The Wikipedia says that Syslog is the de facto standard for logging program messages. Well, let’s say, it is the most common logging protocol outside the Windows world. If you also administer Linux boxes, then you know that the Open Source OS still uses plain text files for logging OS and application messages. To keep track of all log files, Linux admins often use the Syslog protocol to collect all log data at a central location. Moreover, Syslog is also supported on Macs, other UNIX systems, and Syslog-capable network devices. Thus, if you want to manage all your logs with one system, it makes sense to introduce Syslog in your network.
Since Windows doesn’t support Syslog natively, you have to install third-party software. You need a Syslog agent (client) on every machine where you want to collect Windows event log messages and, at least, one Syslog server where all the data comes together. Jeff submitted a free Syslog client for Windows a few days ago. So, I thought, we should also have a free Syslog server in our collection of free log management tools. SolarWinds’ Kiwi Syslog Server is probably the most popular free Syslog “daemon” for Windows.
If you want to play a little with Syslog, you can install the Kiwi Syslog Server and the CorreLog Syslog Client on the same Windows machine. It doesn’t have to be a server. You must install the Kiwi Syslog Server first because the client can’t be installed without specifying the server.
Configuring the Syslog client ^
To get an idea of how Syslog works, launch the CorreLog Windows Syslog Agent Configuration with admin privileges and then open its config file from there. For testing purposes, you can change the DefaultSeverity parameter in the section for the Security Eventlog from “disabled” to “auto,” which means that all messages in the Windows security event log will be sent to the Syslog server. If you skim over the CorreLog Syslog configuration file, you will understand how you can send only those event log messages that are of interest to you. Most important is the MatchKeyword directive which allows you to restrict messages to certain keywords. The CorreLog Syslog Agent comes with documentation that explains all directives well.
If you now change the password of a Windows user on your test machine, you should receive a new message on the Kiwi Syslog Server. I think, you got the picture now of how Syslog works. On the client, you configure the type of messages you want to send to the server, and on the Syslog server collect all the data. In addition, you can specify rules on the Syslog server that will trigger actions when messages of a certain type arrive.
Configuring the Kiwi Syslog Server ^
To configure rules, open Setup on the Kiwi Syslog Server Console. In the Rules section, you can define filters and actions. Filters of the free edition are priority, time of the day, and input source (UDP, TCP, SNMP, keep alive). The actions are triggered when a message makes it through the filter. The full version of Kiwi Syslog Server supports 15 different actions, whereas the free version supports only 6: display (10 different displays), log to file, sound, forward to another host, send SNMP trap, and stop processing.
After you install Kiwi Syslog Server, you can test the licensed edition for 30 days. After 30 days, all features that are only available in the licensed version are disabled and you will see a red message at the bottom of the setup window if you try to access one of these features. A comparison of the free and the licensed full versions can be found here.
I didn’t cover all features of Kiwi Syslog Server 9. It is certainly a powerful free Syslog server for Windows. However, if your network is mostly a Windows shop, then tools such as GFI EventsManager or Netikus.net EventSentry are probably better choices because they allow you to leverage the full power of the Windows event log system. Both tools support the Syslog protocol. EventSentry is also available as a free version.