Event Log Forwarding (Windows) to Syslog
Last Updated : 02/06/2023
Event log forwarding is a good way to consolidate all event logs in a central location or on a central server (Syslog, etc.), so you no longer have to log in to every server and check its logs individually. There are several ways of accomplishing this in your Windows environment: natively, using WinRM and PowerShell commands, or with software that configures all aspects of forwarding for you. We'll go over the basics of forwarding via a software solution.
A couple of benefits of forwarding event logs in Windows are as follows:
- Specify which events are forwarded by ID, source, type, or any other parameter you would like to filter on.
- Store events for auditing purposes.
- Consolidate and filter events in one location/server.
Before you start:
Grab a Free copy of Kiwi Syslog server and install it on the machine you would like to dedicate to Syslog.
Related Post: What Is Syslog
Now let's install the FREE software utility provided by SolarWinds called “Event Log Forwarder for Windows“. Grab the download from HERE and install it on every Windows Server you want to forward event logs from.
After installation is finished and you've started the Application, you will see the main screen as highlighted below:
Now click the ADD button and select which event logs you would like to forward to your Syslog server.
You also have the option to drill down into event sources, specify which events to exclude/include, and filter by keywords, users, or computers. You can filter by multiple parameters on this screen.
Now click NEXT to move on to the next screen and finish the process.
Add Syslog Server
Now that you've setup the forwarding feature, we'll need to specify the Syslog server that we want to send event logs to.
Click on the “Syslog Servers” tab and click the “Add” button to specify the IP address, port, and other pertinent information for your syslog server, as seen below:
Now that you've added your syslog server information, if needed, you may also send some Test events using the “TEST” tab at the top to ensure everything is configured properly.
This utility should be installed on every Windows server whose event logs you want to forward to a Syslog server. It has a small footprint and runs silently in the system tray with little user intervention needed.
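To make the process above concrete, here is a small PowerShell script that does natively what the forwarder utility does: it pulls a filtered set of events from the Windows event logs (the equivalent of the ADD screen's log/event ID filter), formats each one as an RFC 5424 syslog message, and sends it over UDP to the syslog server entered on the “Syslog Servers” tab. This is an added example written for this page, not SolarWinds' code; the collector address 192.0.2.10, port 514, the event IDs in the filter, and the enterprise number 32473 in the structured-data element (the number RFC 5424 reserves for examples) are all assumed values.

```powershell
# Added example (not the forwarder utility's own code): forward filtered
# Windows events to a syslog collector over UDP in RFC 5424 format.
# Run elevated: reading the Security log requires administrator rights.
param(
    [string]$SyslogServer = '192.0.2.10',   # assumed collector address (documentation range)
    [int]$SyslogPort = 514,                 # assumed UDP syslog port
    [int]$Facility = 13,                    # 13 = log audit (RFC 5424 facility table)
    [int]$MinutesBack = 5                   # how far back to read on this run
)

# Windows event Level -> syslog severity (RFC 5424 section 6.2.1).
# Level 1 Critical, 2 Error, 3 Warning, 4 Information, 0 LogAlways, 5 Verbose.
$SeverityMap = @{ 1 = 2; 2 = 3; 3 = 4; 4 = 6; 0 = 6; 5 = 7 }

# SD-PARAM values must escape double quote, backslash and closing bracket.
function Protect-SdValue {
    param([string]$Value)
    return ($Value -replace '([\\\]"])', '\$1')
}

function ConvertTo-SyslogMessage {
    param([Parameter(Mandatory)] $Event, [int]$Facility)
    $severity = $SeverityMap[[int]$Event.Level]
    if ($null -eq $severity) { $severity = 6 }
    $pri       = ($Facility * 8) + $severity
    $timestamp = $Event.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $hostname  = $env:COMPUTERNAME
    # APP-NAME is printable ASCII, max 48 chars; use the event provider.
    $appName = ($Event.ProviderName -replace '[^\x21-\x7E]', '_')
    if ($appName.Length -gt 48) { $appName = $appName.Substring(0, 48) }
    # Structured data the collector can filter on. 32473 is the example
    # enterprise number reserved by the RFC, an assumption for this script.
    $sd = '[win@32473 log="{0}" eventId="{1}" recordId="{2}"]' -f `
        (Protect-SdValue $Event.LogName), $Event.Id, $Event.RecordId
    # Flatten the multi-line message and keep the datagram well under 2 KB.
    $body = ($Event.Message -replace '\r?\n', ' ')
    if ($body.Length -gt 1800) { $body = $body.Substring(0, 1800) }
    return "<$pri>1 $timestamp $hostname $appName - $($Event.Id) $sd $body"
}

function Send-Syslog {
    param([string[]]$Messages, [string]$Server, [int]$Port)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        foreach ($m in $Messages) {
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($m)
            [void]$udp.Send($bytes, $bytes.Length, $Server, $Port)
        }
    } finally { $udp.Close() }
}

# The filter stands in for the utility's ADD screen. Assumed selection:
# logon success/failure from Security and service state changes from System.
$filter = @{
    LogName   = 'Security', 'System'
    Id        = 4624, 4625, 7036
    StartTime = (Get-Date).AddMinutes(-$MinutesBack)
}
$events   = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$messages = foreach ($e in $events) { ConvertTo-SyslogMessage -Event $e -Facility $Facility }
if ($messages) { Send-Syslog -Messages $messages -Server $SyslogServer -Port $SyslogPort }
Write-Host "Forwarded $(@($messages).Count) event(s) to ${SyslogServer}:$SyslogPort"
```

Schedule it with Task Scheduler at the same interval as `$MinutesBack` so each run picks up where the last left off. UDP syslog carries no authentication or encryption, so keep the collector on a trusted management network or switch the transport to TCP with TLS where the collector supports it; on the Kiwi side, the messages arrive with facility 13 and can be filtered there on the `eventId` field.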
- Kiwi Syslog Server FREE Edition: Download Kiwi Syslog Server
- Event Log Forwarder Utility FREE: Download Event Log Forwarder Utility
Event Log Forwarding FAQs
How does Event Log Forwarding work?
Event Log Forwarding works by using the Windows Remote Management (WinRM) protocol to send event logs from the source server to the collector server.
What are the benefits of using Event Log Forwarding?
The benefits of using Event Log Forwarding include: centralized event log management, improved security and auditability, and reduced disk space usage on the source server.
What types of events can be forwarded using Event Log Forwarding?
Event Log Forwarding can be used to forward events from various logs including: Application, System, Security, and custom logs.
How do you configure Event Log Forwarding in Windows Server?
Event Log Forwarding can be configured in Windows Server through Group Policy, from the command line, or through the GUI.
Is Event Log Forwarding secure?
Yes, Event Log Forwarding is secure: it uses the WinRM protocol, which authenticates and encrypts the traffic, to send event logs between servers.
What are the limitations of Event Log Forwarding?
The limitations of Event Log Forwarding include: increased network traffic, increased CPU usage on the collector server, and potential security risks if it is configured improperly.
Can Event Log Forwarding be used with other operating systems besides Windows Server?
No, Event Log Forwarding is a feature specific to Windows Server and is not available on other operating systems. However, other methods exist for collecting and sending log information on other platforms.