Start networking and exchanging professional insights

Register now or log in to join your professional community.

Follow

How to send eventlog from windows server to centralize rsyslog Linux server?

user-image
Question added by Mohd Montaser Islam , SENIOR DEVOPS ENGINEER , INUMENT SOLUTIONS LTD.
Date Posted: 2016/04/20
Deleted user
by Deleted user

using syslog agent on windows

Bisharat Akram
by Bisharat Akram , System Administrator , Logic Matrix Technologies

For my testing, I selected the free Datagram SyslogAgent. From the product page, I clicked the Download and then selected the Datagram Syslog Agent 64-bit download (don’t choose the Syslog Server at the top of the page). Note that you can either go to this webpage directly from the server where you want to install the syslog agent on or you can download it on your local computer and then transport it the Windows server via the network or USB key.

If you extract the 2MB Syslog file that you downloaded, there are a few files but the only three important files are the PDF user’s manual, the SyslogAgent configuration tool, and the SyslogAgent that you need to install on the server.

ImageFigure 1: SyslogAgent Installation Files

In the sense of a traditional Windows application install, there is not one for the SyslogAgent service. You just run the SyslogAgentConfig tool and click Install under the Service Status section at the top.

ImageFigure 2: Installing the SyslogAgent Service

This will create the Windows service for the SyslogAgent.

Before you get too excited and start the service, let’s first configure it.

The minimum configuration would be:

  • That the service is install
  • A syslog server IP and port are configured
  • That either event or application logs are selected to be sent to the syslog host (for whatever type of events and/or applications you choose)
  • And that the syslog agent service is started.

To select where the log data from your Windows host will be sent, enter the IP address of the syslog host, as you see in the graphic, Figure 2, above. In my case, the Log Insight syslog server’s IP address was 10.0.1.120 and we were using UDP port 514.

With this enabled, I checked the Event Logs option and selected what type of event logs I wanted. For system monitoring, I would recommend sending “system logs” but you are welcome to send any type of logs you want such as security logs for auditing purposes.

ImageFigure 3: Selecting the Event Logs to Send to the Syslog Host

Optionally, you can configure the application log events to forward and even customize their facility and severity, as you see in Figure 4.

ImageFigure 4: Customizing Facility and Severity

Optionally, you can choose to send events from specific Windows applications to the syslog host, even specifying the executable for the custom application (as you see at the bottom of Figure 2).

Once you’ve got it configured, click Start Service.

You are welcome to double check your Windows services to see that the SyslogAgent is added and running as you see below in Figure 5.

ImageFigure 5: SyslogAgent Running in Services

With the syslog agent running, let’s go check our syslog server to see if it is receiving messages from our Windows 2012 Server.

Testing Syslog with VMware vCenter Log Insight

Let’s assume that your syslog server was installed and is running fine, at the IP address you specified on the agent. In my case, I am using the new VMware vCenter Log Insight as my syslog host but there are numerous options.

Over on the vCenter Log Insight console, indeed, I was quickly able to identify syslog traffic coming from my Windows 2012 Server (with a DNS name of HV1).

ImageFigure 6: Windows Server Syslog Message on vCenter Log Insight

The graphic shows that the syslog server is reporting administrative user logins and logouts (at least in this part of the log) – something that would be very valuable for security audit purposes. Keep in mind that the syslog entries from Windows won’t just be security info. They’ll contain important system and application events as well.

More Questions Like This