds Event Log Forwarder is a useful free tool for sending Event Log data to a Syslog server. Environments that use Syslog servers as their primary monitoring and log collection tools will appreciate the ability to send Windows event log data to them. The tool can be used for one-off alerts or as part of a large-scale logging and alerting solution.

As with any monitoring system, tuning is required. Event Log Forwarder makes tuning easy with several filtering configuration options. Filtering at the client level prevents unnecessary noise from reaching the server.

For more advanced log collection with built-in analytics, check out SolarWinds Log Analyzer. Log Analyzer collects a variety of logs, including Syslog, SNMP traps, VMware and Windows Events, and streams them for real-time visualization. Download a free 30-day trial of Log Analyzer here.

© 4sysops 2006 - 2019