Syslog clients for Windows

Central logging using syslog is long part of the UNIX / Linux infrastructure. But if someone also happens to have Windows machines, it is still possible to use the proven syslog-ng servers. There are many clients available, both open and closed source, ranging from simple event forwarders to complex logging solutions, including BalaBit’s own syslog-ng Agent for Windows.

 

Eventlog to syslog

“Eventlog to Syslog” is the simplest tool available to forward Windows events to a central syslog server. It was originally developed at Purdue University, but now is actively maintained in Google Code at http://code.google.com/p/eventlog-to-syslog/ by another university. It’s just two binaries and some documentation bundled in a zip file. There is no installer, one needs to copy the binaries to the system32 directory by hand. Configuration is done from the command line which modifies the registry.

There isn’t much to configure, just the host name of the syslog server and some basic filtering on what to send. There is no disc buffer, TCP support is just being added, so SSL is also not yet available.

Positive:

  • actively developed with large user base

 

Negative:

  • no TCP (and SSL) support
  • no installer or dedicated configuration interface

 

Snare

Snare Agent for Windows is one of the popular syslog clients for Windows. It has an installer and web based GUI for configuration, which make local and remote deployment and configuration possible. There are two editions of Snare, a free, GPL and a commercial version with more features, which is only available bundled with Snare Server.

The GPL version can transfer logs only using UDP, there is no encryption or disc buffer functionality. The commercial version has TCP and encryption support and is able to queue messages while the syslog server is unavailable due to maintenance or networking problems. Either version can only forward a hard coded lists of Windows events with basic filtering to syslog servers. It can’t deal with logs generated outside of the Windows eventlog system.

Snare Agent for Windows is available at: http://www.intersectalliance.com/projects/SnareWindows/index.html

Positive:

  • actively developed with large user base

 

Negative:

  • list of event sources is hard coded
  • many features are limited to the commercial version
  • features, even the output format varies depending on Windows version, which make integration with syslog-ng / patterndb difficult

 

Abandonwares

There are many syslog clients for Windows, which were actively developed once upon a time, but not any more. Some of these are still available, and could be valuable for those using older Windows releases.

Lasso

Project Lasso was developed by LogLogic until 2008. It supports Windows XP and Server 2000 and 2003. It gives a warning on more recent Windows versions, that they are not supported, and when tested, it really did not work. Moreover, Project Lasso supports TCP for log transport, it is even the default, but SSL is not supported. In contrast, it should be able to read from any available Windows event sources. It is available fromhttp://sourceforge.net/projects/lassolog/ under the GPL license.

While Project Lasso seems to be abandoned, there is now “Lasso Enterprise”, which is bundled with LogLogic appliances. There isn’t any information available on this, other than that it supports more recent Windows versions, so if you have any experiences with Lasso Enterprise, please let me know, what is improved compared to the GPL version!

 

NTsyslog

NTsyslog was developed for Windows NT 4.0 and Windows 2000 and also runs on XP. It is no more actively maintained: http://ntsyslog.sourceforge.net/ As I still know about running NT 4.0 servers, it could come handy for a few people. It turns System, Security and Application events into a single line and forwards them to a syslog server. I could not find any documentation, but I suppose, that only UDP is supported.

 

Winlogd

Winlogd was developed in 2004 and 2005. It needs .NET, so I suppose that Windows XP and Server 2003 are supported. It also creates a single line from System, Security and Application events. For configuration, one needs to edit the registry directly, which is a kind of unusual for me in the 21. century… My favorite quote on the website is, that it calls syslog-ng the “Ultimate syslog server package” 
It is available athttp://edoceo.com/creo/winlogd

 

Kiwi Log forwarder for Windows

Kiwi is a syslog server application for Windows, and it’s commercial version also has a bundled “Log forwarder for Windows” which can forward Windows events to a syslog server. The format used is very close to the one used by Snare. It can do some basic filtering and has access to more event sources than the basic System, Security and Application events. Multiple syslog servers can be defined, however, only UDP is supported for log transfer. More information is available athttp://www.solarwinds.com/products/freetools/kiwi_syslog_server/compare.aspx

 

Positive:

  • multiple syslog destinations

 

Negative:

  • no TCP (and SSL) support

 

BalaBit’s syslog-ng Agent for Windows

The syslog-ng Agent for Windows collects log messages from event log groups and log files and forwards them to a syslog-ng server using regular or TLS-encrypted TCP connections, integrating Windows hosts into the general log management infrastructure. The syslog-ng Agent can be managed from a domain controller using group policies or run as a standalone application.

It is developed together with the UNIX/Linux version of syslog-ng and provides administrators with most of the flexibility and features already familiar on those platforms.

Advantages:

  • forwards both event logs and log files
  • supports TCP and encryption
  • authenticates with server using X.509 certificates, including mutual authentication
  • multiple destinations both in parallel and fail-over modes
  • format of event log messages can be customized using macros, just as in the UNIX version

 

For more information visit https://www.syslog-ng.com/products/log-management-software/windows-log-management.aspx

 

syslog-ng PE Case Study – DataPath Inc.

DataPath, founded in 1984, is a management-owned, privately held company based in Little Rock, Arkansas, that produces software solutions for administering employee benefit plans. They also implemented a SYSLOG-NG AGENT FOR WINDOWS-based logging infrastructure to meet HIPAA and PCI DSS requirements in their Microsoft-based environment.

Anonymous