- Azure AD without on-prem Windows Active Directory? - Mon, Oct 25 2021
- An overview of Azure security - Mon, Mar 29 2021
- An introduction to Azure AD administrative units - Wed, Jan 6 2021
Syslog is a centralized logging service that began with Unix servers in the early days of computing. It has become the preferred logging method for many networking, security, and Linux environments. If you have more than a handful of routers, switches, firewalls, or Linux servers, there is likely a Syslog server somewhere in the environment.
A Syslog server acts as a central repository for logging messages. While a service like an SNMP server polls a client for information, a Syslog server is a listener. Clients send data to the server over UDP on port 514, with TCP options also available.
Installation
The environment I tested in consisted of Windows 2016 and 2019 servers. SolarWinds Kiwi Syslog Server was used to collect Syslog data. Installing SolarWinds Event Log Forwarder for Windows was as easy as it gets. The download contains both an executable and MSI installer. It was nice to see options to fit most automatic deployment scenarios. The installation was straightforward and only required input for installation location and icon placement.
Configuration
The Event Log Forwarder Dashboard has three tabs for simple configuration: Subscriptions, Syslog Servers, and Test.
Subscriptions – The subscriptions tab gives the user granular control over the data sent to the Syslog server. Each subscription specifies which logs and event details to forward, including keyword filters and exclusion criteria. This level of control limits unnecessary noise from entering the logging server.
Syslog Servers – This is the Syslog server that receives the forwarded events. Multiple servers can be configured, defined by hostname or IP and port number. The protocol can be changed if the Syslog server supports TCP.
Test – This tab writes sample events to the event log to test functionality. This is beneficial for verifying the configuration.
Below are examples of setting up the SolarWinds Event Log Forwarder for system errors and stopped service events.
System Errors
In this example, let’s configure SolarWinds Event Log Forwarder for Windows to send all error events from the system event log to the Syslog server. Start by opening Event Log Forwarder and clicking Add under Subscriptions.
Add Subscription
Select System in the Select Event Logs pane. Uncheck the event types Warning and Information. This filters out warning and informational messages. Notice the other filtering options available for fine-tuning the events forwarded to the Syslog server. There is also an option to show events matching the filter at the bottom of the screen. Click Next to configure the Syslog facility.
Forward system log errors
The Syslog facility is configured under Define Priority. Syslog facilities define which system created the message and are used to filter messages on the Syslog server. Syslog has its origins in Unix systems, and the list of facilities map to names of Unix processes. In this example, the Syslog facility is left as Kernel (messages). Click Finish to return to the dashboard.
Security log subscription priority
Give the subscription a new name by selecting it from the list of subscriptions and clicking Rename.
System log errors
Once the subscription is named, move to the Syslog Servers tab. Add one or more Syslog servers from this location. Syslog servers can be edited, disabled, or removed from this tab. The Syslog Server IP or hostname is required in this section, along with the port and protocol if the Syslog server is not using the default UDP port 514. Click Add to add the Syslog server.
Add Syslog Server
Enter the name of the server and modify the IP address, port, and protocol if needed. Notice that there are multiple options under Server Address. After the information is entered, click Create to finish setting up the server.
Server address options
SolarWinds Event Log Forwarder for Windows includes a test feature that generates a test event in the Event Log. In the Test tab, select System for the event log and Error for the type.
Configure test
Click Create a test event to finish. If configured correctly, the Event Log Forwarder will send the event to the Syslog Server. Below is the message logged to SolarWinds Kiwi Syslog Server for this example.
Event message test
Service Stop
The next example configures a subscription to forward Security Event 4689 to the Syslog server. This is the process termination event created when a service stops.
Service starts and stops are not logged to the event log by default and need to be enabled in the Local Security policy. Start by enabling success and failure of Audit Process Termination. This is configured in the Local Security Policy under Advanced Audit Policy Configuration, System Audit Policies, Detailed Tracking. Alternatively, use Group Policies to enforce the setting on multiple servers in Active Directory environments.
Local Security Policy
Create a new subscription for Security Event 4689 once auditing is enabled. Go to Subscriptions and click Add.
Add Subscription
Select Security under Event Viewer (Local). In the Include or Exclude Event field, enter 4689. Notice the granular filtering options available. If multiple Event IDs are needed, add them in this field, separated by commas, as well as ranges of Event IDs. Exclude Event IDs by specifying the minus sign before the ID. Once finished, the Add Event Log Subscription will look like the screen shown below. Click Next to continue.
Security Log Subscription
Leave the Syslog facility as Kernel and click Finish. Give the subscription a descriptive name.
Test the subscription by restarting a service. Go to Computer Management and to Services and Applications, Services. In this example, the Printer Spooler will be restarted to demonstrate the Syslog subscription. Restart the service.
The message sent by the Event Log Forwarder to the SolarWinds Kiwi Syslog Server shows details from the event log, shown below.
Syslog Spool Message
Summary
SolarWinds Event Log Forwarder is a useful free tool for sending Event Log data to a Syslog server. Environments that use Syslog servers as the primary monitoring and log collection tools will appreciate the ability to send Windows event log data to the Syslog server. The tool can be used for one-off alerts or as part of large-scale logging and alerting solution.
As with any monitoring system, tuning is required. Event Log Forwarder makes tuning easy with several filtering configuration options. Filtering at the client level prevents unnecessary noise from reaching the server.
Subscribe to 4sysops newsletter!
For more advanced log collection with built-in analytics, check out SolarWinds Log Analyzer. Log Analyzer collects a variety of logs, including Syslog, SNMP traps, VMware and Windows Events, and streams them for real-time visualization. Download a free 30-day trial of Log Analyzer here.
SolarWinds Event Log Forwarder seems only to support English (US) as system locale. The software seems OK, but is more or less useless outside US.