Incoming Syslog packets can be logged to event log to facilitate real-time alerts, e.g. via email. The feature is enabled on the «Syslog to Event Log» tab with the «Log to the APPLICATION event log» check box. Since the Syslog protocol supports 8 different severities (compared to just 3 for the Windows event log), a mapping of severities needs to be configured.
EventSentry will log all messages to the application event log with event ID 500 and event source EventSentry Network Services.
Severity Mapping
Configures the mapping between Syslog severities and Windows event log severities.
|
Unix Syslog defines eight severity levels: •EMERG Emergency •ALERT Alert •CRIT Critical •ERR Error •WARNING Warning •NOTICE Notice •INFO Info •DEBUG Debug The Windows event log defines only three severities (SUCCESS is not mentioned since it is basically equivalent to INFORMATION): •ERROR •WARNING •INFORMATION •Ignore (does not log message to the event log) |
|
|
|
To prevent a certain error level (e.g. debug) from being written to the Windows event log, specify Ignore in the corresponding Windows column. This will drop all packets from the specified error level without logging them to the event log. |
Settings
By default, no incoming Syslog messages will be logged to the event log. Clicking the + icon will add additional filters to the list (see below for filtering syntax and examples). Wildcards * and ? are supported.
Include: Log all messages to the event log, except for exclusions below
This setting will log all Syslog messages to the event log. Syslog messages containing strings that are listed below will be excluded.
Exclude: Only log messages to the database that are included below
This is the default setting, and only logs Syslog messages to the event log that match the listed filters.
Syntax
Syslog message filters are compared to the following Syslog format:
hostname[facility.severity]: content
ipaddress[facility.severity]: content
hostname: The host name of the remote host, if the remote IP address as was able to be resolved to a host name
ipaddress: The IP address of the remote host, if the host name could not be resolved with a reverse lookup
facility: The Syslog facility, e.g. auth, cron, kern, etc.
severity: The Syslog severity, e.g. emerg, alert, crit, etc.
content: The actual content of the Syslog message
Examples:
firewall01.prod.local[kern.crit]: Invalid login from 11.32.23.111
192.1.3.4[cron.notice]: /USR/SBIN/CRON[26051]: (root) CMD ( cd / && run-parts —report /etc/cron.hourly)
ubuntu-box[authpriv.notice]: sudo: root : TTY=unknown ; PWD=/ ; USER=administrator ; COMMAND=/usr/bin/gconftool —get /system/http_proxy/use_http_proxy
Example Filters
•Match all «info» severities from hosts that start with «firewall»: firewall*[*.info]*
•Match all messages that contain «com.apple.wikid»: *com.apple.wikid*
•Match all messages from facility «local7» with severity «notice»: *[local7.notice]*
•Match all messages from hosts from the 192.1.1.0/24 subnet: 192.1.1.*
Despite Syslog’s popularity, Windows OS does not natively support sending event log data to a Syslog server. This is what SolarWinds Event Log Forwarder for Windows does.This free tool provides users the ability to collect Windows events on a syslog server for storage and analysis with other log sources.. It uses subscription-based filters that forward Windows events as a syslog to one or more Syslog servers.
Contents
- Installation
- Configuration
- System Errors
- Service Stop
- Summary
- Author
- Recent Posts
Travis Roberts is a Cloud Infrastructure Architect at a Minnesota based consulting firm. Travis has 20 years of IT experience in the legal, pharmaceutical and marketing industries, and has worked with IT hardware manufacturers and managed service providers. Travis has held numerous technical certifications over the span of his career from Microsoft, VMware, Citrix and Cisco.
Syslog is a centralized logging service that began with Unix servers in the early days of computing. It has become the preferred logging method for many networking, security, and Linux environments. If you have more than a handful of routers, switches, firewalls, or Linux servers, there is likely a Syslog server somewhere in the environment.
A Syslog server acts as a central repository for logging messages. While a service like an SNMP server polls a client for information, a Syslog server is a listener. Clients send data to the server over UDP on port 514, with TCP options also available.
Installation
The environment I tested in consisted of Windows 2016 and 2019 servers. SolarWinds Kiwi Syslog Server was used to collect Syslog data. Installing SolarWinds Event Log Forwarder for Windows was as easy as it gets. The download contains both an executable and MSI installer. It was nice to see options to fit most automatic deployment scenarios. The installation was straightforward and only required input for installation location and icon placement.
Configuration
The Event Log Forwarder Dashboard has three tabs for simple configuration: Subscriptions, Syslog Servers, and Test.
Subscriptions – The subscriptions tab gives the user granular control over the data sent to the Syslog server. Each subscription specifies which logs and event details to forward, including keyword filters and exclusion criteria. This level of control limits unnecessary noise from entering the logging server.
Syslog Servers – This is the Syslog server that receives the forwarded events. Multiple servers can be configured, defined by hostname or IP and port number. The protocol can be changed if the Syslog server supports TCP.
Test – This tab writes sample events to the event log to test functionality. This is beneficial for verifying the configuration.
