providing Windows Event Viewer logs into syslog
Hi,

I wanted to start a thread to see alternatives for providing Windows logs into a Linux-based syslog server. I would be grateful to see my alternatives, both free software and proprietary software.

Regards,

-- Oguz YILMAZ
On Tue, 2010-11-30 at 10:26 +0200, Oguz Yilmaz wrote:
> Hi,
>
> I wanted to start a thread to see alternatives for providing Windows logs into a Linux-based syslog server. I would be grateful to see my alternatives, both free software and proprietary software.
Disclaimer: I work for BalaBit, vendor for one of the proprietary options in the list below.

I know about:

snare
evtsys
ntsyslog
syslog-ng Agent for Windows (proprietary)

But there are probably others (which I've forgotten about, or don't know about).

The last one is the BalaBit product and if you, the reader, are not interested in proprietary software please skip this paragraph.

---- proprietary, don't read it unless you really want to ----

The Agent is a Group Policy managed (e.g. integrates as a snap-in to mmc, but can also be used with a config file) syslog Agent for Windows from 2000 to 2008R2, supporting both 32 and 64 bit environments. It collects logs from EventLog containers and/or simple text files. For files, you can also specify a directory and a mask and the Agent will follow all files matching the wildcard mask correctly.

The agent uses TCP with optional SSL encryption (mutual authentication supported). It can behave like a snare agent and can also use the latest IETF standards (RFC5424 and friends). It has simple filtering capabilities and supports multiple servers.

Please read the documentation for the Agent for more information:
http://www.balabit.com/sites/default/files/documents/syslog-ng-windows-agent...

Or the syslog-ng product description that includes a chapter on the Agent:
http://www.balabit.com/support/documentation/syslog-ng-v3.0-description-en.p...

-- Bazsi
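The message above mentions the two transport details that matter most when choosing an agent: TCP (optionally with SSL and mutual authentication) and RFC 5424 formatting. The following is an added example, not part of the thread and not code from any of the agents named in it, showing what that looks like on the wire end to end: one Windows event record rendered as an RFC 5424 message with the event fields carried in a structured-data element, framed for TCP with RFC 6587 octet counting (the framing that survives multi-line EventLog messages), and parsed back on the Linux side. The event record, the field names, the SD-ID `win@32473` (32473 is the enterprise number RFC 5612 reserves for documentation) and the parameters of `send_tls` are all assumptions made for this example.

```python
"""Added example: a Windows event record as RFC 5424 syslog over TCP,
octet-counted per RFC 6587 and parsed back. Not code from any agent
discussed in the thread."""
import re
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample record (not real telemetry): the fields an EventLog
# reader typically hands to a forwarding agent.
SAMPLE_EVENT = {
    "log": "Security",
    "event_id": 4625,
    "provider": "Microsoft-Windows-Security-Auditing",
    "level": "Audit Failure",
    "computer": "WKS01.example.test",
    "time": datetime(2010, 11, 30, 8, 26, 5, tzinfo=timezone.utc),
    "message": 'An account failed to log on.\r\nAccount Name:\t"bob"',
}

# SD-ID chosen for this example; 32473 is the documentation enterprise
# number from RFC 5612. A real agent uses its vendor's IANA PEN.
SD_ID = "win@32473"
FACILITY_AUDIT = 13                      # RFC 5424 facility 13: log audit
LEVEL_TO_SEVERITY = {"Error": 3, "Audit Failure": 4, "Warning": 4}


def sd_escape(value):
    """RFC 5424 6.3.3: '"', '\\' and ']' must be escaped inside PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_rfc5424(ev, facility=FACILITY_AUDIT):
    """Render one event as an RFC 5424 message (no framing, no newline)."""
    severity = LEVEL_TO_SEVERITY.get(ev["level"], 6)   # default: informational
    pri = facility * 8 + severity
    ts = ev["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = [("log", ev["log"]), ("eventId", ev["event_id"]), ("level", ev["level"])]
    sd = "[%s %s]" % (SD_ID, " ".join('%s="%s"' % (k, sd_escape(v)) for k, v in params))
    msg = " ".join(ev["message"].splitlines())   # MSG is free text; flatten CRLF
    # HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID; event ID as MSGID
    return "<%d>1 %s %s %s - %d %s %s" % (
        pri, ts, ev["computer"], ev["provider"], ev["event_id"], sd, msg)


def frame(message):
    """RFC 6587 octet counting: 'MSG-LEN SP SYSLOG-MSG'. Unlike newline
    framing it cannot be split by a CR/LF embedded in the payload."""
    data = message.encode("utf-8")
    return b"%d %s" % (len(data), data)


def unframe(buf):
    """Split a TCP receive buffer into complete messages; return (msgs, leftover)."""
    msgs = []
    while True:
        sep = buf.find(b" ")
        if sep < 0 or not buf[:sep].isdigit():
            break                                 # no length prefix yet
        end = sep + 1 + int(buf[:sep])
        if len(buf) < end:
            break                                 # partial message: wait for more
        msgs.append(buf[sep + 1:end].decode("utf-8"))
        buf = buf[end:]
    return msgs, buf


HEADER_RE = re.compile(r"<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                       r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)", re.S)
PARAM_RE = re.compile(r'(?P<name>[^ ="\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def parse_structured_data(rest):
    """Return ({sd_id: {param: value}}, msg) from the text after MSGID."""
    sd, pos = {}, 0
    if rest.startswith("-"):                      # NILVALUE: no structured data
        return sd, rest[2:]
    while pos < len(rest) and rest[pos] == "[":
        i, in_quote = pos + 1, False
        while i < len(rest):                      # find this element's closing ']'
            c = rest[i]
            if in_quote and c == "\\":
                i += 2                            # skip an escaped character
                continue
            if c == '"':
                in_quote = not in_quote
            elif c == "]" and not in_quote:
                break
            i += 1
        sd_id, _, params = rest[pos + 1:i].partition(" ")
        sd[sd_id] = {n: re.sub(r"\\(.)", r"\1", v) for n, v in PARAM_RE.findall(params)}
        pos = i + 1
    return sd, rest[pos + 1:] if rest[pos:pos + 1] == " " else rest[pos:]


def parse_rfc5424(message):
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    sd, msg = parse_structured_data(m.group("rest"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "app": m.group("app"), "msgid": m.group("msgid"),
            "sd": sd, "msg": msg}


def send_tls(host, port, events, cafile, certfile, keyfile):
    """Ship events over TLS with client-certificate (mutual) authentication.
    Hypothetical deployment parameters; not exercised offline."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)        # our identity, verified by the server
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for ev in events:
                tls.sendall(frame(to_rfc5424(ev)))


if __name__ == "__main__":
    msgs, _ = unframe(frame(to_rfc5424(SAMPLE_EVENT)))
    print(parse_rfc5424(msgs[0]))
```

The receiving side is the part worth keeping in mind when comparing agents: a collector that only understands newline framing will split a multi-line Security event into several bogus records, and a value containing `"` or `]` that is not escaped per RFC 5424 will corrupt the structured-data element for every parser downstream.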
I have used Snare and Eventlog-to-Syslog (evtsys). Snare is a bit more user friendly because the agent is configured to listen on a given port and serve a web console to set policies on what logs should be forwarded. By default, most (but not all) logs are forwarded as there are some default filters. It also technically alters the security policy for logging when it is installed, based on the policy you've set using it.

evtsys is much lighter weight and has a cleaner command line install process, so it's much easier to blast out to a server farm. The default settings work for me, which is forward everything all of the time.

Both can be configured via the registry and run as a service, but you have to do the legwork to use group policy to configure them. Both are open source. Snare is free but has support available, evtsys doesn't really have support (though I've never needed it).

One other thing to consider: if you also want to forward flat files from Windows apps (like IIS and DHCP), then you'll need a separate agent to do that. I've had success with Snare's cousin, Epilog, which looks and feels like Snare. You configure it through a similar web console to point it at directories to monitor and then give it file name patterns to stream as syslog.

One last note: if you want encrypted transport, evtsys won't do it, and Snare will do it with the paid version only, so you'll be paying money for sure.

So to recap, Balabit's offering improves on the free ones by integrating flat file streaming with the event log and offering encryption and GPO integration.

On Tue, Nov 30, 2010 at 6:51 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Tue, 2010-11-30 at 10:26 +0200, Oguz Yilmaz wrote:
> > Hi,
> >
> > I wanted to start a thread to see alternatives for providing Windows logs into a Linux-based syslog server. I would be grateful to see my alternatives, both free software and proprietary software.
>
> Disclaimer: I work for BalaBit, vendor for one of the proprietary options in the list below.
>
> I know about:
>
> snare
> evtsys
> ntsyslog
> syslog-ng Agent for Windows (proprietary)
>
> But there are probably others (which I've forgotten about, or don't know about).
>
> The last one is the BalaBit product and if you, the reader, are not interested in proprietary software please skip this paragraph.
>
> ---- proprietary, don't read it unless you really want to ----
>
> The Agent is a Group Policy managed (e.g. integrates as a snap-in to mmc, but can also be used with a config file) syslog Agent for Windows from 2000 to 2008R2, supporting both 32 and 64 bit environments. It collects logs from EventLog containers and/or simple text files. For files, you can also specify a directory and a mask and the Agent will follow all files matching the wildcard mask correctly.
>
> The agent uses TCP with optional SSL encryption (mutual authentication supported). It can behave like a snare agent and can also use the latest IETF standards (RFC5424 and friends). It has simple filtering capabilities and supports multiple servers.
>
> Please read the documentation for the Agent for more information:
> http://www.balabit.com/sites/default/files/documents/syslog-ng-windows-agent...
>
> Or the syslog-ng product description that includes a chapter on the Agent:
> http://www.balabit.com/support/documentation/syslog-ng-v3.0-description-en.p...
>
> -- Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
participants (3)
- Balazs Scheidler
- Martin Holste
- Oguz Yilmaz