This is one of the common ask questions, as due to the fact network device default syslog, but for Windows machine (server, workstation or desktop) is default Windows Event Log.
So for most of the customer intent to achieve log consolidation, it is no practical to keep one box for network device in syslog, and another box in windows event log. Depend on the actual final intent for what the purpose. Some is just require forwarding windows event log and keep into syslog server, but other is intent to achieve “normalization” and make windows event log become syslog format for easy log correlation and analysis, typical security information and event management (SIEM) need.
For translation windows event log to syslog, had both commercial and freeware way to accomplish it. Both did require install the agent into windows machine.
Below will be explain how to accomplish it with the freeware manner.
Make use of Event Log Forwarder for Windows, it is Freeware and can be install into windows automatically forward Windows event logs as syslog messages to any syslog service.
- It Forward Windows events based on event source, event ID, users, computers, and keywords in the event to your syslog server in order to take further action.
- Key benefits for doing that:
- Quickly specify and automatically send events from workstations and servers
- Export event data from Windows servers and workstations
- Specify events to forward by source, type ID, and keywords
- Forward events to external systems to alert, store, and audit activity
- Send events to multiple servers over UDP or TCP
It can be used to send syslog messages to NPM Server or Kiwi Syslog Server.
Event Log Forwarder for Windows can run on the following Windows operating system versions (both x86 and x64 editions are supported):
- Windows 10
- Windows 8 | Windows 8.1
- Windows 7 | Windows 7 SP1
- Windows Server 2016
- Windows Server 2012 | 2012 R2
- Windows Server 2008 | 2008 SP2 | 2008 R2 | 2008 R2 SP1 *
- Windows Server 2003 R2 SP2 *
Event Log Forwarder for Windows is a tool that runs on a Windows system, forwarding event log records to a Syslog Server via User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).
Event Log Forwarder for Windows comprises of two standard application executables (.exe):
- The Service (
- The User Interface (
Event Log Forwarder for Windows Service is named “SolarWinds Event Log Forwarder for Windows” and is installed and started during the installation process. To check or to manage Event Log Forwarder for Windows Service (start, stop, restart etc.) is via Windows Services manager or Windows command prompt:
Net Start "ServiceName".
The Event Log Forwarder for Windows User Interface (UI) allows you to configure the Service, can (depending on which options were selected during installation) be opened using the SolarWinds Event Log Forwarder for Windows desktop shortcut item, the Quicklaunch item, or from the SolarWinds Event Log Forwarder for Windows Program group accessible from the Windows Start button.
Event Log Forwarder for Windows supports forwarding of both Windows Eventing 5 and 6 event records.
- Windows eventing 5 Event Log records – > Windows O/S versions prior to Windows Vista and Windows Server 2008
- Windows eventing 6 (“Crimson”) Windows Event Log records – > versions of Windows based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008, 2012)