
In Windows, I am using the "Eventlog to Syslog" utility to send event logs to the Linux syslog server (syslog-ng). But I can't do the same with some log files, especially in the case of the IIS log.

Why is it impossible with the named tool?

How could I send these log files to the syslog server using the eventlog to syslog utility?

peterh
Arun


I use nxlog for this, which ends up sending Windows event logs, IIS logs, Exchange logs, and more to (in my case) a central nxlog server where it gets written to files and sent to an ELK stack. It's free, native and multiplatform, so we use it on Windows and Linux. It can send over TLS too, and can send using JSON if you want.

http://nxlog-ce.sourceforge.net/

Cameron Kerr
  • The Linux syslog server I am using is syslog-ng, so would it be better to use the same syslog server's Windows agent, in this case the Windows syslog-ng agent? – Arun May 08 '15 at 04:37
  • No, as you will lose a lot of information. You can gain a lot by exporting logs uniformly as JSON. – Cameron Kerr May 08 '15 at 07:12
  • Is it possible to use nxlog in Windows and forward the logs to the Linux syslog-ng server? In my case it's difficult to change the syslog-ng servers in Linux. – Arun May 15 '15 at 05:14
  • Yes, you can. But what then? You may find that there is a pile of poorly structured log data. You may like to convert the format first to something that can be usefully flattened, such as JSON – Cameron Kerr May 15 '15 at 05:16
  • New to this logging environment and tools, hence lots of doubts. To be clear: 1) In the input module of nxlog, format/parse the logs to JSON. 2) In the output module, provide the syslog-ng server info. 3) In the route, forward the input to the output. Correct me if I'm wrong, Cameron. – Arun May 15 '15 at 06:30
  • In input you read from the windows event log and do any parsing (adding fields etc). I suggest you do your conversion to JSON in your output, then to syslog. – Cameron Kerr May 15 '15 at 07:52
  • Took a while for me to configure and check. It was working fine the logs were forwarded to the syslog server in the required format. Appreciate the guidance provided Cameron Kerr – Arun May 19 '15 at 06:46
  • You should put a filter in place to configure which messages you want sent. Will be rather high volume otherwise. – Cameron Kerr May 19 '15 at 07:07
  • Using the nxlog 'im_mseventlog' module I'm able to forward all Windows logs (Application, Security, System...) to the remote syslog server. But I'm not able to forward event logs present under 'Application and Service Logs -> Microsoft -> Windows -> Windows Firewall with Advanced Security' to the syslog server using nxlog. Is there any module to forward those event logs? – Arun Jul 09 '15 at 06:49
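
A complete nxlog CE configuration that puts the steps discussed in this thread together: an event log input with a filter (so not every event is shipped), an IIS W3C log file input (the part "Eventlog to Syslog" cannot do, since it only reads the event log), JSON conversion in the output, a TCP syslog output towards syslog-ng, and a single route. This is an added example written for this page, not nxlog's own sample config and not something the answerer posted. The collector address 192.0.2.10, the IIS site directory W3SVC1, the nxlog field names for the IIS columns (the list must match the #Fields header in your u_ex*.log files), and the firewall channel name are assumptions to adjust for your hosts. Reading the "Windows Firewall with Advanced Security" channel uses im_msvistalog, which queries any channel by its path, rather than im_mseventlog, which only covers the classic logs; that goes one step beyond what the thread itself settles.

```nxlog
## Added example for this page: nxlog CE on a Windows host shipping the
## Windows event log and IIS W3C logs as JSON-in-syslog to syslog-ng.
## Assumptions: nxlog installed in the default directory, syslog-ng listening
## on TCP 192.0.2.10:514, IIS site ID 1 logging in W3C format.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# to_json() serialises every field of the event record into $Message.
<Extension json>
    Module  xm_json
</Extension>

# to_syslog_bsd() wraps $Message in a syslog header syslog-ng understands.
<Extension syslog>
    Module  xm_syslog
</Extension>

# Parser for the IIS W3C columns. Field order and count MUST match the
# "#Fields:" header of the log files (assumed here: the IIS 8 default set).
<Extension w3c>
    Module      xm_csv
    Fields      $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, \
                $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, \
                $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes  string, string, string, string, string, string, integer, string, \
                string, string, string, integer, integer, integer, integer
    Delimiter   ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

# Event log input. The XPath query is the filter: logon success/failure from
# Security, warnings and above from System and Application, and everything
# from the firewall channel (name assumed as shown in Event Viewer; verify
# it under the log's Properties on the host).
<Input eventlog>
    Module  im_msvistalog
    Query   <QueryList>                                                       \
                <Query Id="0">                                                \
                    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select> \
                    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select> \
                    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select> \
                    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> \
                </Query>                                                      \
            </QueryList>
</Input>

# IIS log input: tail the W3C files, drop the "#" header lines, parse the
# rest into fields. IIS writes timestamps in UTC by default.
<Input iis>
    Module  im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*.log"
    SavePos TRUE
    ReadFromLast TRUE
    Exec    if $raw_event =~ /^#/ drop();                          \
            else {                                                  \
                w3c->parse_csv();                                   \
                $EventTime  = parsedate($date + " " + $time);       \
                $SourceName = "IIS";                                \
            }
</Input>

# Output: serialise the whole record to JSON, then wrap it in a BSD syslog
# header and send it over TCP. Swap om_tcp for om_ssl (with CAFile/CertFile)
# when the collector is reached over an untrusted network.
<Output syslogng>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
    Exec    $Message = to_json(); to_syslog_bsd();
</Output>

<Route windows_to_syslogng>
    Path    eventlog, iis => syslogng
</Route>
```

On the syslog-ng side a plain `network(transport("tcp") port(514))` source receives these messages; the syslog MSG part is the JSON document, so the Windows fields (EventID, Channel, the IIS columns, and so on) survive intact instead of being flattened into free text, which is the point Cameron makes in the comments. Check `%ROOT%\data\nxlog.log` after starting the service: an xm_csv field-count mismatch or a mistyped channel path shows up there rather than as silently missing events.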