Tuesday, February 19, 2019

Forwarding Windows Event Logs to Syslog Server (Kiwi Syslog)

Centralizing your logs saves time and increases the reliability of your log data, especially for Windows machines. When Windows log files are stored locally on each server, you have to individually log into each one to go through them and look for any errors or warnings. It’s possible for a Windows server to forward its events to a “subscribing” server. In this scenario the collector server can become a central repository for Windows logs from other servers in the network.There are many ways you can forward your windows event logs to a centralized log server. You can use event log forwarding feature which was introduced in Windows Server 2008. Event log forwarding brought forth a native and automatic way to get events from multiple computers (event sources) into one or more machines called collectors. Another option is to use third party software, such Solarwinds Free Event Log Forwarder for Windows

In this post, I am going to introduce another free software , Eventlog to Syslog. The Eventlog to Syslog utility is a program that runs on Microsoft Windows NT class operating systems monitoring the eventlog for new messages. When a new message appears in the eventlog, it is read, formatted, and forwarded to a UNIX syslog server.

1. Install Syslog Server - Kiwi Syslog Free Version
Download address: https://thwack.solarwinds.com/community/free-tools-and-trials

2. Download Eventlog-to-syslog software

3. Install evtsys.exe as a service
3.1 Install
unzip the downloaded file, you will get one file - evtsys.exe
copy this file to  the folder c:\windows\system32。

3.2 evtsys Usage: 
evtsys.exe -i|-u|-d [-h host] [-p port] [-q char]
-i      Install service
-u      Uninstall service
-d      Debug: run as console program
-h host   Name of log host (日志服务器IP地址)
-p port   Port number of syslogd (日志服务器端口,默认是514)
-q char   Quote messages with character

打开Windows命令提示符(开始->运行 输入CMD)
C:\>evtsys –i –h   #(日志服务器的IP地址)
-i   表示安装成系统服务
-h  指定log服务器的IP地址

3.3 启动该服务:
C:\>net start evtsys
打开windows组策略编辑器 (开始->运行 输入 gpedit.msc)
在windows 设置-> 安全设置 -> 本地策略->审核策略中,打开你需要记录的windows日志。evtsys会实时的判断是否有新的windows日志产生,然后把新产生的日志转换成syslogd可识别的格式,通过UDP 3072端口发送给syslogd服务器。OK,所有的配置windows端配置完成.

3.4 卸载evtsys:
net stop evtsys
evtsys -u

YouTube Video: Forwarding Windows Event Logs to Kiwi Syslog Server

No comments:

Post a Comment