In order to send events from a Windows device to a remote syslog server like Log Insight, you need a syslog agent. Windows does not natively support syslog. The good news is that several syslog agents for Windows exist. I would like to cover my considerations and recommendations for a syslog agent on Windows.
UPDATE: As of Log Insight 2.0, Log Insight offers a free Windows agent that supports the syslog protocol and Log Insight’s ingestion API. For more information see these posts.
Introduction
Windows does not natively support syslog. Instead, Windows provides the Windows Event Log, henceforth referred to as eventlog, which is used primarily by Microsoft products and by applications that record events of warning severity or higher. While non-Microsoft applications may write to the eventlog, it is common for them to log to files in a directory on the file system. Several third-party syslog agents exist to add syslog functionality to Windows. When selecting a syslog agent for Windows it is important to understand the requirements beforehand. I often see people recommending syslog agents that are only capable of handling eventlog messages; eventlog-to-syslog is an example of such an agent. While collecting eventlog messages is important, they are often not sufficient for complete troubleshooting and root-cause analysis of issues within an environment. Using VMware vCenter Server as an example, vCenter Server writes its logs to files rather than to the eventlog. My recommendation is to go with a syslog agent that is capable of handling both the eventlog and log files.
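To make the eventlog-versus-log-file distinction concrete, here is a minimal "syslog agent" in PowerShell that does both jobs in one pass: it converts recent eventlog records to RFC 3164 syslog lines and forwards new lines from an application log file, all over UDP. This is an added example, not code from this post or from any of the agents reviewed below. The collector address 192.0.2.10:514 (a TEST-NET address), the System log and the log file path are assumptions; replace them with your own.

```powershell
<#
  Added example (not from the original post or from any reviewed agent): a minimal
  PowerShell syslog forwarder covering both the Windows eventlog and an
  application log file. Assumptions: collector 192.0.2.10:514 over UDP (RFC 3164
  framing), the System log, and a hypothetical log file path.
#>
param(
    [string]$Collector = '192.0.2.10',                          # assumed collector
    [int]$Port        = 514,
    [int]$Facility    = 1,                                      # syslog facility 1 = "user"
    [string]$LogName  = 'System',
    [string]$LogFile  = 'C:\ProgramData\ExampleApp\app.log',    # hypothetical path
    [int]$MaxEvents   = 20
)

# Windows eventlog levels -> syslog severities (RFC 5424, table 2):
#   Critical=1 -> crit(2), Error=2 -> err(3), Warning=3 -> warning(4),
#   Information=4 / LogAlways=0 -> info(6), Verbose=5 -> debug(7)
$LevelToSeverity = @{ 1 = 2; 2 = 3; 3 = 4; 4 = 6; 0 = 6; 5 = 7 }

function Format-Rfc3164Header {
    param([int]$Severity, [datetime]$When)
    $pri = ($Facility * 8) + $Severity
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    # RFC 3164 timestamp is "Mmm dd HH:mm:ss" with a space-padded day of month.
    $ts  = '{0} {1,2} {2}' -f $When.ToString('MMM', $inv), $When.Day, $When.ToString('HH:mm:ss', $inv)
    "<$pri>$ts $env:COMPUTERNAME"
}

function ConvertFrom-EventRecord {
    # Turns one EventLogRecord into a single-line syslog message.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $sev = $LevelToSeverity[[int]$Event.Level]
    if ($null -eq $sev) { $sev = 5 }                   # unknown level -> notice
    $msg = $Event.FormatDescription()
    if (-not $msg) { $msg = '(no message)' }
    $msg = $msg -replace '\s+', ' '                    # syslog messages are one line
    '{0} {1}[{2}]: {3}' -f (Format-Rfc3164Header $sev $Event.TimeCreated),
                           $Event.ProviderName, $Event.Id, $msg
}

function Get-NewFileLines {
    # Returns lines appended to $Path since the last call; $State keeps the byte offset
    # per file and restarts from the top if the file was rotated or truncated.
    param([string]$Path, [hashtable]$State)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')   # do not block the writer
    try {
        $start = if ($State.ContainsKey($Path)) { $State[$Path] } else { 0 }
        if ($fs.Length -lt $start) { $start = 0 }
        [void]$fs.Seek($start, 'Begin')
        $reader = New-Object System.IO.StreamReader($fs)
        $text   = $reader.ReadToEnd()
        $State[$Path] = $fs.Length
        return @($text -split "`r?`n" | Where-Object { $_ -ne '' })
    } finally { $fs.Dispose() }
}

function Send-SyslogLines {
    param([string[]]$Lines)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        foreach ($line in $Lines) {
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
            [void]$udp.Send($bytes, $bytes.Length, $Collector, $Port)
        }
    } finally { $udp.Dispose() }
}

# One collection pass: eventlog records first, then new application-log lines.
$offsets = @{}
$out = @()
$out += Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-EventRecord $_ }
$out += Get-NewFileLines -Path $LogFile -State $offsets |
        ForEach-Object { '{0} ExampleApp: {1}' -f (Format-Rfc3164Header 6 (Get-Date)), $_ }
Send-SyslogLines $out
"Forwarded $($out.Count) messages to ${Collector}:$Port"
```

Run it from a loop or a scheduled task to approximate what the agents below do continuously. Everything it sends is cleartext UDP with no delivery guarantee, which is exactly the limitation the free agents share, so point it only at a collector on a trusted network.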
Cygwin: Syslog-NG
Introduction
Cygwin provides a POSIX-compatible environment on Windows, so many Linux applications can be built and run there. This means Linux syslog agents can run on Windows as well. Currently, syslog-ng is available through Cygwin. Rsyslog is not, due to library constraints; however, rsyslog does have a separate Windows agent available here: http://www.rsyslog.com/windows-agent/.
Installation
- Download Cygwin here: http://www.cygwin.com/install.html
- Go through the installation process taking all the defaults until you get to Select Packages
- Under Select Packages enter syslog-ng in the search box then select both items returned
- Finish installation process taking defaults
Configuration
See my post here: https://sflanders.net/2013/10/22/syslog-agents-linux/
Other Information
Pros
- Supports the same configuration of Syslog-NG used on Linux
- Free to use
Cons
- Runs a Linux-style (Cygwin) environment on Windows rather than a native service
- Security concerns (an additional POSIX layer and toolchain to keep patched and hardened)
- Windows administrators may not know Linux
- No GUI interface
- Does not easily support monitoring directory of files
Misc
For an example of how to configure Cygwin to forward vCenter Server events on Windows see: http://www.virtuallyghetto.com/2012/08/forwarding-vcenter-server-logs-to.html
Datagram
Introduction
From Datagram SyslogAgent:
SyslogAgent is a Windows add-on, allowing Windows EventLog events as well as other Windows applications logs to be sent to a syslog server. SyslogAgent is installed as a transparent service on Windows.
Installation
- Download the agent available here: http://www.syslogserver.com/download.html
Configuration
- Configure the hostname, IP address and UDP port of the remote collection server
- Configure eventlogs to forward
- Configure application logs to forward
Other Information
Pros
- Native Windows support
- GUI-based
- Can monitor directories of files
- No other dependencies
Cons
- No longer supported
- UDP is the only supported protocol in the free version (TCP can be enabled, see below)
Misc
Big thanks to my colleague Stan Dorsett for pointing out a way to get TCP support:
- Close “SyslogAgentConfig.exe”
- Go to Start > Run in the Windows Start Menu, type regedit and click OK.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent and single-click the SyslogAgent key. The registry values appear in the right pane. (On 64-bit Windows the key may instead be under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Datagram\SyslogAgent, as a reader notes in the comments below.)
- Double-click “TCPDelivery” and change the 00 on the right of the value to 01. Then click OK.
- Close the regedit window, then open “SyslogAgentConfig.exe” again. You will notice the UDP options are now disabled. ***DO NOT CLICK ON THEM*** (doing so would revert the change).
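The same change scripted from an elevated PowerShell session, with a registry backup and the WOW6432Node fallback reported in the comments. This is an added example, not from this post or from Datagram. It assumes the TCPDelivery value is stored as a one-byte REG_BINARY (00/01), as the regedit steps imply; the script keeps whatever value type it actually finds.

```powershell
<#
  Added example (not from the original post or from Datagram): enable the
  undocumented TCPDelivery setting of the Datagram SyslogAgent from PowerShell.
  Assumption: the value is REG_BINARY 00/01 as the regedit steps above imply;
  the existing type is preserved either way. Run from an elevated session.
#>
$candidates = @(
    'HKLM:\SOFTWARE\Datagram\SyslogAgent',
    'HKLM:\SOFTWARE\WOW6432Node\Datagram\SyslogAgent'   # where a reader found it on 64-bit Windows
)
$key = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $key) { throw 'Datagram SyslogAgent key not found; is the agent installed?' }

# The configuration GUI rewrites the key on exit, so refuse to run while it is open.
if (Get-Process -Name SyslogAgentConfig -ErrorAction SilentlyContinue) {
    throw 'Close SyslogAgentConfig.exe before changing the registry.'
}

$current = (Get-ItemProperty -Path $key -Name TCPDelivery -ErrorAction Stop).TCPDelivery
"TCPDelivery at $key is currently: $($current -join ' ')"

# Export the key first so the change can be reverted with `reg import`.
$backup  = Join-Path $env:TEMP 'Datagram-SyslogAgent.reg'
$regPath = $key -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $regPath $backup /y | Out-Null
"Backup written to $backup"

# Keep the existing value type: a byte array stays REG_BINARY, anything else becomes DWORD 1.
$new = if ($current -is [byte[]]) { [byte[]]@(1) } else { 1 }
Set-ItemProperty -Path $key -Name TCPDelivery -Value $new

$after = (Get-ItemProperty -Path $key -Name TCPDelivery).TCPDelivery
"TCPDelivery at $key is now: $($after -join ' ')"

# Restart the agent service afterwards so it picks up the new setting
# (the service name is not given in the post; locate it with Get-Service -DisplayName '*Syslog*').
```

Because TCP delivery is undocumented, verify on the collector that messages actually arrive over TCP after the change rather than trusting the GUI, and keep the exported .reg file so you can roll back if the agent misbehaves.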
More information about the agent can be found here: http://www.syslogserver.com/Datagram%20SyslogAgent%20manual.pdf
UPDATE: For a great tutorial on how to use Datagram, take a look at this post: http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/configuring-syslog-agent-windows-server-2012.html
InterSect Alliance: Snare, Epilog
Introduction
From InterSect Alliance:
InterSect Alliance International provides software and services in the area of Security Information and Event Management (SIEM). The ‘Snare’ range of collection, analysis, reporting and archival tools form a complete event logging and management ecosystem.
Installation
- Snare: https://www.intersectalliance.com/wp-content/uploads/2014/03/Guide_to_Snare_for_Windows-4.2.pdf
- Epilog: https://www.intersectalliance.com/wp-content/uploads/2014/03/Guide_to_Snare_Epilog_for_Windows-1.7.pdf
Configuration
- Snare: http://localhost:6161/ (snare/<passwordDuringInstallation>)
- Epilog: http://localhost:6162/ (snare/<passwordDuringInstallation>)
- Configure the hostname, IP address and UDP port of the remote collection server
- Epilog: Specify what files to monitor
Other Information
Pros
- Native Windows support
- Supports wildcard file matching
- Real-time filtering of events
Cons
- Two separate clients for eventlog and standalone files
- Configuration is done through a local web interface (installed with the product); without it, settings must be changed directly in the registry
- Cannot monitor directory of files (does support wildcard file matching)
- UDP only in free version
Misc
More information about the agents can be found here: http://www.intersectalliance.com/resources/index.html. An enterprise version of the agents exists that offers the following benefits:
Summary
While Windows does not natively support syslog, several free syslog agents are available and capable of providing the same level of functionality that syslog agents on Linux provide. Again, it is important to consider requirements when selecting a syslog agent, and on Windows it is important to distinguish the eventlog from application log files. Note also that the free versions covered here send syslog over UDP, which is neither reliable nor authenticated, so keep the collector on a trusted management network and prefer TCP where the agent allows it. If you are interested in a different Windows syslog agent, let me know in the comments!
UPDATE 2013-11-08: Thanks to a tip from my colleague Stan Dorsett, I learned that TCP can be enabled (though not documented so likely unsupported) on the Datagram syslog agent. Details in the Datagram section above.
UPDATE 2013-12-05: Updated information about Intersect Alliance.
UPDATE 2014-10-09: It has been brought to my attention that Syslog-NG now offers a free Windows agent. More information here.
© 2013 – 2021, Steve Flanders. All rights reserved.
I’d recommend taking a look at nxlog. It can pull logs from eventlog, files and more. Allows you to send in several formats not limited to UDP syslog only. It’s far more capable than any other agent I have come across so far. Already have it deployed on 130+ hosts.
Syslog-ng also has a native Windows agent, with AD based configuration.
True, though it requires the Enterprise version, right? So unfortunately not free.
Hi Steve – Appreciated this pointer, although I found the SyslogAgent reg key under \\HKLM\Software\WOW6432Node\Datagram\SyslogAgent
Thanks for the update — I suspect much has changed since this post was written 🙂
Apache MiNiFi is another full open source option.
Have not heard of this one — will check it out!