NETWORKSTIP Networking CCNA,Centos,Ubuntu,Sql,

Made By Muhammad Nafees


Monday 19 September 2016

How to forward Windows logs to loganalyzer

Event Log Forwarder for Windows

Log Forwarder for Windows

The purpose of this free program from SolarWinds is to send events, which have been captured by a Windows server, to a Syslog server for processing.
The problem this nifty utility solves is that Windows servers don't natively support syslog protocols.  Thus the dashboard supplied gives you a method for consolidating event log messages, and works well with SolarWinds Kiwi and Orion products.


Installing SolarWinds Event Log Forwarder for Windows

I test numerous software packages, and I often criticise programs for their complex install routines, but in the case of the Log Forwarder for Windows, Guy says:- "This setup couldn't be easier."
Simply download and then install the program from its .msi file.  As a result you will get an interface (LogForwarderClient.exe) where you configure log Subscriptions and connect to your Syslog server.  Meanwhile, the underlying SolarWinds program (LogForwarder.exe) has installed as a Windows Service called: Log Forwarder for Windows.

Creating Subscriptions at Your Log Forwarder Dashboard


As you may expect, Event Log Forwarder for Windows supports the latest Windows Eventing 6 ("Crimson") format; in addition, there is backward compatibility with the old Windows Eventing 5 from the Windows Server 2003 and XP era.
XML experts may be interested in studying the LogForwarderSettings.cfg file; they may wish to amend tags in the <EventLogSubscriptions> and <SyslogServers> sections.

Adding Individual Log Subscriptions

At the heart of the Event Log Forwarder is the interface which links to the actual Windows Logs.  Click on 'Event Sources' [key point] and select which subscriptions you wish to collect in the logs that will be sent to the Syslog server. 

After a few trials, you will appreciate the flexibility of this utility; at which point you may like to go back and adjust your subscriptions.  Alternatively, after a bout of testing I often delete and start again.


Connecting a Syslog Server to Your Dashboard

Please remember that in order to get any action with the SolarWinds Event Log Forwarder for Windows, you need a Syslog server.  It's vital to have a server which can receive the logs, such as security, application or system, which are forwarded by your Windows machine(s).
The source of these event logs can be Windows Server 2003 R2 or later; alternatively, you could trial the forwarder from a client such as Windows 7 or 8.
Note that SolarWinds' latest version supports sending event messages using TCP rather than UDP.

Test Screen

The 'Test' tab actually allows you to create an entry in one of the Event Logs on your Windows computer.  The screen enables you to test that forwarding to the specified Syslog server is indeed taking place.  Naturally, you can only perform a test on an event source that you have already added in your 'Subscriptions'.  Here is a screenshot of the Test Screen tab.

The result you are looking for is: "test event created successfully". However, if there's any error, then you get a message saying: "creation of test event was unsuccessful".

If the above method is not working, then try this one.

First, download the SyslogAgent from the link below:

https://drive.google.com/file/d/0B8aK61IFJl13SWhIanZZNmJhYU0/view?usp=sharing

If you extract the 2 MB SyslogAgent archive that you downloaded, there are a few files, but only three matter: the PDF user's manual, the SyslogAgent configuration tool, and the SyslogAgent service that you need to install on the server.


Figure 1: SyslogAgent Installation Files
There is no traditional Windows application installer for the SyslogAgent service. You just run the SyslogAgentConfig tool and click Install under the Service Status section at the top.


Figure 2: Installing the SyslogAgent Service
This will create the Windows service for the SyslogAgent.
Before you get too excited and start the service, let’s first configure it.
The minimum configuration would be:
  • The service is installed
  • A syslog server IP and port are configured
  • Either event logs or application logs are selected to be sent to the syslog host (for whatever types of events and/or applications you choose)
  • The SyslogAgent service is started
To select where the log data from your Windows host will be sent, enter the IP address of the syslog host, as you see in the graphic, Figure 2, above. In my case, the Log Insight syslog server’s IP address was 10.0.1.120 and we were using UDP port 514.
With this enabled, I checked the Event Logs option and selected what type of event logs I wanted. For system monitoring, I would recommend sending "system logs", but you are welcome to send any type of logs you want, such as security logs for auditing purposes.


Figure 3: Selecting the Event Logs to Send to the Syslog Host
Optionally, you can configure the application log events to forward and even customize their facility and severity, as you see in Figure 4.

Figure 4: Customizing Facility and Severity
Optionally, you can choose to send events from specific Windows applications to the syslog host, even specifying the executable for the custom application (as you see at the bottom of Figure 2).
Once you’ve got it configured, click Start Service.
You are welcome to double check your Windows services to see that the SyslogAgent is added and running as you see below in Figure 5.



Figure 5: SyslogAgent Running in Services
With the syslog agent running, let’s go check our syslog server to see if it is receiving messages from our Windows 2012 Server.
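
Before looking at the collector, it helps to know exactly what a forwarded event looks like on the wire and how the facility and severity chosen above (Figure 4) travel inside it. The following is an added example, not code from this page, from SolarWinds or from the SyslogAgent project. It formats a constructed Windows System-log event as a BSD-syslog (RFC 3164) line, encodes the PRI value as facility * 8 + severity, sends it over UDP on the loopback interface to a stand-in receiver, and parses what arrives, which is the same check the 'Test' tab performs against a real collector. The sample event, the hostname HV1 (taken from the page), the mapping from Windows event levels to syslog severities, and the choice of facility local0 are all assumptions made for the example.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (only the ones used here).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16, "local1": 17}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Assumed mapping (not from the page) from Windows event-log levels to syslog severities.
WINDOWS_LEVEL_TO_SEVERITY = {
    "Critical": SEVERITY["crit"],
    "Error": SEVERITY["err"],
    "Warning": SEVERITY["warning"],
    "Information": SEVERITY["info"],
    "Verbose": SEVERITY["debug"],
}

# Constructed sample event, standing in for an entry read from the Windows System log.
SAMPLE_EVENT = {
    "hostname": "HV1",
    "source": "Service Control Manager",
    "level": "Error",
    "event_id": 7000,
    "text": "The Example service failed to start.",
    "timestamp": datetime(2016, 9, 19, 10, 0, 0),
}

# <PRI>TIMESTAMP HOSTNAME TAG: MSG
MSG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, carried in the <N> prefix of every message."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility, severity); the collector does this on receipt."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return pri >> 3, pri & 7


def build_message(event: dict, facility: int = FACILITY["local0"]) -> str:
    """Format one Windows event as an RFC 3164 line."""
    severity = WINDOWS_LEVEL_TO_SEVERITY[event["level"]]
    ts = event["timestamp"]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # day of month is space-padded per RFC 3164
    body = f"EventID={event['event_id']} Level={event['level']} {event['text']}"
    return f"<{encode_pri(facility, severity)}>{stamp} {event['hostname']} {event['source']}: {body}"


def parse_message(line: str) -> dict:
    """Parse a BSD-syslog line into its fields, decoding PRI into facility and severity."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def round_trip_udp(line: str) -> str:
    """Send one datagram over loopback and return what the stand-in syslog server received.

    A real agent targets UDP port 514 on the collector; here the receiver binds an
    ephemeral loopback port so the check runs without privileges or a network.
    """
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))
        receiver.settimeout(2.0)
        port = receiver.getsockname()[1]
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sender.sendto(line.encode("utf-8"), ("127.0.0.1", port))
        finally:
            sender.close()
        data, _ = receiver.recvfrom(65535)
    finally:
        receiver.close()
    return data.decode("utf-8")


def check_forwarding(event: dict = SAMPLE_EVENT, facility: int = FACILITY["local0"]) -> dict:
    """Build, send, receive and parse one event. The parsed fields are what a collector
    would display; 'intact' confirms the line survived the trip byte for byte."""
    sent = build_message(event, facility)
    received = round_trip_udp(sent)
    parsed = parse_message(received)
    parsed["intact"] = received == sent
    return parsed


if __name__ == "__main__":
    print(check_forwarding())
```

Running the script prints the parsed fields of the sample event; with facility local0 (16) and level Error (severity 3) the line starts with `<131>`. Pointing `round_trip_udp` at a real collector on port 514 instead of the loopback receiver is the same experiment the 'Test' tab runs, and decoding the PRI on the receiving side is how you confirm the facility and severity you customised in the agent actually arrived.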

Testing Syslog with VMware vCenter Log Insight

Let’s assume that your syslog server was installed and is running fine, at the IP address you specified on the agent. In my case, I am using the new VMware vCenter Log Insight as my syslog host but there are numerous options.
Over on the vCenter Log Insight console, indeed, I was quickly able to identify syslog traffic coming from my Windows 2012 Server (with a DNS name of HV1).