Below are examples of setting up the SolarWinds Event Log Forwarder for system errors and stopped service events.
System Errors
In this example, let’s configure SolarWinds Event Log Forwarder for Windows to send all error events from the system event log to the Syslog server. Start by opening Event Log Forwarder and clicking Add under Subscriptions.
Add Subscription
Select System in the Select Event Logs pane. Uncheck the event types Warning and Information. This filters out warning and informational messages. Notice the other filtering options available for fine-tuning the events forwarded to the Syslog server. There is also an option to show events matching the filter at the bottom of the screen. Click Next to configure the Syslog facility.
Forward system log errors
The Syslog facility is configured under Define Priority. Syslog facilities define which system created the message and are used to filter messages on the Syslog server. Syslog has its origins in Unix systems, and the list of facilities map to names of Unix processes. In this example, the Syslog facility is left as Kernel (messages). Click Finish to return to the dashboard.
Security log subscription priority
Give the subscription a new name by selecting it from the list of subscriptions and clicking Rename.
System log errors
Once the subscription is named, move to the Syslog Servers tab. Add one or more Syslog servers from this location. Syslog servers can be edited, disabled, or removed from this tab. The Syslog Server IP or hostname is required in this section, along with the port and protocol if the Syslog server is not using the default UDP port 514. Click Add to add the Syslog server.
Add Syslog Server
Enter the name of the server and modify the IP address, port, and protocol if needed. Notice that there are multiple options under Server Address. After the information is entered, click Create to finish setting up the server.
Server address options
SolarWinds Event Log Forwarder for Windows includes a test feature that generates a test event in the Event Log. In the Test tab, select System for the event log and Error for the type.
Configure test
Click Create a test event to finish. If configured correctly, the Event Log Forwarder will send the event to the Syslog Server. Below is the message logged to SolarWinds Kiwi Syslog Server for this example.
Event message test
Service Stop
The next example configures a subscription to forward Security Event 4689 to the Syslog server. This is the process termination event created when a service stops.
Service starts and stops are not logged to the event log by default and need to be enabled in the Local Security policy. Start by enabling success and failure of Audit Process Termination. This is configured in the Local Security Policy under Advanced Audit Policy Configuration, System Audit Policies, Detailed Tracking. Alternatively, use Group Policies to enforce the setting on multiple servers in Active Directory environments.
Local Security Policy
Create a new subscription for Security Event 4689 once auditing is enabled. Go to Subscriptions and click Add.
Add Subscription
Select Security under Event Viewer (Local). In the Include or Exclude Event field, enter 4689. Notice the granular filtering options available. If multiple Event IDs are needed, add them in this field, separated by commas, as well as ranges of Event IDs. Exclude Event IDs by specifying the minus sign before the ID. Once finished, the Add Event Log Subscription will look like the screen shown below. Click Next to continue.
Security Log Subscription
Leave the Syslog facility as Kernel and click Finish. Give the subscription a descriptive name.
Test the subscription by restarting a service. Go to Computer Management and to Services and Applications, Services. In this example, the Printer Spooler will be restarted to demonstrate the Syslog subscription. Restart the service.
The message sent by the Event Log Forwarder to the SolarWinds Kiwi Syslog Server shows details from the event log, shown below.
Syslog Spool Message
Summary
SolarWinds Event Log Forwarder is a useful free tool for sending Event Log data to a Syslog server. Environments that use Syslog servers as the primary monitoring and log collection tools will appreciate the ability to send Windows event log data to the Syslog server. The tool can be used for one-off alerts or as part of large-scale logging and alerting solution.
As with any monitoring system, tuning is required. Event Log Forwarder makes tuning easy with several filtering configuration options. Filtering at the client level prevents unnecessary noise from reaching the server.
Subscribe to 4sysops newsletter!
For more advanced log collection with built-in analytics, check out SolarWinds Log Analyzer. Log Analyzer collects a variety of logs, including Syslog, SNMP traps, VMware and Windows Events, and streams them for real-time visualization. Download a free 30-day trial of Log Analyzer here.
Understanding the event log is essential in every Windows system and plays a key role in the tasks of all Windows administrators. In addition to providing security, Windows event logs can serve as a valuable resource for troubleshooting purposes.
Log messages are incredibly helpful for troubleshooting and often are the first indication that something is wrong. Although system status signals are generated by every program and operating system, for decade’s administrators would struggle to sort through all of them for valuable insights.
Threat prevention has been transformed thanks to the introduction of Security Information and Event Management (SIEM). As a result, now everyone is eager to gather and store every log message that is generated by all systems.
Two important standards for log messages exist Windows Events and Syslog. Open standard Syslog is often seen on Linux systems. As with other Microsoft-developed standards, Windows Events adhere to a strict set of guidelines. The Windows Event log format is used by third-party programs operating on Windows. Similarly, some software developers choose to use the Syslog message standard.
Log collectors and receivers
Because Windows Events and Syslog log messages must be merged, a bridge between the two types of log messages is required. A log message manager on a Windows system will collect and store all Windows Events log messages but will disregard Syslog messages that could be created on other parts of the network. In the same way, a Linux log file manager would capture and store Syslog messages but not Windows Event log messages, for example.
