Windows Events to Syslog
Posted: December 2, 2010
My Syslog server is up and running. We now have all our network devices and Linux/Unix-like servers sending their events to the Dude’s Syslog server. But what about Microsoft Windows servers? Microsoft’s products have no native support for Syslog.
Up to this point I have gone through the event logs manually. I’ve considered using Hyena, an application I’ve used in the past to monitor Windows hosts’ logs, but I want to do this for free. Besides, the only systems I am monitoring right now are the servers and VMs in the computer room, and I’d like to start monitoring all of my client PCs as well. It would be better if I could kill all these birds with one stone.
After Googling for “windows event to syslog”, I found several free tools that convert Microsoft Windows Event Viewer logs into Syslog format and send them over to my Syslog server. The one I installed is called Datagram SyslogAgent and can be downloaded for free here:
Downloading and installing the service was a snap. Configuring it took a little research. The agent has a filter option that drops specific Event IDs before they are sent, so unwanted events from your hosts never reach the syslog server’s database; that saves disk space and clutter. For example, to drop events with Event ID 1001, enter 1001 in the “Filter out these EventIDs” field.
I looked through Event Viewer for high-volume events with little value. Here is the list of events I chose to filter out on the servers sending to syslog:
- 2,3,4: Printer set, deletions, and purges from TS
- 10: Print jobs
- 8003: Browser elections
- 672,673,674: Kerberos authentication ticket, service ticket and ticket renewal events (I kept the 680s, the NTLM logon events)

One caveat if you copy this list: on a domain controller, 672 and 673 are where Kerberos domain logons are recorded, and 680 only covers NTLM authentication, so with 672 and 673 filtered the syslog copy carries no Kerberos logon evidence and the Security log itself remains the place to investigate those.
Hoping to find a list of interesting events, I ran across this page:
It’s too bad the service can’t be told to send only these events to my syslog server; it offers an exclude list but no include list. I guess I can’t get everything for free.
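As an added example (not SyslogAgent’s own code, whose internals are not shown on this page), the following Python sketch does the two things such an agent has to do: turn an Event Viewer record into an RFC 3164 syslog line, with the priority computed from the event type, and apply an Event ID filter. It implements both the exclude list the agent offers and the include-only list this post wishes for. The facility (local0), the host names and the sample event records are constructed assumptions, not data captured from a real host.

```python
"""Windows events to syslog with Event ID filtering.

Added example, not SyslogAgent code: it shows what a forwarding agent
has to do and the difference between the "Filter out these EventIDs"
exclude list the agent offers and the include-only list the post wishes
for.  Facility local0 and the sample events below are constructed.
"""
from datetime import datetime

LOCAL0 = 16  # assumed facility for forwarded Windows events

# Event Viewer types mapped to RFC 3164 severities.
SEVERITY = {
    "Error": 3,          # err
    "Warning": 4,        # warning
    "Information": 6,    # info
    "Audit Success": 6,  # info
    "Audit Failure": 4,  # failed logons deserve a look
}

# The IDs the post filters out on its servers.
DEFAULT_EXCLUDE = {2, 3, 4, 10, 8003, 672, 673, 674}

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 10, "Source": "Print", "Type": "Information", "Computer": "FS01",
     "Time": datetime(2010, 12, 2, 9, 15, 0),
     "Message": "Document 12, report.pdf owned by alice was printed on HP4."},
    {"EventID": 673, "Source": "Security", "Type": "Audit Success", "Computer": "DC01",
     "Time": datetime(2010, 12, 2, 9, 15, 1),
     "Message": "Service Ticket Granted:\n  User Name: alice\n  Service Name: cifs/FS01"},
    {"EventID": 680, "Source": "Security", "Type": "Audit Failure", "Computer": "DC01",
     "Time": datetime(2010, 12, 2, 9, 15, 2),
     "Message": "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
                "  Logon account: bob\n  Error Code: 0xC000006A"},
    {"EventID": 2013, "Source": "Srv", "Type": "Warning", "Computer": "FS01",
     "Time": datetime(2010, 12, 2, 9, 15, 3),
     "Message": "The C: disk is at or near capacity.  You may need to delete some files."},
]


def to_syslog(event, facility=LOCAL0):
    """Format one event as an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG.

    PRI = facility * 8 + severity.  Multi-line Event Viewer text is folded
    onto one line because syslog is line-oriented.
    """
    pri = facility * 8 + SEVERITY.get(event["Type"], 5)  # unknown type -> notice
    t = event["Time"]
    # RFC 3164 timestamp: month, space-padded day, time (e.g. "Dec  2 09:15:03").
    stamp = t.strftime("%b ") + f"{t.day:2d}" + t.strftime(" %H:%M:%S")
    msg = " ".join(event["Message"].split())
    tag = f"{event['Source']}[{event['EventID']}]"
    return f"<{pri}>{stamp} {event['Computer']} {tag}: {event['Type']}: {msg}"


def select(events, exclude=frozenset(), include=None):
    """Yield the events to forward.

    exclude: drop these IDs (the agent's "Filter out these EventIDs").
    include: if given, forward only these IDs and ignore exclude entirely
             (the include list the agent lacks).
    """
    for ev in events:
        eid = ev["EventID"]
        if include is not None:
            if eid in include:
                yield ev
        elif eid not in exclude:
            yield ev


def forward(events, **filters):
    """Return the syslog lines that would be sent for events passing the filter."""
    return [to_syslog(ev) for ev in select(events, **filters)]


if __name__ == "__main__":
    print("exclude list:")
    for line in forward(SAMPLE_EVENTS, exclude=DEFAULT_EXCLUDE):
        print(" ", line)
    print("include list (680 only):")
    for line in forward(SAMPLE_EVENTS, include={680}):
        print(" ", line)
```

With the exclude list, the print job and the Kerberos service ticket are dropped while the failed NTLM logon (680) and the Srv 2013 disk-space warning go through; include mode forwards only the IDs named. Note the PRI value: local0 (16) times 8 plus the severity, so a Warning becomes <132> and an Audit Success <134>, which is what the syslog server’s filters will see.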
Now that my Event Log to syslog setup is working well, I started playing with some of the service’s other features. It can also take a plain-text log file and forward it as syslog. We always seem to have DHCP trouble on our network: not so much that the DHCP server isn’t working, but we like to research which MAC addresses are requesting which addresses, mainly because of the VPNs that connect and disconnect throughout the day. I constantly have to open and close the log text files in c:\windows\system32\dhcp to see the latest entries (cmd has no ‘tail -f’ equivalent; PowerShell’s Get-Content -Wait is the closest thing).
Setting up DHCP logging was a little tricky. The DHCP server stores its database and its audit log files in the same directory (c:\windows\system32\dhcp), and the database’s transaction log files use the same .log extension as the audit logs, which are rotated with the naming convention DhcpSrvLog-[day].log. The SyslogAgent can watch a directory for everything with a given extension, for timestamped files, for specific files, or for a rotated file. So first I had to move the DHCP server’s audit logs into another directory; I chose c:\windows\system32\dhcp\logs. Reconfiguring Microsoft’s DHCP server was easy: right-click the server in the MMC, open its properties, select the Advanced tab and change the “Audit log file path” to the new log location.
After restarting the DHCP server, I checked the new log location to see whether any files were being written. Yep, there they are! In the SyslogAgent I chose the timestamped file option and specified the new DHCP log directory. I also noticed that each DHCP log file starts with the following 30 lines of text:
Microsoft DHCP Service Activity Log

Event ID  Meaning
00   The log was started.
01   The log was stopped.
02   The log was temporarily paused due to low disk space.
10   A new IP address was leased to a client.
11   A lease was renewed by a client.
12   A lease was released by a client.
13   An IP address was found to be in use on the network.
14   A lease request could not be satisfied because the scope's address pool was exhausted.
15   A lease was denied.
16   A lease was deleted.
17   A lease was expired.
20   A BOOTP address was leased to a client.
21   A dynamic BOOTP address was leased to a client.
22   A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23   A BOOTP IP address was deleted after checking to see it was not in use.
24   IP address cleanup operation has began.
25   IP address cleanup statistics.
30   DNS update request to the named DNS server
31   DNS update failed
32   DNS update successful
50+  Codes above 50 are used for Rogue Server Detection information.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
This header is nice when I peruse the file manually; however, I don’t want it spat out onto my syslog every day. The agent has an option to ignore the first N lines of each log file, and I put 30 there to cut it out. That count is specific to this server’s header: check on which line the “ID,Date,Time,…” column line falls on your own version of Windows before hard-coding it, because a value that is too small leaks header text into syslog every day and one that is too large silently drops the first real records of each file.
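The following Python parser is an added example (not SyslogAgent code) for the DHCP audit log format shown above. Instead of skipping a fixed number of lines, it finds the “ID,Date,Time,…” column line, reads the Event ID legend from the header itself, and then answers the question this post cares about: which MAC address asked for which address. The log text embedded in it is constructed sample data, not a real server’s log, and the one-line message format at the end is an assumption about how such a record might be forwarded.

```python
"""Parse a Microsoft DHCP audit log (DhcpSrvLog-<day>.log) into records.

Added example, not SyslogAgent code.  Rather than skipping a fixed 30
lines, it locates the column line ("ID,Date,Time,...") and reads the
event-ID legend out of the header itself, so it keeps working if the
header length or the ID list differs between Windows versions.  The log
text below is constructed sample data, not a real server's log.
"""
import csv
import re

SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
01\tThe log was stopped.
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.
12\tA lease was released by a client.
15\tA lease was denied.
50+\tCodes above 50 are used for Rogue Server Detection information.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,12/02/10,00:00:05,Started,,,,
10,12/02/10,08:12:33,Assign,10.0.0.57,LAPTOP-ALICE.corp.local,0016D3A1B2C3,
11,12/02/10,08:40:10,Renew,10.0.0.57,LAPTOP-ALICE.corp.local,0016D3A1B2C3,
15,12/02/10,09:01:47,Deny,10.0.0.200,,00E04C112233,
55,12/02/10,09:05:00,Authorized(servicing),,corp.local,,
"""

COLUMN_LINE = re.compile(r"^ID,Date,Time,")          # the data rows follow this line
LEGEND_LINE = re.compile(r"^(\d+\+?)\s+(\S.*?)\s*$")  # "10<TAB>A new IP ..." or "50+ ..."


def preamble_lines(text):
    """Number of lines up to and including the column line: the value to
    enter in the agent's "ignore the first N lines" field for this file."""
    for n, line in enumerate(text.splitlines(), 1):
        if COLUMN_LINE.match(line):
            return n
    raise ValueError("no 'ID,Date,Time,...' column line: not a DHCP audit log?")


def describe(event_id, legend):
    """Look up an ID in the legend; IDs of 50 and above share the '50+' entry."""
    if event_id in legend:
        return legend[event_id]
    if event_id.isdigit() and int(event_id) >= 50 and "50+" in legend:
        return legend["50+"]
    return "unknown event ID"


def parse_dhcp_log(text):
    """Return (legend, records).  legend: event-ID string -> meaning taken
    from the header; records: one dict per data row keyed by column name."""
    lines = text.splitlines()
    n = preamble_lines(text)
    legend = {}
    for line in lines[: n - 1]:
        m = LEGEND_LINE.match(line)
        if m:
            legend[m.group(1)] = m.group(2)
    columns = lines[n - 1].split(",")
    records = []
    for row in csv.reader(lines[n:]):
        if not row or not row[0].strip():
            continue  # blank line
        rec = dict(zip(columns, row))  # the empty field after the trailing comma is dropped
        rec["Meaning"] = describe(rec["ID"], legend)
        records.append(rec)
    return legend, records


def leases_by_mac(records):
    """MAC -> addresses it was assigned or renewed (IDs 10 and 11): the
    question the post wants answered about its VPN clients."""
    seen = {}
    for rec in records:
        if rec["ID"] in ("10", "11") and rec["MAC Address"]:
            addrs = seen.setdefault(rec["MAC Address"], [])
            if rec["IP Address"] not in addrs:
                addrs.append(rec["IP Address"])
    return seen


def to_syslog_text(rec):
    """Assumed one-line message body for forwarding: ID, action, address, host, MAC, meaning."""
    return (f"DHCP[{rec['ID']}] {rec['Description']} {rec['IP Address'] or '-'} "
            f"{rec['Host Name'] or '-'} {rec['MAC Address'] or '-'} ({rec['Meaning']})")


if __name__ == "__main__":
    legend, records = parse_dhcp_log(SAMPLE_LOG)
    print(f"skip {preamble_lines(SAMPLE_LOG)} header lines; {len(legend)} IDs in legend")
    for rec in records:
        print(to_syslog_text(rec))
    print(leases_by_mac(records))
```

preamble_lines() gives the number to type into the agent’s “ignore the first N lines” field for a given server’s files, and because the meanings come from the header rather than a table in the code, a rogue-detection row such as ID 55 is still described correctly even though the header only lists it as “50+”.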
Now my syslog is working great. I set up a new log file called “Windows Events” in the Dude’s Syslog to collect these Windows events and keep them separate from the already configured network events. Now I can set up notifications for when a regex matches something like “DRIVE FULL” instead of waiting for a user to call me about a problem with their PC!