Unix, Linux, FreeBSD, Ubuntu, routers, and switches all generate a large number of logs, and these generally take the form of syslog. RFC 3164 defines syslog as a log protocol. A syslog packet is at most 1024 bytes and carries the facility, severity, hostname, timestamp, and message. A syslog server listens on UDP port 514 by default. Put simply, syslog tells the administrator WHO (facility) did WHAT (message), WHEN (timestamp) and WHERE (hostname), and how important the event is (severity).
Who is the facility in syslog? It can be the operating system kernel, the mail service, a web server, a printer, and so on. RFC 3164 uses numbers to denote the different facilities, of which the local-use range (16-23 in the table below) can be assigned by the operator (for example, Cisco uses local4 to send the syslog of the PIX firewall and local7 to send the syslog of the 3000 VPN concentrator). The details are as follows:
Integer   Facility
0         kernel messages
1         user-level messages
2         mail system
3         system daemons
4         security/authorization messages
5         messages generated internally by syslogd
6         line printer subsystem
7         network news subsystem
8         UUCP subsystem
9         clock daemon
10        security/authorization messages
11        FTP daemon
12        NTP subsystem
13        log audit
14        log alert
15        clock daemon
16        local use 0 (local0)
17        local use 1 (local1)
18        local use 2 (local2)
19        local use 3 (local3)
20        local use 4 (local4)
21        local use 5 (local5)
22        local use 6 (local6)
23        local use 7 (local7)
The severity in syslog indicates the importance of the event, as shown in the following table.
Integer   Severity
0         emergency: system is unusable
1         alert: action must be taken immediately
2         critical: critical conditions
3         error: error conditions
4         warning: warning conditions
5         notice: normal but significant condition
6         informational: informational messages
7         debug: debug-level messages
Windows has its own logging mechanism, the event log. So why not set up a central syslog server that accepts logs from all Windows hosts, Linux hosts, network devices, and so on? That way all logs can be managed conveniently on a single log server.
The Windows operating system generates a lot of log entries, for example whenever a USB flash drive is plugged in or a service is restarted. These entries are recorded locally on each machine. If we want to manage them centrally, what can we do? Windows cannot natively send its logs to a syslog server, so we need a helper.
Evtsys is a program written in C that sends Windows logs to a syslog server. It supports Windows Vista and Server 2008, and after compilation it runs in both 32-bit and 64-bit environments. Designed for heavily loaded servers, evtsys is fast, lightweight and efficient, and it can run as a Windows service.
Visit http://code.google.com/p/eventlog-to-syslog/ to view and download the latest release. Remarkably, the program is only a few dozen KB.
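To make the facility and severity tables concrete, here is an added example (not from the original article) of what a minimal central syslog receiver has to do with each UDP datagram: enforce the 1024-byte limit, split the RFC 3164 fields, and decode the PRI value, which RFC 3164 defines as facility * 8 + severity. The sample messages in the test are constructed; the facility and severity names follow the tables above.

```python
"""Decode RFC 3164 syslog datagrams the way a central syslog server would.
Added example, not part of the original article; sample inputs are constructed."""
import re
import socket

# Facility codes from the table above (short conventional names).
FACILITIES = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 12: "ntp", 13: "audit", 14: "alert",
              15: "clock", 16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
# Severity codes 0..7 from the table above.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# <PRI>TIMESTAMP HOSTNAME MESSAGE, TIMESTAMP is "Mmm dd hh:mm:ss" (day space-padded).
_RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_syslog(packet: bytes) -> dict:
    """Return the decoded fields of one datagram; raise ValueError on bad input."""
    if len(packet) > 1024:
        raise ValueError("RFC 3164 packet exceeds 1024 bytes")
    m = _RFC3164.match(packet.decode("ascii", errors="replace"))
    if not m:
        raise ValueError("not a valid RFC 3164 message")
    pri = int(m.group(1))
    if pri > 191:                        # largest legal PRI is 23*8 + 7
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)  # PRI = facility*8 + severity
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group(2), "hostname": m.group(3), "message": m.group(4)}


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive UDP syslog datagrams on the default port and decode each one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))         # port 514 needs root/Administrator rights
    while True:
        data, (src_ip, _) = sock.recvfrom(1024)   # RFC 3164 upper bound
        try:
            print(src_ip, parse_syslog(data))
        except ValueError as err:        # malformed input is logged, not crashed on
            print(src_ip, "rejected:", err)


if __name__ == "__main__":
    serve()
```

Run with an elevated prompt to bind port 514; a PIX sending on local4 with severity 6 will show up as PRI 166.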
Download evtsys and copy it into the system directory (on XP this is windows\system32). Then run the following command in cmd:
evtsys.exe -i -h 192.168.1.101 -p 514
This is the full form; it can be shortened to:
evtsys -i -h 192.168.1.101
Parameter description:
-i installs evtsys as a Windows service;
-h is the syslog server address;
-p is the port the syslog server listens on.
The port can be omitted; the default is 514.
Run the following command to start the evtsys service:
net start evtsys
Open the Windows Services console: a new "Eventlog to Syslog" service appears next to the original Event Log service and is already running.
Open the Windows Group Policy Editor (Start -> Run, enter gpedit.msc).
Go to Windows Settings > Security Settings > Local Policies > Audit Policy and enable the Windows audit categories you want recorded. Evtsys watches for new Windows event log entries in real time, converts each new entry into a format syslogd understands, and sends it to the syslog server over UDP port 3072.
Another tool is Snare. Snare for Windows is a Windows program that forwards Windows (NT/2000/XP/2003 and so on, including 64-bit systems) event logs to a syslog server in real time. There is a single installation package for both 32-bit and 64-bit systems, and a silent installation mode can be configured; see its documentation for that.
Snare supports the security, application, and system logs, as well as the DNS, File Replication Service, and Active Directory logs.
Download: http://sourceforge.net/projects/snare/files/Snare%20for%20Windows/
Configuration: the downloaded file is snareforwindows-4.x.x.x-multiarch.exe, and installation is basically a matter of clicking Next. The Start menu then contains three entries under InterSect Alliance:
Disable remote access to Snare for Windows: disables remote management of Snare
Restore remote access to Snare for Windows: restores remote management of Snare
Snare for Windows: the program's configuration page. Open http://localhost:6161/ in a browser and select the network configuration option in the left-hand menu.