To administer both Windows and Linux computers, a systems administrator must maintain at least two distinct log stores — one for Windows Events and one for Syslog messages. This is not an ideal situation for detecting intrusions. Either Windows Event messages must be changed to Syslog format, or Syslog messages must be converted to Windows Event message format, is the answer to this issue. Any of these approaches would allow a single analytical tool to sift through all system messages stored in common files.
Converting Windows Events and Syslog messages to a neutral format is a third way to consolidate them. Even if Windows Events are transmitted to a Syslog server or a third-party aggregation application known as Event log forwarding, the process of delivering such events is known as event log forwarding.
Event log forwarders and servers
On your computer, the event log forwarder will be running at all times. There’s no requirement for the log server and consolidator to be on your premises at all. You may use a log server that is installed on your premises, or you can use one that is hosted in a cloud-based service.
Some of the hosted systems include the log collector, which is the Event log forwarder. It is still necessary to deploy the log collector on a Windows server at your site in these circumstances. “Agent” is the word of choice.
One of your Linux computers must have a Syslog forwarder installed to consolidate data from Windows and Linux environments. A Linux-based agent is also included in SaaS log file management solutions. The log collector/forwarder and the log server will still be different packages if you operate the log file server on your site. As a central repository for all log messages, the server may handle both Windows Events and Syslog.
Free event log forwarders and log consolidator
Event log forwarders and log servers and consolidators may be found for free, so you don’t have to pay for them. When selecting two services, make sure that they are compatible with each other. The chance of mismatch between Windows Events and Syslog is low since both are well-known standards. Just in case, it’s always a good idea to verify compatibility.
Event log forwarders and logging file servers purchased from the same vendor eliminate any risk of incompatibility. As a result, this is the approach we’ll use throughout this manual. Free tools from SolarWinds are used in this example.
These are the ones I’d like to point out:
- SolarWinds Event Log Forwarder for Windows – FREE TOOL
- Kiwi Syslog Server Free Edition – FREE TOOL
- ManageEngine Log360 Cloud – FREE TRIAL
To cope with the mismatch between log file formats, we will transform Windows Event Log messages into a Syslog format and then transmit them to a Syslog server, as the titles of these two programs suggest. A Linux-based log message collector may also send Syslog messages to the server.
The following operating systems are compatible with both of these programs:
- Microsoft Windows Server 2016 / Windows 10
- XP, Vista, 7, 8, and 8.1
- Windows 10 is the latest version of the operating system
- Windows 8.1 is the most recent version of the operating system
- Microsoft Windows 8
These versions of Windows will also run the Event Log Forwarder:
- There are two versions of Windows 7 available: Windows 7 SP1 and Windows 7 SP1
- Service Pack 2, Service Pack 3 (SP3), and Service Pack 1 (SP1) are all versions of Windows Server 2008 that are supported
- Service Pack 2 (SP2) for Windows Server 2003 R2
Let’s get started with the installation of these two programs.
Install SolarWinds event log forwarder for Windows
SolarWinds offers a free download of the Event Log Forwarder. Event log messages may only be retrieved from computers that have the software installed. The page may be accessed by clicking the Download button.
SolarWinds Event Log Forwarder
FREE Tool
Enter your e-mail address and select the “Proceed to Free Download” button on the access page.
The SolarWinds Log Analyzer will be made available to you as a 30-day free trial. Following, you’ll see a button labeled “Download Now” on the next page, whether or not you accept this offer.
SolarWinds Log Analyzer
Start a 30-day FREE Trial
The zip file may be downloaded by clicking on the button. The folder may be opened after the download is complete. Zip the files up and then unzip them.
In the second folder, double-click on the installation. You’ll be prompted by Windows to provide access to launch the file. Click the “OK” button to confirm your action. This will open a wizard to guide you through the installation process. Click the Next button once you’ve agreed to the terms and conditions and have gone through the installation process. On the last page of the installation, click Finish to complete the process.
Set up the event log forwarder
The Event Log Forwarder may be opened by clicking on its Start menu or Desktop icon when the installation process has finished. Before the service starts, Windows will ask for your permission.
When you initially launch the system, you’ll see a giant blank panel on the Dashboard.
Specify even collection parameters
Adding a message type to the collector is required before it can begin collecting data.
The Add button is located at the top of the panel.
The events that are sent to the Syslog server may be narrowed down using the Event Type selection screen. Traffic will be reduced as a result. However, you may be compelled to submit all events if you are collecting log data for a SIEM system.
Filters for messages may be seen by hitting the Show preview of matching event records button, which can be found beneath the left panel on the screen.
Log records may be obtained in three ways. The first step is to specify the log message sources from which you want to gather data. The left panel of the screen shows a hierarchical structure that enables this. Select all events by checking the box at the top of the hierarchy. A drop-down list of event sources may be used to fine-tune this filtering approach. Here you’ll find a breakdown of the systems in the left-hand panel that you chose.
