[syslog-ng] providing Windows Event Viewer logs into syslog

Martin Holste mcholste at gmail.com
Tue Nov 30 19:34:41 CET 2010


I have used Snare and Eventlog-to-Syslog (evtsys).

Snare is a bit more user friendly because the agent is configured to
listen on a given port and serve a web console to set policies on what
logs should be forwarded.  By default, most (but not all) logs are
forwarded as there are some default filters.  It also technically
alters the security policy for logging when it is installed based on
the policy you've set using it.

evtsys is much lighter weight and has a cleaner command line install
process, so it's much easier to blast out to a server farm.  The
default settings work for me, which is forward everything all of the
time.

Both can be configured via the registry and run as a service, but you
have to do the legwork to use Group Policy to configure them.  Both are
open source.  Snare is free but has support available; evtsys doesn't
really have support (though I've never needed it).

One other thing to consider:  If you also want to forward flat files
from Windows apps (like IIS and DHCP), then you'll need a separate
agent to do that.  I've had success with Snare's cousin, Epilog, which
looks and feels like Snare.  You configure it through a similar web
console to point it at directories to monitor and then give it file
name patterns to stream as syslog.

One last note: if you want encrypted transport, evtsys won't do it,
and Snare will do it with the paid version only, so you'll be paying
money for sure.

So to recap, Balabit's offering improves on the free ones by
integrating flat file streaming with the event log and offering
encryption and GPO integration.

On Tue, Nov 30, 2010 at 6:51 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Tue, 2010-11-30 at 10:26 +0200, Oguz Yilmaz wrote:
>> Hi,
>>
>> I wanted to start a thread to see alternatives for providing Windows
>> logs into a Linux-based syslog server. I would be grateful to see my
>> alternatives, both free software and proprietary software.
>
> Disclaimer: I work for BalaBit, vendor of one of the proprietary
> options in the list below.
>
> I know about:
>
> snare
> evtsys
> ntsyslog
> syslog-ng Agent for Windows (proprietary)
>
> But there are probably others (which I've forgotten about, or don't know
> about).
>
> The last one is the BalaBit product and if you, the reader, are not
> interested in proprietary software please skip this paragraph.
>
> ---- proprietary, don't read it unless you really want to ----
>
> The Agent is a Group Policy managed (e.g. integrates as a snap-in to MMC,
> but can also be used with a config file) syslog Agent for Windows from
> 2000 to 2008R2, supporting both 32 and 64 bit environments. It collects
> logs from EventLog containers and/or simple text files. For files, you
> can also specify a directory and a mask and the Agent will follow all
> files matching the wildcard mask correctly.
>
> The agent uses TCP with optional SSL encryption (mutual authentication
> supported). It can behave like a snare agent and can also use the latest
> IETF standards (RFC5424 and friends). It has simple filtering
> capabilities and supports multiple servers.
>
> Please read the documentation for the Agent for more information:
>
> http://www.balabit.com/sites/default/files/documents/syslog-ng-windows-agent-v3.2-guide-admin-en.html/index.html
>
> Or the syslog-ng product description that includes a chapter on the
> Agent:
>
> http://www.balabit.com/support/documentation/syslog-ng-v3.0-description-en.pdf
>
>
>
>
> --
> Bazsi
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>


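The thread compares agents that read the Windows Event Log and emit syslog, and notes that encrypted transport is the feature the free ones lack. The script below is an added example, written for this page and not taken from the thread, from Snare, evtsys or the BalaBit Agent: a minimal PowerShell shipper that does what those agents do (read the Event Log, map each record to a syslog message) and adds what the post says evtsys cannot, namely RFC 5424 formatting, RFC 5425 octet-counted framing and a TLS connection with optional client-certificate (mutual) authentication. The server name `syslog.example.internal`, the port, the private enterprise number in the `win@32473` SD-ID and the client-certificate thumbprint are placeholders chosen for the example. It needs PowerShell 3 or later on .NET 4.5 or later, and reading the Security log requires administrative rights.

```powershell
# Added example, not code from the thread or from any of the agents it names.
# Reads recent Event Log records and ships them as RFC 5424 syslog over TLS.
param(
    [string]$Server = 'syslog.example.internal',   # assumed hostname; must match the server cert
    [int]$Port = 6514,                              # IANA-registered syslog-over-TLS port
    [string]$LogName = 'Security',
    [int]$MaxEvents = 100,
    [string]$ClientCertThumbprint = ''              # set to enable mutual TLS (placeholder)
)

# Map the Windows event level (1=Critical .. 5=Verbose, 0=LogAlways for audits)
# to a syslog severity (RFC 5424, table 2).
function Get-SyslogSeverity([int]$Level) {
    switch ($Level) {
        1 { 2 }          # Critical    -> crit
        2 { 3 }          # Error       -> err
        3 { 4 }          # Warning     -> warning
        default { 6 }    # Info/Verbose/Audit -> info
    }
}

# Build one RFC 5424 message. The Security log maps to facility 4 (auth);
# everything else to facility 1 (user). Structured data carries the numeric
# fields so the collector can filter on EventID without parsing the free text.
function ConvertTo-Syslog5424($Record, [string]$LogName) {
    $facility = if ($LogName -eq 'Security') { 4 } else { 1 }
    $pri = $facility * 8 + (Get-SyslogSeverity $Record.Level)
    $ts = $Record.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $hostname = $Record.MachineName
    # APP-NAME is PRINTUSASCII, at most 48 octets
    $app = ($Record.ProviderName -replace '[^\x21-\x7e]', '')
    if ($app.Length -gt 48) { $app = $app.Substring(0, 48) }
    # PARAM-VALUE must escape the characters " \ and ]
    $channel = $Record.LogName -replace '[\\"\]]', '\$0'
    $sd = '[win@32473 EventID="{0}" Channel="{1}" RecordID="{2}"]' -f `
          $Record.Id, $channel, $Record.RecordId
    $msg = if ($null -eq $Record.Message) { '' } else { $Record.Message -replace '\r?\n', ' ' }
    return "<$pri>1 $ts $hostname $app - $($Record.Id) $sd $msg"
}

# RFC 5425 framing for syslog over TLS: "MSG-LEN SP SYSLOG-MSG", where
# MSG-LEN is the length of the message in octets (UTF-8), not characters.
function Add-OctetFraming([string]$Message) {
    $body = [System.Text.Encoding]::UTF8.GetBytes($Message)
    $prefix = [System.Text.Encoding]::ASCII.GetBytes("$($body.Length) ")
    return [byte[]]($prefix + $body)
}

# Open the TLS session. The default SslStream validation callback is kept on
# purpose: the server certificate is checked against the machine's trust store
# and the chain's revocation status is checked (last argument $true).
$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
if ($ClientCertThumbprint) {
    # Client certificate from the machine store, for mutual authentication
    $clientCert = Get-Item "Cert:\LocalMachine\My\$ClientCertThumbprint"
    [void]$certs.Add($clientCert)
}
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
$ssl.AuthenticateAsClient($Server, $certs,
    [System.Security.Authentication.SslProtocols]::Tls12, $true)

try {
    # Get-WinEvent returns newest first; reverse so the collector sees them in order.
    $records = @(Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents)
    [array]::Reverse($records)
    foreach ($r in $records) {
        $frame = Add-OctetFraming (ConvertTo-Syslog5424 $r $LogName)
        $ssl.Write($frame, 0, $frame.Length)
    }
    $ssl.Flush()
}
finally {
    $ssl.Close()
    $client.Close()
}
```

Run it as an administrator, for example `.\Ship-EventLog.ps1 -Server collector.example.internal -LogName Security` (the script name is a placeholder). The collector must accept TLS with octet-counted framing; on syslog-ng that is a `tcp()`/`network()` source with a `tls()` block, and `peer-verify(required-trusted)` there is what makes the client certificate mandatory. Two things a real agent does that this script deliberately leaves out: it keeps no bookmark of the last record sent, so each run resends the last `$MaxEvents` records, and it does not subscribe to new events; both are what the agents discussed above, and the GPO-managed configuration Balazs describes, give you.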