Forwarding Windows Event Logs to Syslog Server (Kiwi Syslog) - NETSEC


Tuesday, February 19, 2019

Centralizing your logs saves time and increases the reliability of your log data, especially for Windows machines. When Windows log files are stored locally on each server, you have to log into each one individually to go through them and look for errors or warnings. A Windows server can forward its events to a "subscribing" server; in this scenario the collector server becomes a central repository for Windows logs from other servers in the network. There are many ways to forward Windows event logs to a centralized log server. You can use the event log forwarding feature introduced in Windows Server 2008, which brought a native, automatic way to get events from multiple computers (event sources) into one or more machines called collectors. Another option is third-party software, such as the SolarWinds Free Event Log Forwarder for Windows.

In this post, I am going to introduce another free tool, Eventlog to Syslog. The Eventlog to Syslog utility (evtsys) is a program that runs on Microsoft Windows NT-class operating systems and monitors the event log for new messages. When a new message appears in the event log, it is read, formatted, and forwarded to a UNIX syslog server.

1. Install Syslog Server - Kiwi Syslog Free Version
1.1 Download the Kiwi Syslog Daemon from the Kiwi download address:
1.2 Run the Kiwi Syslog Daemon executable file to launch the installation program. Follow the instructions in the installation wizard to install the Kiwi Syslog Daemon as a service.
1.3 Once the Kiwi Syslog Daemon is installed, start the program to start the Syslog Daemon.

1.4 Choose File > Setup. In the left pane, click Rules > Default > Actions > Log to File.

2. Download Eventlog-to-syslog software

3. Install evtsys.exe as a service
3.1 Install
Unzip the downloaded file; you will get one file, evtsys.exe.
Copy this file to the folder c:\windows\system32.

3.2 evtsys usage:
evtsys.exe -i|-u|-d [-h host] [-p port] [-q char]
-i      Install service
-u      Uninstall service
-d      Debug: run as console program
-h host   Name of log host (the syslog server's IP address)
-p port   Port number of syslogd (the syslog server's port, default 514)
-q char   Quote messages with character

Open a Windows command prompt (Start -> Run, type CMD):
C:\>evtsys -i -h   #(the IP address of the syslog server)
-i   installs evtsys as a system service
-h   specifies the IP address of the log server

3.3 Start the service:
C:\>net start evtsys
Open the Windows Group Policy Editor (Start -> Run, type gpedit.msc).
Under Windows Settings -> Security Settings -> Local Policies -> Audit Policy, enable auditing for the Windows logs you need to record. evtsys checks in real time whether new Windows event log entries have been generated, converts each new entry into a format that syslogd recognizes, and sends it to the syslogd server over UDP port 3072. That completes the configuration on the Windows side.

3.4 Uninstall evtsys:
net stop evtsys
evtsys -u
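As an added example (not part of the original post or of the evtsys project), here is a small Python receiver that parses the BSD syslog framing that step 3.3 describes the forwarder producing (PRI, timestamp, host, tag, message) and decodes PRI into facility and severity; it is handy for checking on the collector what actually arrives, and on which port, before pointing the forwarder at Kiwi. The sample lines, the hostname WINSRV01 and the event text are constructed, and the message layout is assumed to be generic RFC 3164 rather than evtsys's exact output format.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG: MESSAGE  (BSD syslog framing; PRI = facility*8 + severity)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$", re.S)

@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    message: str

def parse_syslog(line: str) -> SyslogEvent:
    """Parse one BSD-style syslog datagram; raise ValueError on malformed input."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23 and severity 0-7, so PRI is at most 23*8+7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                       m["ts"], m["host"], m["tag"], m["msg"])

def receive(port: int = 514, bind_addr: str = "0.0.0.0"):
    """Listen for UDP syslog datagrams and yield (source, event); blocks forever."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(8192)
        try:
            yield src, parse_syslog(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print(f"dropping datagram from {src}: {exc}")  # malformed or non-syslog traffic

# Constructed sample lines (not captured from evtsys) in the framing a forwarder would emit.
SAMPLE_LINES = [
    "<13>Feb 19 10:15:32 WINSRV01 Security: 4625: An account failed to log on.",
    "<11>Feb 19 10:16:01 WINSRV01 System: 7034: The Print Spooler service terminated unexpectedly.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

Run `receive()` in a loop on the collector (binding port 514 needs elevated rights on most systems) to confirm the forwarder is using the port Kiwi listens on.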


  • YouTube Video: Forwarding Windows Event Logs to Kiwi Syslog Server
