Windows Events to Syslog – Ready-to-Go Application

Consolidate all your Windows Event Logs and Syslog messages to ORION, or forward them to an existing syslog server.

Download example - Already included in recent ORION packages

DESCRIPTION

This application centralizes Windows Event Logs without requiring a local agent on each system. It also receives syslog messages and combines them with Windows events for real-time viewing in the ORION Event Viewer or forwarding to another syslog server.

Windows events are read in real time, which lets you diagnose the problems leading up to a Windows server crash, even if the server is no longer able to boot.

This application is a “Ready-To-Go” application, which only requires setting the login information of the remote Windows servers, and designating a syslog server to forward events to.

The application is provided as a fully customizable ORION source code application. It runs only on Windows.

HOW TO RUN THE APPLICATION

Configuring Remote Windows Event Logs

Assuming you have installed and loaded the application correctly, you should see the following screen when you click on Sources:

Click on the blue WindowsHostsEventsList parameter in the Remote Windows Log Reader source. Click “Add Windows Host”. Configure the login and event logs settings for each server, as shown here:

For simplicity of setup we recommend that you use an Administrator account to read the Windows event logs remotely.

Click on the “Save ECA” button.

Click on “Destinations” and enter the IP address or host name for the syslog server that you want to forward the events to (Make sure to specify a host other than the one that this ORION application is installed on!). You can leave the port blank, as it will default to the standard UDP port 514.

Click on the “Save ECA” button again.

Restart the server by clicking on the host name in the component tree, and selecting restart.

If the Windows login information was configured correctly, the bottom of your screen should look like this:

If you see errors, click on the errors link and see which host caused problems with connecting to the remote Windows event logs. Correct the login information for that host, save the application, and restart again.

If everything works correctly, you can click on the “Event Viewer” button and see the following screen, which should contain any new Windows Event Log entries that have been written since the ORION server was restarted.

As you can see the Windows events have been carefully formatted to fit the syslog format. If you specified a syslog server, go ahead and check that these same events were written to it.

Combining Windows and Syslog Events in ORION

This application has a syslog server preconfigured under “Sources”. If you direct outside syslog messages to your ORION host, those syslog messages will be combined with the Windows events. You can view the combined event stream in the ORION Event Viewer. The syslog messages will also be forwarded to the same syslog destination that the Windows events will be sent to.

Advanced Configuration

  • You can set custom syslog severities and facilities for each Windows event type. Click on the “Set-Syslog-Severity” and “Set-Syslog-Facility” stacks respectively, and configure the Conditions of the predefined filters for each severity and facility.
  • The syslog messages are sent in accordance with RFC 3164. However, the message size limit of 1024 bytes is not enforced by default, as many syslog servers can handle larger non-standard messages. This application has a facility for breaking larger messages into multiple smaller 1024-byte messages. If you would like to enforce the message size limit, click on the “Break-Syslog-Into-Multiple-1024-Sized-Parts” filter stack, and enable the filter called “Break-Syslog-Into-Multiple-1024-Sized-Parts” by right-clicking on the filter in the component tree and selecting “Enable”. Save the ECA and restart the server.
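The following is an added illustration of what the severity/facility mapping, tab and newline removal, and 1024-byte splitting described above amount to; it is not the application's own Jython code. The event record, the local0 facility, and the severity mapping are assumptions for the example.

```python
import re

MAX_SYSLOG_BYTES = 1024          # RFC 3164 maximum packet size
LOCAL0 = 16                      # RFC 3164 facility code for local0

# Assumed mapping from Windows event type to RFC 3164 severity codes.
SEVERITY = {"Error": 3, "Warning": 4, "Information": 6,
            "SuccessAudit": 5, "FailureAudit": 4}

# Constructed sample event record (not taken from a real system).
SAMPLE = {"timestamp": "Apr  5 21:53:00", "host": "WINSRV01",
          "log": "Application", "source": "MyService", "id": 1000,
          "type": "Error",
          "message": "Service failed to start:\n\tError code:\t0x1"}


def flatten(text):
    """Collapse tabs and newlines so the event fits on one syslog line."""
    return re.sub(r"[\t\r\n]+", " ", text).strip()


def syslog_pri(facility, severity):
    """PRI is facility * 8 + severity, e.g. local0/error -> <131>."""
    return facility * 8 + severity


def format_event(event, facility=LOCAL0):
    """Render an event as (header, body): header is "<PRI>TIMESTAMP HOST ",
    body is the MSG part. Kept separate so the header can be repeated."""
    severity = SEVERITY.get(event["type"], 6)     # default: informational
    header = "<%d>%s %s " % (syslog_pri(facility, severity),
                             event["timestamp"], event["host"])
    body = "%s[%d]: %s: %s" % (event["source"], event["id"],
                               event["log"], flatten(event["message"]))
    return header, body


def split_message(header, body, limit=MAX_SYSLOG_BYTES):
    """Break one event into parts of at most `limit` bytes. Each part repeats
    the header and carries a "[part i/N] " tag so the receiver can reassemble.
    Slices by character, so the body is assumed to be ASCII."""
    if len((header + body).encode("utf-8")) <= limit:
        return [header + body]
    tag_width = len("[part 999/999] ")             # room reserved for the tag
    chunk = limit - len(header.encode("utf-8")) - tag_width
    pieces = [body[i:i + chunk] for i in range(0, len(body), chunk)]
    return ["%s[part %d/%d] %s" % (header, n, len(pieces), p)
            for n, p in enumerate(pieces, 1)]
```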

INSTALLATION

This application is pre-installed in your most recent ORION download. In the ECA Editor you must delete any other applications by right-clicking on the application name and selecting Delete. Insert this application by clicking on “ecs0”, selecting WinEventsToSyslogV1.0.xml from the list and clicking OK. You may also follow the standard installation procedure for examples.

If this is your first time using an ORION application, we suggest that you familiarize yourself with the basic screens and server operation described in the Hello World tutorial.

KEY SKILLS DEMONSTRATED

  • Remotely reading Windows Event Logs
  • Reformatting complex messages
  • Customizing syslog severity and facility fields
  • Removing tabs and new line characters from messages
  • Breaking large messages into a stream of smaller messages using a Jython script
  • Sending syslog Events

FILES

  • EV_HOME/config/WinEventsToSyslogV1.0.xml – Reads Windows and syslog events, formats them, and writes to syslog server and ORION archive

INPUT PROTOCOLS

OUTPUT PROTOCOLS

SUMMARY

COMPLEXITY: Moderate

ORION VERSION: 6.0

KEY WORDS: MESSAGE FORMATTING, PROTOCOL CONVERSION, EVENT STREAM CONSOLIDATION, READY-TO-GO, WINDOWS EVENT LOGS, SYSLOG, Remote Windows Log Reader, Syslog Receiver, Syslog Sender, Archive Writer

eca_example/win_to_syslog.txt · Last modified: 2007/04/05 21:53 by teofana