Windows Events to Syslog

The Problem

My Syslog server is up and running. We now have all our network devices and Linux/Unix like servers sending their events to the Dude’s Syslog server. But what about Microsoft Windows Servers? Microsoft’s products do not have native support for Syslog.

Up to this point I have gone through the event logs manually.  I’ve considered using Hyena, an application that I’ve used in the past to monitor windows hosts’ logs but I want to do this for free.  Besides, the only systems that I am monitoring right now are the servers and VM’s in the computer room.  I’d like to start monitoring all of my client PCs as well.  It would be better if I can kill all these birds with one stone.

The Solution

After Googling for “windows event to syslog”, I found several free tools that convert Microsoft Windows Event Viewer logs into Syslog format and send them to my Syslog server.  The one that I installed is called Datagram SyslogAgent and can be downloaded for free here:

Downloading and installing the service was a snap.  Configuring it took a little bit of research.  There are options to filter out specific EventIDs.  The filter keeps unwanted events from your hosts from being stored in the database, which saves hard drive space and cuts down on clutter.  For example, to reject events with the Event ID 1001, enter 1001 in the “Filter out these EventIDs” field.

I looked at my event viewer for useless events with high volume.  Here is the list of events that I chose to filter out for my servers sending to syslog:

  • 2,3,4: Printer set, deletions, and purges from TS
  • 10: Print jobs
  • 8003: Browser elections
  • 672,673,674: Logoff/Logon and ticket renewals (I kept 680’s)

Hoping to find a list of interesting events, I ran across this page:

It’s too bad I can’t specify the service to send only these events to my syslog server.  I guess I can’t get everything for free.

Windows text log files to SysLog

Now that my Event Log forwarding to syslog is working well, I started playing around with some of the other features of this service.  What I found was that the service can also take a text log file and convert it to syslog.  We always seem to have trouble with DHCP issues on our network.  Not so much that the DHCP server isn’t working, but we like to research which MAC addresses are requesting which address.  This is mainly because of the VPNs that connect and disconnect throughout the day.  I constantly have to open and close the log text files in c:\windows\system32\dhcp to get the latest updates (Microsoft doesn’t have a ‘tail -f’ equivalent).

Setting up DHCP for logging was a little tricky.  The DHCP server stores its database and its audit logs in the same directory (c:\windows\system32\dhcp), and the database log file and the audit log files use the same extension: .log.  The audit logs are rotated using a naming convention: DhcpSrvLog-[day].log.  The SyslogAgent looks in a directory for everything ending with an extension, timestamped files, specific files, or a rotated file.  First, I had to move the DHCP server’s log files into another directory.  I chose c:\windows\system32\dhcp\logs.  Reconfiguring Microsoft’s DHCP server was also easily done by right-clicking on the server in the MMC, selecting the Advanced tab and changing the “Audit log file path” to my new log location.

After restarting the DHCP server, I checked my new log location to see if there were any files being written.  Yep, there they are!  Setting up the Syslog Agent, I chose the timestamped file option and specified the new DHCP log file directory.  I also noticed that each DHCP log file contained the following 30 lines of text:

Microsoft DHCP Service Activity Log

Event ID  Meaning
00        The log was started.
01        The log was stopped.
02        The log was temporarily paused due to low disk space.
10        A new IP address was leased to a client.
11        A lease was renewed by a client.
12        A lease was released by a client.
13        An IP address was found to be in use on the network.
14        A lease request could not be satisfied because the scope's
 address pool was exhausted.
15        A lease was denied.
16        A lease was deleted.
17        A lease was expired.
20        A BOOTP address was leased to a client.
21        A dynamic BOOTP address was leased to a client.
22        A BOOTP request could not be satisfied because the scope's
 address pool for BOOTP was exhausted.
23        A BOOTP IP address was deleted after checking to see it was
 not in use.
24        IP address cleanup operation has began.
25        IP address cleanup statistics.
30        DNS update request to the named DNS server
31        DNS update failed
32        DNS update successful
50+       Codes above 50 are used for Rogue Server Detection information.

ID,Date,Time,Description,IP Address,Host Name,MAC Address

This extra text is nice if I want to peruse the file manually; however, I don’t want this header to spit out on my syslog every day.  There’s an option to ignore the first lines of text in each log file in the agent.  I put “30” here to cut this out.
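The following Python example is added here and is not part of the original post or of SyslogAgent. It skips the header by locating the column line instead of counting 30 lines, then formats each record as an RFC 3164 syslog line; the mm/dd/yy date format, the local0 facility, the host and tag names, the choice of warning IDs and the sample records are assumptions.

```python
import csv
from datetime import datetime

FIELDS = ("id", "date", "time", "desc", "ip", "host", "mac")
# IDs from the header above that signal trouble; the selection is this example's assumption.
WARN_IDS = {"02", "13", "14", "15", "22", "31"}
FACILITY = 16  # local0, an assumed choice

# Constructed sample: abbreviated header followed by constructed records.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/11,00:00:05,Started,,,,
10,03/14/11,08:15:42,Assign,192.0.2.57,vpn-laptop1.example.test,001122AABBCC
11,03/14/11,09:01:10,Renew,192.0.2.57,vpn-laptop1.example.test,001122AABBCC
14,03/14/11,09:30:00,Scope Full,192.0.2.0,,
"""

def records(text):
    """Yield one dict per record, skipping everything up to the column-header line."""
    lines = text.splitlines()
    start = next((i + 1 for i, l in enumerate(lines)
                  if l.startswith("ID,Date,Time,")), None)
    if start is None:
        return  # no column header: nothing is treated as a record
    for row in csv.reader(lines[start:]):
        if len(row) >= len(FIELDS) and row[0].isdigit():
            yield dict(zip(FIELDS, row))

def clean(value):
    """Host names are supplied by clients; replace non-printable characters."""
    return "".join(c if c.isprintable() else "?" for c in value)

def to_syslog(rec, host="dhcp01", tag="dhcpsrv"):
    """Format a record as an RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: msg."""
    ts = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S")
    severity = 4 if rec["id"] in WARN_IDS else 6  # warning or informational
    msg = " ".join(f"{k}={clean(rec[k])}" for k in ("id", "desc", "ip", "host", "mac"))
    return f"<{FACILITY * 8 + severity}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {host} {tag}: {msg}"

if __name__ == "__main__":
    for rec in records(SAMPLE_LOG):
        print(to_syslog(rec))
```

Keying on the column line keeps the parser correct if the header length differs from the 30 lines seen here.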

Now my syslog is working great.  I set up a new log file called “Windows Events” in the Dude’s Syslog to filter out these interesting Windows syslog events and separate the already configured network events from the Microsoft system events.  Now, I can set up notifications for when a regex matches something like “DRIVE FULL” instead of waiting for a user to call me about a problem with their PC!


5 Comments on “Windows Events to Syslog”

  1. […] my last post I described how to configure windows events to syslog using a free application called SyslogAgent. When I showed Ben he thought it was really cool.  […]

  2. itcoop says:

    My DHCP logging service stopped working after the logs built up past two days. To fix it, I scheduled the following task to move the logs one directory up every day:

    forfiles /d -1 /c "cmd /c move /Y @file ..\"

    start in c:\windows\system32\dhcp\logs

    This cleared things up…

  3. itcoop says:

    I run a lot of scheduled commands to make my job easier. The bad thing about the Windows command scheduler is that there are no status codes outside of the exit errorlevel. I found out that if I made this syslogagent monitor a text file and append messages to this text file via other batch processes, I get my “running log”.

    So, say I’m backing up a database using an NTBackup cmd script. At the end of the batch file, I’d put the following line:

    echo Mailserver Backup Complete >> c:\scripts\scripts.log

    Set up the syslogagent software to monitor this file the same way noted above on setting up the DHCP log, except make it monitor a specific file: c:\scripts\scripts.log. The application name can be used as a regexp match in The Dude if you want to make the matches go elsewhere.


  4. CypherBit says:

    Any reason why you’re not using Event Subscriptions, not “newer” servers?

    The benefit I see here is text file support, but the drawback is installing something on all the servers. Could you provide your reasons?

    • itcoop says:

      Why? Mainly I use it because Microsoft’s products do not have native support for Syslog. I’m a fan of centralizing the logs; I’m also a fan of using a similar method to accomplish this task for all my application servers.

      Just about every piece of networking gear, *nix, mac, NOS, OS, IOS, etc. use syslog as the method of log transport. I’ll admit that I’ve never used event subscriptions. They look interesting; however, it’s not syslog, they’re not exactly native, and they do not offer retro support for all MS OS. With syslog, I get a centralized logging method for every product I support.

      As far as using newer servers go, this is the main reason why I virtualized. I support a lot of older servers because the applications they are running don’t require a cutting-edge O$. Being that the OS is virtualized, the OS license can run forever in a VM. The risks of doing this are well known and easily mitigated. One simple application of mine is running on Windows 2000 Pro; it hasn’t been rebooted for 439 days.
