How to use several common Windows log-syslog tools

With the rapid development of information technology, more and more devices in the network, and gradually we found that relying on traditional means to a table analysis equipment (routers, switches, firewalls, servers, databases, middleware, etc.) logs have seriously affected our work efficiency, and not the availability of business systems to provide protection. Always play the role of a fireman after a problem arises. Therefore, it is time for the operation of the log to centrally manage.

Key words: syslog log Management

As the first paragraph of the text said, there are many kinds of operation log, today we first said how to send the Windows log, after all, this is easy to start ... The ranger will write some text at the end of the service in the near future.

Windows operating system itself can generate a lot of logs, such as every time you plug a U disk, service restart, and so on, will generate logs, this information will be recorded in the operating system, but Windows does not like switches, Linux, with Syslog, The Windows system itself does not support forwarding, so if you want to collect Windows logs, you must install the agent. Use it to convert Windows system logs, security logs, application logs, and so on to syslog and forward to our server side.

OK, now we're talking about some of the common Windows log-syslog tools that Rangers have chosen for open source or free tools, so ... Use it with ease!

1.evtsys

1.1. Notes

Evtsys is a program written in C that provides a way to send Windows logs to a syslog server. It supports Windows Vista and Server 2008, and supports 32 and 64-bit environments. Evtsys is designed for high load servers, Evtsys fast, lightweight, and efficient. And can exist as a Windows service.

1.2. Download

Http://code.google.com/p/eventlog-to-syslog/downloads/list

1.3. Configure

Evtsys installation is to copy files, cmd Input command, but still more trouble, Ranger here with batch processing solution! Evtsys has two versions, the installation directory is different, here separate description:

1.3.1 32-bit system Evtsys installation

Copy Evtsys.exe c:\windows\system32\

Copy Evtsys.dll c:\windows\system32\

CD C:\Windows\System32

Evtsys.exe-i-H 192.168.1.41-p 514

net start Evtsys

1.3.2 64-bit system Evtsys installation

Copy Evtsys.exe c:\windows\SysWOW64\

Copy Evtsys.dll c:\windows\SysWOW64\

CD c:\windows\SysWOW64

Evtsys.exe-i-H 192.168.1.41-p 514

net start Evtsys

We can see that the 32-bit system is copying files to the c:\windows\system32\ directory, and to the C:\windows\SysWOW64\ directory under the 64-bit system. The middle of the 192.168.1.41 is the syslog server IP address, this should be adjusted according to actual needs, otherwise not receive Oh! 514 is the port number, also must not write wrong!

Of course, Evtsys also has some advanced usage, such as filtering log, please read its own instructions.

2.Snare

2.1. Notes

Snare for Windows is a program that makes it easy for you to forward windows (nt/2000/xp/2003, 64-bit system) event logs to the Syslog server in real time, and whether it's a 32-bit or 64-bit system with only one installation package, You can also configure the silent Install mode, which, of course, requires you to see the document yourself.

Snare supports security logs, application logs, and system logs, as well as DNS, File replication services, Active Directory (Active Directory) logs, and so on.

2.2. Download

http://sourceforge.net/projects/snare/files/Snare%20for%20Windows/

2.3. Configure

The downloaded file is Snareforwindows-4.x.x.x-multiarch.exe, which basically requires next to be installed. Then there are three subkeys under Intersect Alliance in the Start menu:

Disable remote Access to snare for Windows: preventing snare from being remotely managed

Restore remote Access to snare for Windows: Restore Snare

Snare for Windows: Program Configuration Interface, after selecting the http://localhost:6161/address in the browser, and then selecting the Network configuration option on the left menu:

One of the 192.168.1.41 is your syslog server IP address, 514 is the server's port number, other photos on the map to configure the OK. And then...... You will find that your Syslog server can receive a log of Windows Server! Very convenient.

3.NTsyslog

3.1. Notes

Ntsyslog is a free software, where you think it is a freeware or free software, all right!

Ntsyslog exists as a service in the Windows NT operating system. It formats all system, security, and application events into one line and sends it to the Syslog server.

3.2. Download

http://sourceforge.net/projects/ntsyslog/files/Installer/NTSyslog%201.15%20%28full%29/

3.3. Configure

Install not to say, all the way next can! After loading the desktop has a ntsyslogctrl-tool icon, click to run.

Point "Syslog daemons" writes to the address of the Syslog server:

Click the start service to begin to receive syslog!

This ranger has introduced several tools for converting Windows logs to syslog, and some readers may ask: What's the role? The ranger will continue to explain in the next article how these logs are used. Welcome attention to Www.youxia.org (Ranger safety net)!

This article is from the "Internet Ranger (Zhang Bachuang)" blog, please be sure to keep this source http://youxia.blog.51cto.com/45281/761050