The Add screen’s main panel has a second filter at the very top. These incidents may be collected in a variety of ways, depending on how serious they are. Error, Warning, and Information-level messages may all be collected here.
Selecting certain task categories, user accounts, or machines for which log entries should be extracted is possible using a third filtering approach. To utilize the Task Category option, you must have a list of IDs. As a result, to take advantage of this functionality, you’ll need to know the unique IDs for all of the different types of log data you wish to gather. The task categories are selected from a drop-down menu, which by default all of the categories have ticked. After you pick event sources in the left-hand panel, this list will be updated with events.
If you want to exclude or include a certain work category, you may use the task category ID in the area above the drop-down list. All events, except for a specific list, may be logged by placing a negative sign in front of each event type’s ID.
After selecting an event source, click the Next button to go on to the next step. Define Priority is where you’ll find this option.
By default, all events are sent to a syslog server using this facility (s). Using this and the Event Type on each message, the Priority value will be applied to each record when it is translated to the Syslog standard.
To return to the main screen, click on the “Finish” button at the bottom.
The primary detail panel of the Dashboard’s Home screen has been updated to include a new entry.
Specify a Syslog Server
Afterward, you must tell the Event Log Forwarder where it should deliver the transformed event logs to. Click on “Syslog Servers” in the main panel at the top of the screen to open the window Activate the Add button by clicking it.
Enter the Syslog server’s IP address in the Add Syslog Server dialogue box. It is necessary to provide the IP address provided in the service’s setup instructions when using a SaaS system for log file consolidation. To use a Syslog server installed on a computer, you must provide the IP address of that machine. Port and Protocol are industry-standard values, so leave them alone.
If you have many Syslog servers, you may give each one its unique name in the Server Name column. For a single Syslog Server on your Dashboard, the name doesn’t matter much since you won’t need to differentiate between the entries that display on the Home page.
To return to the Dashboard’s main page, click the Create button.
The Event Log Forwarder’s settings should be checked
Click on the Test tab in the Event Log Forwarder’s main page to verify that the collector’s setup was successful. Using the drop-down menu under the Event logs section, choose a kind of event to which a test event should be added. Go for it and choose “All.” Select an event kind, such as a warning, in the second field.
To begin the test, click on the icon labeled “Create a test event.” You should be notified of either a success or a failure.
Use a Syslog Server
You’ve finished setting up your Event log forwarder now. This message forwarding mechanism requires the installation of a Syslog server, though. It is recommended that you use the SolarWinds Syslog Server Free Edition.
A form is required to get this server, which is the same form that you filled out to acquire the Event Log Forwarder.
Download and unzip the service, then execute the setup wizard to install the Syslog server on your computer or server.
Run a test in the Event Log Forwarder to see whether the Syslog Server is configured appropriately. This message should display in the dashboard after the Kiwi Syslog Server is up and running.
Cloud Log Forwarding Solutions
ManageEngine Log360 Cloud – FREE TRIAL
ManageEngine Log360 Cloud is a cloud-based SIEM solution that provides comprehensive visibility and security management across both on-premises and cloud environments in a single platform.
With ManageEngine Log360 Cloud, you can access and manage syslog data from anywhere, scale your network architecture without worrying about the log volume, and cut your overall log storage spending.
The platform also enables you to audit security events and meet IT compliance requirements with ease. It provides security analytics, rule-based threat detection, threat analytics, compliance management, and security auditing and reporting.
Log360 Cloud provides a comprehensive view of your network’s security in real-time with multiple auto-updated, graphical dashboards.
Overall, Log360 Cloud by ManageEngine is an excellent option for a newly set-up Syslog server as it offers a range of features and flexibility to meet various IT security and compliance objectives. You can get started with a free plan with 50GB storage and a 15-day storage retention period.
ManageEngine Log360 Cloud
Start on a FREE Plan
What is event log forwarding?
Event log forwarding is the process of forwarding event log data from one computer to another for analysis and monitoring purposes. This is commonly used in enterprise environments where a central monitoring system is used to monitor multiple computers.
Why is event log forwarding important?
Event log forwarding is important because it provides a centralized view of system events and activities across multiple computers, which can help identify issues and potential security threats more quickly and efficiently.
What types of events are typically forwarded in event log forwarding?
Events that are typically forwarded in event log forwarding include system and application events, security events, and performance metrics.
What tools can be used for event log forwarding?
There are many tools available for event log forwarding, including commercial solutions like SolarWinds Log & Event Manager, ManageEngine EventLog Analyzer, and Splunk Enterprise Security. Open-source tools include Graylog, Logstash, and Fluentd.
How does event log forwarding work?
Event log forwarding works by using Windows Event Forwarding or a third-party tool to collect and forward event log data from a source computer to a destination computer or monitoring system. The data is typically sent using a secure protocol such as HTTPS, and can be filtered or consolidated before being analyzed.
What are some best practices for event log forwarding?
