5

I am trying to set up a Windows 2008 server so it's able to send the event log messages to a syslog-ng server running Linux. I'd prefer something native but I guess it won't be possible.

UPDATE The first answer recommended using Snare; so far it's the best solution I found, totally painless to set up, and in less than five minutes I had logs on my syslog-ng server. The only drawback (not Snare's fault) was that the logs are sent in the windows-1252 charset encoding, so I was not able to tail -f them unless I changed the charset somehow. If you are using syslog-ng this can be easily solved by creating a new source, in my case:

source src_win {
        udp(
                ip("192.168.1.200")            # local address syslog-ng listens on
                port(514)
                encoding("WINDOWS-1252"));     # charset of the incoming Snare messages, transcoded to UTF-8
};

After this (and assigning the new source to the right place) you will be able to see your Windows logs properly.

Old content

Looking around I've found a couple of solutions pointed by this page: http://www.itbuzzer.net/corner/2008/10/how-to-send-windows-events-to-syslog.asp

Does anyone have experience with any of those or something else?

aseques
  • 688
  • 4
  • 12
  • 26
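A complete syslog-ng configuration that wires the source above to a file destination and a log path, added here as an illustration and not taken from the original post. The @version line, the destination and log names, the file path and the create_dirs option are assumptions for the example; the ip/port/encoding values are the ones from the post.

```conf
@version: 3.2

# Constructed example: syslog-ng listener for Snare-forwarded Windows event logs.
# Snare sends BSD-syslog over UDP; the message text is windows-1252, so the
# encoding() option makes syslog-ng transcode it to UTF-8 as it is received.
source src_win {
    udp(
        ip("192.168.1.200")        # bind only to the interface the Windows hosts reach
        port(514)
        encoding("WINDOWS-1252")
    );
};

# One file per sending host (path and create_dirs() are assumptions).
destination d_win {
    file("/var/log/windows/${HOST}.log"
         create_dirs(yes));
};

# A source that is not referenced by a log statement is never read; this is
# the "assigning the new source to the right place" step from the post.
log {
    source(src_win);
    destination(d_win);
};
```

Check the file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` before restarting the service. Plain UDP syslog carries no authentication or integrity protection, so besides binding the listener to one interface with ip(), restrict 514/udp in the host firewall to the addresses of the Windows senders.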

3 Answers

6

I use Snare.

Snare for Windows is a Windows NT, Windows 2000, Windows XP, and Windows 2003 compatible service that interacts with the underlying Windows Eventlog subsystem to facilitate remote, real-time transfer of event log information. Snare for Windows also supports 64-bit versions of Windows (x64 and IA64).

Snare for Windows Vista is a Windows 2008, Vista and Windows 7 compatible service that interacts with the underlying "Crimson" Eventlog subsystem to facilitate remote, real-time transfer of event log information. Snare for Windows Vista also supports 64-bit versions of Windows (x64).

Snare for Windows and Windows Vista are free software (freeware), released under the terms of the GNU Public Licence (GPL).

alvosu
  • 8,357
  • 24
  • 22
  • In scanning the Snare docs it looks like all of the supported types are text files (e.g. IIS logs); can you get it to also send event logs to syslog? – Jim B Feb 07 '11 at 17:33
  • http://www.intersectalliance.com/projects/SnareWindows/audit_conf.png – alvosu Feb 07 '11 at 17:39
  • I just installed Snare on the server I was interested in and it's great. Easy to configure and it just works out of the box. One issue though, the charset used for the logs is not UTF; probably it is windows-1252. Haven't looked at it yet, but is that configurable? – aseques Feb 09 '11 at 09:38
  • What problem? ... #pragma code_page(65001) and recompile. It's open source. – alvosu Feb 09 '11 at 09:51
  • Well, part of an easy installation is not having to recompile every time you want to modify a setting. Currently I am trying to find a method in syslog-ng to convert the charset on the fly from windows-1252 to utf8 (not much luck yet ...) – aseques Feb 09 '11 at 10:21
  • Updated the main post with a proper solution to fix the encoding in syslog-ng – aseques Feb 09 '11 at 11:30
1

nxlog is an open-source solution which can do what you need using the im_mseventlog or im_msvistalog modules. There is charset conversion support so you can forward in utf-8 or another codepage.

b0ti
  • 986
  • 1
  • 6
  • 13
  • It seems a nice solution, I've my setup working nicely at the moment, but I'll have an eye on this tool for the next time I need an alternative. – aseques Jan 16 '12 at 08:15
0

You might also consider looking at the most current incarnation of the eventlog-to-syslog project out there.

I'm looking at building a log server to centralize and process all the Windows and Linux logs in my environment and am looking at both that and Snare. I'm leaning towards eventlog-to-syslog as it's supposedly a little bit lighter than Snare, and I'm hampered as my environment is already a somewhat overloaded VMware environment.

Not that I don't think Snare is an excellent solution; I just like people to have multiple options.

mgorven
  • 30,036
  • 7
  • 76
  • 121
  • I did a quick test of eventlog-to-syslog prior to posting to serverfault. In my brief testing I wasn't able to properly configure the service. After that I just installed Snare and I've seen that it's a great tool and so easy to set up (thanks to the web interface). – aseques Feb 11 '11 at 13:45