Collecting logs from Windows using syslog-ng

Normally I cover free and open-source software in the syslog-ng blog. But recently quite a few members of the community reached out to me and asked about collecting logs from Windows. So, I prepared a quick overview of the topic. The good news is, that syslog-ng supports collecting logs from Windows in multiple ways. The not so good news is that Windows support is only available in the commercial version of syslog-ng.

There are multiple ways for collecting log messages from Windows. You can either install syslog-ng agents on Windows hosts, or you can use the Windows Event Collector (WEC) component of syslog-ng PE.

Note, that a third version was also available for a while but discontinued due to lack of users: running a syslog-ng server on Windows.

Syslog-ng agent for Windows

Windows support was originally added in the form of syslog-ng agent for Windows. If you want to read logs from files instead of relying purely on Windows eventlog, then you need to use syslog-ng agent for Windows. As its name implies, the agent is using the syslog protocol to forward log messages from a Windows host.

There are many ways to configure the application. By default, you can use an MMC snap-in to configure the syslog-ng agent for Windows. On larger installations it is also possible to configure the agent through an XML file or through domain group policy.

The drawback of using the syslog-ng agent for Windows is that it is yet another application to push through security and operations teams and install on each of your hosts. If all you need is collecting Windows eventlog then Windows Event Collector is a good alternative.

Windows Event Collector

WEC first appeared as part of the syslog-ng PE 7.0.6 release. It can collect Windows eventlog messages pushed through encrypted HTTP messages to the Windows Event Collector. As you can see, forwarding logs from text files is not supported, only Windows eventlog. On the other hand this also means that there is no need to install anything on Windows hosts. WEC is an optional component of syslog-ng PE running on Linux. It is installed as part of syslog-ng PE but you need to configure and enable it separately.


WEC collects log messages in XML format and forwards them to syslog-ng PE through a socket. The XML parser of syslog-ng then turns the log messages into name-value pairs. Once you have name-value pairs it is a lot easier to filter log messages and save selected fields into your database.

WEC clustering

Starting with the latest version of syslog-ng PE you can also enable WEC clustering. Using multiple WEC instances was an option earlier as well,but starting with syslog-ng PE 7.0.23 WEC can also collect eventlog forwarded through a load balancer. This helps with any scalability issues you might encounter when using WEC with a large number of endpoints.

wec clustering

Related Content