Some best practices for event log forwarding include configuring log forwarding policies to collect and forward relevant events only, setting appropriate alert thresholds to minimize false positives, using encryption to protect data in transit, and regularly reviewing and updating log forwarding policies and procedures. It’s also important to have a clear plan in place for responding to any security incidents or events that may occur.
- Download demo project — 11.6 KB
- Download source files — 24.1 KB
Introduction
Syslog has become the standard logging solution on Unix and Linux systems. There are many applications which can send and receive syslog messages on windows computers. I have this wireless router (WRT type) and after a firmware upgrade, there was a syslog option. Working on a Windows XP machine, I wrote a Syslog daemon of my own entirely in C#.
Background
For logging on Windows we have Eventlog. To make use of Eventlog we have to make a service which translates syslog messages and sends them to Eventlog. Syslog messages are transported as UDP packets on port number 514, and have a very simple structure. For more on Syslog packets, please read http://www.ietf.org/rfc/rfc3164.txt
Using the demo project
The demo project contains the Syslogd.exe service. If you want to use it, you have to install the service by using the .NET tool installutil.exe which is located in the framework directory (watch version numbering).
In my src project I use two post-build steps, one for uninstall, and one for installing.
Note: If you build the project for the first time, the first step will break. So remove it, and add it later.
c:\windows\microsoft.net\framework\v2.0.50727\installutil.exe
/u "$(TargetPath)"
c:\windows\microsoft.net\framework\v2.0.50727\installutil.exe
"$(TargetPath)"
Note: The demo project contains a simple install.cmd that does install your service.
Because services are not nice to debug(!), the project contains a simple Form which can Start and Stop the Syslogd process. You can set breakpoints, and do single steps from here.
When using installutil.exe for registering .NET services, the tool looks for any [RunInstaller(true)] attribute on a class, and executes that piece of code.
[RunInstaller(true)] public class SyslogdInstaller : Installer { ....... }
SyslogdInstaller.cs
This installer code is located in SyslogdInstaller.cs which does two things. It installs the syslogd service and opens up the internal firewall of Windows XP, for more on this, see ‘Points of Interest’.
....... this.serviceProcessInstaller1.Account = ServiceAccount.LocalSystem; this.serviceProcessInstaller1.Password = null; this.serviceProcessInstaller1.Username = null; ....... this.serviceInstaller1.ServiceName = settings.ServiceName; this.serviceInstaller1.Description = settings.Description; this.serviceInstaller1.DisplayName = settings.DisplayName; this.serviceInstaller1.StartType = ServiceStartMode.Automatic;
Properties.Settings
Most of the properties in this project are configurable by its Properties.Settings class.
In Visual Studio you can use the nice properties editor:
When saving these settings, an XML file is saved (Syslogd.exe.config) which can be changed according to one’s own wishes afterwards.
="1.0"="utf-8" <configuration> ..... <userSettings> <Syslogd.Properties.Settings> <setting name="Address" serializeAs="String"> <value>*</value> </setting> <setting name="Port" serializeAs="String"> <value>514</value> </setting> <setting name="ServiceName" serializeAs="String"> <value>Syslogd</value> </setting> <setting name="Description" serializeAs="String"> <value>Syslogd service logs syslog messages to windows eventlog</value> </setting> <setting name="DisplayName" serializeAs="String"> <value>Syslogd service</value> </setting> <setting name="EventLog" serializeAs="String"> <value>Syslog</value> </setting> </Syslogd.Properties.Settings> </userSettings> </configuration>
SyslogdService.cs
The syslogd service code itself is located in SyslogdService.cs. This is more or less a standard service code and inherits from ServiceBase. There is only a Start and a Stop service method.
... private Syslogd syslogd; ... public SyslogdService() { ... syslogd = new Syslogd(); } protected override void OnStart(string[] args) { syslogd.Start(); } ... protected override void OnStop() { syslogd.Stop(); } ...
Syslogd.cs
When syslogd service is started, a new class syslogd is instantiated, and contains a worker thread for receiving syslog messages. This worker class is located in Syslogd.cs
private void Worker() { Properties.Settings settings = new Properties.Settings(); m_EventLog = settings.EventLog; IPAddress ipAddress = IPAddress.Any; if(settings.Address!="*") ipAddress = IPAddress.Parse(settings.Address); IPEndPoint ipEndPoint = new IPEndPoint(ipAddress, settings.Port); m_socket = new Socket( AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp); m_socket.Bind(ipEndPoint); EndPoint endPoint = ipEndPoint; byte[] buffer = new byte[1024]; while (m_running) { try { int intReceived = m_socket.ReceiveFrom(buffer, 0, buffer.Length, SocketFlags.None, ref endPoint); string strReceived = Encoding.ASCII.GetString(buffer, 0, intReceived); Log(endPoint, strReceived); } catch (Exception exception) { EventLog myLog = new EventLog(); myLog.Source = settings.ServiceName; if (!m_running) myLog.WriteEntry("Stopping...", EventLogEntryType.Information); else myLog.WriteEntry(exception.Message, EventLogEntryType.Error); myLog.Close(); myLog.Dispose(); } } }
Decoding Syslog PRI
Every syslog packet contains a PRI. This PRI is simply decoded and translated by making use of the appropriate regular expression.
