
Sending Windows Logs to Remote Syslog

Submitted by on July 6, 2019 – 11:21 am

Nothing fancy here: just a quick note on directing Windows event logs and select application logs to a remote syslog server.

For a Unix admin, searching Windows logs is a frustrating experience. Just looking at the event viewer GUI hurts my eyes. One option is to redirect those logs to a Unix-based remote syslog collector.

Download and install the NXLog version appropriate for your OS here. Download the sample nxlog.conf here and edit a couple of things:

# Replace
define ROOT C:\Program Files (x86)\nxlog
# with where nxlog is actually installed

# Replace 
Module om_udp
Host 192.168.122.137
Port 514
# with the correct Protocol/IP/port of your rsyslog server

# Replace the <Input watchfile> and <Input watchfile2> 
# entries with the actual application log files you want
# to monitor.

When done editing nxlog.conf, don’t forget to restart the nxlog service from the Services control panel.

It is easier to find the application logs of interest by using the Windows Subsystem for Linux (WSL). I have Kali Linux installed. Type this command in the terminal window to locate application *.log files modified in the last 30 days and print their paths in Windows form:

find "/mnt/c/Program Files"* -type f -name "*.log" -mtime -30 2>/dev/null | sed -e 's@/mnt/@@g' -e 's@^c@C:@g' -e 's@\/@\\@g'

Then use these paths to add new <Input watchfileN> sections to the nxlog.conf file (and list each new input in the Route). Once again, don’t forget to restart the nxlog service after editing the config file.
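The path conversion and the <Input> sections above can be scripted so they do not have to be pasted by hand. The following is an added example, not code from the original post: it wraps the post's find/sed transform in a function, converts any /mnt/<drive>/ path to a Windows path, and emits one nxlog <Input> section per file. The directive names (im_file, File, SavePos) follow NXLog's documented im_file module as I recall them, and the section names watchfile1, watchfile2, ... are an assumption that matches the post's naming; the sample path in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): generate nxlog <Input> sections
# from recently modified *.log files found under a WSL mount such as
# /mnt/c/Program Files.

# Convert a WSL mount path (/mnt/c/dir/file.log) into a Windows path
# (C:\dir\file.log). Returns 1 if the path is not under /mnt/<drive>/.
wsl_to_win() {
    drive=$(printf '%s' "$1" | sed -n 's@^/mnt/\([a-z]\)/.*@\1@p' | tr '[:lower:]' '[:upper:]')
    if [ -z "$drive" ]; then
        printf 'not a /mnt/<drive>/ path: %s\n' "$1" >&2
        return 1
    fi
    # Drop the /mnt/<drive> prefix, then turn every / into a single backslash.
    rest=$(printf '%s' "$1" | sed -e 's@^/mnt/[a-z]@@' -e 's@/@\\@g')
    printf '%s:%s\n' "$drive" "$rest"
}

# Emit one nxlog <Input> section for a Windows path. Backslashes are doubled
# because nxlog treats backslash as an escape inside double-quoted strings
# (assumption based on the NXLog im_file documentation).
nxlog_input() {
    name=$1
    winpath=$2
    escaped=$(printf '%s' "$winpath" | sed 's@\\@\\\\@g')
    printf '<Input %s>\n    Module im_file\n    File "%s"\n    SavePos TRUE\n</Input>\n\n' \
        "$name" "$escaped"
}

# Walk the given WSL directory (default: every "Program Files*" directory on
# C:), find *.log files modified in the last 30 days, and print a numbered
# <Input watchfileN> section for each. Redirect the output into nxlog.conf,
# then add the new input names to the Route and restart the nxlog service.
generate_inputs() {
    n=${2:-1}
    find "${1:-/mnt/c/Program Files}"* -type f -name '*.log' -mtime -30 2>/dev/null |
    while IFS= read -r p; do
        win=$(wsl_to_win "$p") || continue
        nxlog_input "watchfile$n" "$win"
        n=$((n + 1))
    done
}

# Usage when run as a script:
#   sh gen-nxlog-inputs.sh "/mnt/c/Program Files" > new-inputs.conf
if [ -n "$1" ]; then
    generate_inputs "$1"
fi
```

Because every generated path ends up inside the nxlog service's configuration, review the list before adding it: a log file writable by unprivileged users is a place where arbitrary text can be injected into the syslog stream the collector trusts.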

On your rsyslog server you will then be able to see stuff like:

Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: Successfully completed the Group Policy Service initialization phase.
Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: The Group Policy Client service is currently configured as a shared service.
Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: Initializing and reading current service configuration for the Group Policy Client service.
Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: Initializing service instance state to detect previous instances of the service.