... m_regex = new Regex("<([0-9]{1,3})>", RegexOptions.Compiled); ...
After decoding the decimal part of the PRI, I use a struct to translate it to Facility and Severity.
private enum FacilityEnum : int { kernel = 0, user = 1, mail = 2, system = 3, security = 4, internally = 5, printer = 6, news = 7, uucp = 8, cron = 9, security2 = 10, ftp = 11, ntp = 12, audit = 13, alert = 14, clock2 = 15, local0 = 16, local1 = 17, local2 = 18, local3 = 19, local4 = 20, local5 = 21, local6 = 22, local7 = 23, } private enum SeverityEnum : int { emergency = 0, alert = 1, critical = 2, error = 3, warning = 4, notice = 5, info = 6, debug = 7, } private struct Pri { public FacilityEnum Facility; public SeverityEnum Severity; public Pri(string strPri) { int intPri = Convert.ToInt32(strPri); int intFacility = intPri >> 3; int intSeverity = intPri & 0x7; this.Facility = (FacilityEnum)Enum.Parse(typeof(FacilityEnum), intFacility.ToString()); this.Severity = (SeverityEnum)Enum.Parse(typeof(SeverityEnum), intSeverity.ToString()); } public override string ToString() { return string.Format("{0}.{1}", this.Facility, this.Severity); } }
The first PRI match in the received message gets special attention.
See ‘The logging in Eventlog’ part for this.
...
Pri pri = new Pri(m_regex.Match(strReceived).Groups[1].Value);
...
Because syslog messages can be relayed, and a relay can add more PRI parts, every message can have more than one PRI. Every PRI is replaced by its human readable Facility.Severity pair.
private string evaluator(Match match) { Pri pri = new Pri(match.Groups[1].Value); return pri.ToString()+" "; } private void Log(EndPoint endPoint, string strReceived) { ... string strMessage = string.Format("{0} : {1}", endPoint, m_regex.Replace(strReceived, evaluator)); ... }
Translating Syslog Severity to EventLogEntryType
Windows Eventlog supports only a few useful EventLogEntryTypes: Error, Warning and Information. Every syslog Severity is mapped on one of these. This is only done to have a good discriminable part for any Sysadmin, or analyzer program which watches the Eventlog. Every syslog Severity is logged in full in the body of every Eventlog entry.
private EventLogEntryType Severity2EventLogEntryType(SeverityEnum Severity) { EventLogEntryType eventLogEntryType; switch (Severity) { case SeverityEnum.emergency: eventLogEntryType = EventLogEntryType.Error; break; case SeverityEnum.alert: eventLogEntryType = EventLogEntryType.Error; break; case SeverityEnum.critical: eventLogEntryType = EventLogEntryType.Error; break; case SeverityEnum.error: eventLogEntryType = EventLogEntryType.Error; break; case SeverityEnum.warning: eventLogEntryType = EventLogEntryType.Warning; break; case SeverityEnum.notice: eventLogEntryType = EventLogEntryType.Information; break; case SeverityEnum.info: eventLogEntryType = EventLogEntryType.Information; break; case SeverityEnum.debug: eventLogEntryType = EventLogEntryType.Information; break; default: eventLogEntryType = EventLogEntryType.Error; break; } return eventLogEntryType; }
The logging in Eventlog
Binding this all together, logging IP-address, Port-number, PRI translated message, logging in Windows Eventlog. Nice feature to use the first PRI as a eventlog Source, because new Eventlogs can (auto) register Source types, which you can filter etc.
private void Log(EndPoint endPoint, string strReceived) { Pri pri = new Pri(m_regex.Match(strReceived).Groups[1].Value); EventLogEntryType eventLogEntryType = Severity2EventLogEntryType(pri.Severity); string strMessage = string.Format("{0} : {1}", endPoint, m_regex.Replace(strReceived, evaluator)); EventLog myLog = new EventLog(m_EventLog); myLog.Source = pri.ToString(); myLog.WriteEntry(strMessage, eventLogEntryType); myLog.Close(); myLog.Dispose(); }
Points of Interest
When building services which use the network on a Windows XP machine, you have to deal with the built-in Firewall. For opening up the internal firewall for the service, this piece of code is needed:
private void FireWall() { ... Type NetFwMgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false); INetFwMgr mgr = (INetFwMgr)Activator.CreateInstance(NetFwMgrType); Type NetFwAuthorizedApplicationType = Type.GetTypeFromProgID("HNetCfg.FwAuthorizedApplication", false); INetFwAuthorizedApplication app = (INetFwAuthorizedApplication) Activator.CreateInstance(NetFwAuthorizedApplicationType); app.Name = settings.ServiceName; app.Enabled = true; app.ProcessImageFileName = Assembly.GetExecutingAssembly().Location; app.Scope = NET_FW_SCOPE_.NET_FW_SCOPE_ALL; mgr.LocalPolicy.CurrentProfile.AuthorizedApplications.Add(app); ... }
Don’t forget that you have to make a reference to c:\windows\system32\hnetcfg.dll — it makes an Interop.NetFwTypeLib.dll
Syslogd In action
I’m running a Dutch version of Windows XP, nice for all other programmers to see Services and Eventlog in Dutch!!
A sample Syslog entry of my router:
History
- As of writing, it is Version 1.0
I’m Alphons van der Heijden, living in Lelystad, Netherlands, Europa, Earth. And currently I’m retiring from hard working ( ;- ), owning my own company. Because I’m full of energy, and a little to young to relax …., I don’t sit down, but create and recreate software solutions, that I like. Reinventing the wheel is my second nature. My interest is in the area of Internet technologies, .NET etc. I was there in 1992 when Mosaic came out, and from that point, my life changed dramatically, and so did the world, in fact. (Y)
Can you forward Windows Event logs to Syslog? Yes, you can. We will show you how.
@VPN_News
UPDATED: September 21, 2023
Log messages have recently become very important. While every application and operating system generates system status messages, for decades, systems administrators just ignored them. The advent of Security Information and Event Management (SIEM) as a threat protection strategy turned this situation around. Now everyone is eager to collect and store every log message that all systems emit.
There are two major standards in operation for log messages: Windows Events and Syslog. Syslog is an open standard that is prevalent on Linux systems. Windows Events follow a proprietary standard that was created by Microsoft for its own products. However, third-party products also adopt the Windows Event log format when running on Windows. Similarly, some software creators decide to follow the Syslog messaging standard.
Log collectors and receivers
The need to collect all log messages in one place means that there needs to be a bridge between the two tribes of log messaging: Windows Events and Syslog. A log message manager in a Windows system will collect and file all Windows Events log messages but ignore Syslog messages that might be generated on other parts of the network. Similarly, a log file manager written for Linux would collect and store Syslog messages but it wouldn’t handle Windows Event log messages.
So, a systems administrator with both Windows and Linux systems to manage is left with at least two separate stores of log messages – one for Windows Events and one for Syslog messages. This is not a good scenario for intrusion detection. The solution to this problem means that either the Windows Event messages need to be converted into the Syslog format or that the Syslog messages should be converted into the Windows Event message format. Either strategy would enable all system messages to be stored in common files and be searched through by one single analytical tool.
There is a third strategy for consolidating Windows Events and Syslog messages, which is to convert them into a neutral format. Whether Windows Events are sent to a Syslog server or to a third-party consolidating tool, the process of sending those messages is known as Event log forwarding.
Event log forwarders and log servers
The Event log forwarder will operate on your own system. The log server and consolidator do not need to be resident on your premises. There are log servers that you can install on-site and there are others that are hosted Software as a Service system.
Many hosted systems offer the log collector, which is the Event log forwarder as part of the package. In these cases, the log collector still has to be installed on a Windows host on your site. This is usually termed an “agent.”
If you are consolidating files from Windows and Linux environments, you will also need to install a Syslog forwarder on one of your Linux machines. SaaS log file management systems also provide a Linux-resident agent. If you run your log file server on your own site, the log collector/forwarder and the log server will still be separate packages. The server is intended as a manager for all log messages whether they be Windows Events or Syslog.
Free Event log forwarder and log consolidators
You don’t have to pay for an Event log forwarder or a log server and consolidator because there are some free packages available. One of the things that you need to consider is whether the two services that you choose are compatible. As both Windows Events and Syslog are universally-known standards, the likelihood of incompatibility is slim. However, it is still a good idea to check for compatibility, just in case.
You eradicate the possibility of incompatibility if you get both an Event log forwarder and a log file server from the same provider. This is the strategy that we will follow in this guide. Here we use two free utilities from SolarWinds. These are:
- SolarWinds Event Log Forwarder for Windows (FREE TOOL)
- Kiwi Syslog Server Free Edition (FREE TOOL)
As you have probably already guessed from the names of these two tools, we will deal with the incompatibility between log file formats by converting Windows Event log messages into a Syslog format and then send them to a Syslog server. The server is also capable of receiving Syslog messages from a Linux-based log message collector.
Both of these utilities run on the following operating systems:
- Windows Server 2016
- Windows Server 2012 and 2012 R2
- Windows 10
- Windows 8.1
- Windows 8
The Event Log Forwarder will also run on these Windows versions:
- Windows 7 and Windows 7 SP1
- Windows Server 2008, 2008 SP2, 2008 R2, and 2008 R2 SP1 *
- Windows Server 2003 R2 SP2 *
Let’s get on and install these two software packages.
Install SolarWinds Event Log Forwarder for Windows
The Event Log Forwarder is available for free download at the SolarWinds website. It needs to be installed on each computer from which you want to collect Event log messages. Click on the Download button to access the page.
SolarWinds Event Log Forwarder for Windows
Download 100% FREE Tool
Fill in the contact details form on the download access page and then press the Proceed to Free Download button.
You will be offered a free 30-day free trial of the SolarWinds Log Analyzer. Whether you choose this offer or not, the next screen gives you a download link in the form of a button, labeled Download Now.
Click on the button to get the download, which is a zipped folder. When the download completes, open the folder. Extract the files from the zip container.
Double-click on the second item in the folder, which is an installer. Windows will ask you for permission to run the file. Press OK. This will launch an installation wizard. Accept the Terms and Conditions and cycle through the installation stages by clicking on the Next button. Press the Finish button on the last page of the installer.
Set up the Event Log Forwarder
Once the installer closes, open the Event Log Forwarder by clicking on its entry in the Start menu or its icon on your Desktop. Windows will ask you for permission before the service opens.
The Dashboard for the system has a large blank panel in it when you first run it.
Specify Event collection parameters
In order to get the collector running, you need to add a type of message for it to capture.
Click on the Add button at the top of the display panel.
The Event type selection screen enables you to filter the events that will get forwarded to the Syslog server. This will cut down on traffic. However, if you are gathering log records to be used by a SIEM system, you might be required to send all events.
As you select filters for the messages, you can see the records that your setup will capture by pressing the Show preview of matching event records button, which is underneath the left panel on the screen.
There are three ways to select the types of log records that will be collected. The first lies with the specification of the sources of log messages that you would like to collect. This is enabled through a hierarchy structure shown on the left panel of the screen. Check the box at the root of the hierarchy to select all events. This filtering method can be refined through a drop-down list of event sources. This is a list of subcategories of the systems you selected in the left-hand panel.
The second filtering option is at the top of the main panel of the Add screen. This allows you to select the severity of events that you want to collect. The options here are to collect messages with the level of Error, Warning, and Information.
The third method for filtering allows you to specify task categories, user accounts, or computers to extract log records for. The Task Category option is a little obscure because it works on a list of IDs. So, you would need to know the identifiers of each of the specific categories you want to collect log records for in order to use this feature meaningfully. The selection of these Task Categories is through a drop-down list that has all of the categories checked by default. This list only gets populated after you have selected event sources in the left-hand panel.
It is also possible to use task category IDs in the Include or Exclude Event field above the Task Category drop-down list. If you want to capture all events except for a given list, put a minus sign in front of the ID for each event type.
After completing the event source selection, click on the Next button to proceed. This takes you to the Define Priority screen.
Select the Default Syslog Facility that the event records will be forwarded to the syslog server(s). This value, together with the Event Type on each message is used to generate the Priority value that will be added into each record when it is converted into the Syslog standard.
Click on the Finish button to return to the main screen.
You will now see an entry in the main detail panel of the Home screen in the Dashboard.
Specify a Syslog server
The next step is to tell the Event Log Forwarder where to send its converted event logs. Click on the Syslog Servers tab at the top of the main panel on the Home screen. Click on the Add button to proceed.
In the Add Syslog Server screen, enter the IP address of the host of the Syslog server utility. If you subscribe to a SaaS system for logfile consolidation, you should put in the IP address given to you in the setup guide for that service. If you will be using an installed Syslog server, put in the IP address of the computer that you installed it on – or intend to install it on. Leave the Port and Protocol fields as they are because these are industry standard values.
The Server Name field gives you an opportunity to put your own label on this Syslog server record, in case you set up several servers. If you only have one, the name you choose doesn’t matter too much because you won’t need to distinguish between the records that will appear in the Syslog Server section of the Home screen on the Dashboard.
Press the Create button to return to the main screen of the Dashboard.
Check the settings of Event Log Forwarder
In the main screen of the Event Log Forwarder, click on the Test tab in order to check whether the setup of the collector has been performed correctly. Select an event type in the Event logs you wish to add a test event to: drop-down list. Select the All option. Select an event type in the second field, such as Warning.
Click on the Create a test event button to run the test. You should see a success or failure notification.
Use a Syslog server
Now the setup of your Event log forwarder is complete. However, you will also need to set up a Syslog server in order to benefit from this message forwarding system. We recommend using the Kiwi Syslog Server Free Edition, which you can download from the SolarWinds website.
SolarWinds Kiwi Syslog Server Free Edition
Download
In order to download this server, you need to fill in a form, which is the same as the form you filled in to get the Event Log Forwarder.
Download the service, unzip the download container and run the install Wizard to get the Syslog server on your host.
In order to test whether the Syslog Server is set up correctly, go back to the Event Log Forwarder and run a test. With the Kiwi Syslog Server operational, you should see a test message appear in the Syslog Server dashboard.
If you are in the market for a full package of system and network administration tools, you could consider the Small Business Network Management Bundle. This includes the Kiwi Syslog Server as well as Kiwi CatTools, which helps you manage backups from network device configurations. You also get a Network Topology Mapper with this package. Finally, the group of software provides the Engineer’s Toolset, which contains more than 60 system and network administration tools in one console. Take a look at the Small Business Network Management Bundle with a 14-day free trial.
SolarWinds Small Business Network Management Bundle
Start a 14-day FREE Trial