Winlogd is an open source Windows syslog client which forwards Event Log messages to a syslog server.
Thousands of network devices (firewalls, routers, switches, storage, etc.) from major manufacturers (Cisco, 3Com, HP, etc.) can send messages to syslog. However, out of the box Windows doesn't know how to talk to syslog. With winlogd now it can: winlogd monitors the Windows Event Log and sends messages to the specified syslog server as they arrive. This allows an administrator to integrate Windows into their existing syslog scheme and effectively monitor Windows machines with simple syslog scripts. Parameters, including server, port and facility, are configurable via the Windows Registry.
Specification
Winlogd monitors each Windows Event Log (Application, Security and System by default) and forwards new event entries to the configured syslog server. The \n, \r and \t characters in the event data are removed. Messages contain the Event Source, Event ID and description, and are formatted for easy parsing with your current syslog analysis scripts. The messages from the Application, Security, System and other Event Logs are all sent by winlogd under the single configured Facility.
Translation is made from Event Log message priorities to syslog priorities as specified in the table below.
Windows Priority | Syslog Priority | Note
---|---|---
Error | err |
Warning | warning |
Information | info |
FailureAudit | notice | This only shows in the Security Log
SuccessAudit | notice | This only shows in the Security Log
Winlogd is written in Microsoft .NET Managed C++ and requires Microsoft .NET version 1.1 - 3.5sp1.
Configuration
All winlogd configuration parameters are contained in the Windows Registry. You must be familiar with the Registry to understand these directions and change the winlogd configuration.
```
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlogd\Parameters]
"Facility"="local3"       ; Facility to send logs as
"Port"=dword:00000202     ; The UDP port to send to; 0x202 = 514, the syslog default
"Server"="192.168.42.7"   ; Change to match your configuration
```
After changing any of the parameters you must run `net stop winlogd` and then `net start winlogd` for the changes to take effect.
Reading Logs
The generated messages look like this (wrapped):
```
Jun 28 17:11:34 192.168.42.34 Service Control Manager[7035] \
  Category:1; User:gwashington; The winlogd service was successfully sent a start control.
```
The fields are: Date, Host, Source[Event ID], Category:[name/id]; User:[name]; Message.
This message is not fully compliant with the syslog format specified in RFC 3164: the TAG field is improperly formed. The event source, 'Service Control Manager', should not contain spaces but does. Winlogd simply uses the Windows Event Source here, and the Event ID is placed in brackets where the process ID normally goes. Keep this in mind if your parser uses a strict RFC 3164 TAG pattern.
There are many ways to implement syslog; described here is an implementation using syslog-ng that traps errors. This snippet of a syslog-ng config file shows how to filter for winlogd messages and even alert on them.
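Because the TAG carries spaces, a strict RFC 3164 parser will mis-split winlogd lines. The following parser is an added example (not winlogd's own code) that anchors on the `[Event ID]` bracket instead, decodes an optional `<PRI>` back into facility and severity, and reproduces the priority table above; the sample lines are constructed in the documented layout.

```python
import re

# Windows Event Log types -> syslog severity names, as the page's table states.
WINDOWS_TO_SYSLOG = {
    "Error": "err", "Warning": "warning", "Information": "info",
    "FailureAudit": "notice", "SuccessAudit": "notice",
}
SEVERITY_CODES = {"err": 3, "warning": 4, "notice": 5, "info": 6}
FACILITY_CODES = {"local3": 19}  # the facility used in the page's registry sample

# The TAG ("Service Control Manager") may contain spaces, so instead of a strict
# RFC 3164 TAG pattern this anchors on the "[Event ID]" that winlogd appends.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                 # optional RFC 3164 PRI
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<source>.+?)\[(?P<event_id>\d+)\] "    # source may contain spaces
    r"Category:(?P<category>[^;]*); "
    r"User:(?P<user>[^;]*); "
    r"(?P<message>.*)$"
)

def pri_value(facility, windows_type):
    """PRI number for a message: facility*8 + severity (RFC 3164 section 4.1.1)."""
    sev = SEVERITY_CODES[WINDOWS_TO_SYSLOG[windows_type]]
    return FACILITY_CODES[facility] * 8 + sev

def parse_line(line):
    """Return a dict of fields, or None if the line is not winlogd-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["event_id"] = int(d["event_id"])
    if d["pri"] is not None:  # decode PRI back into facility and severity
        pri = int(d["pri"])
        d["facility"], d["severity"] = pri // 8, pri % 8
    return d

# Constructed sample lines in the layout the page documents (not real captures).
SAMPLES = [
    "Jun 28 17:11:34 192.168.42.34 Service Control Manager[7035] Category:1; "
    "User:gwashington; The winlogd service was successfully sent a start control.",
    "<155>Jun 28 17:12:01 192.168.42.34 Application Error[1000] Category:100; "
    "User:N/A; Faulting application example.exe (constructed).",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_line(s))
```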
```
source s_net { udp(ip(192.168.42.2) port(514)); };
filter f_winlogd { facility(local3); };
filter f_winlogd_error { facility(local3); level(err); };
destination d_winlogd { file("/var/log/winlogd"); };
destination d_winlogd_error { program("/opt/edoceo/bin/syslog-mail"); };
log { source(s_net); filter(f_winlogd); destination(d_winlogd); };
log { source(s_net); filter(f_winlogd_error); destination(d_winlogd_error); };
```
Download
Here you can download the winlogd source, binary and helpers.
Download the binary to %WINDIR%\system32, then run `winlogd -i` to install.
The source is in a Microsoft Visual Studio.NET 2010 project.
Winlogd requires Microsoft .NET Runtime 4.0 or newer.
- winlogd.zip - Latest Version
- winlogd.exe - Latest Version
- syslog-mail - The helper script used in the configuration above
- github
Command Line Options
- --help - Prints a little help message, and the license
- --show - Dumps the current registry settings
- --test - Sends four test messages to the log
- -i - Installs winlogd into the Service Control Manager; this must be done first to use winlogd
- -u - Removes winlogd from the Service Control Manager
Related Sites and Information
- syslog-ng - Ultimate syslog server package
- Syslog.org :: Security & Sysadmin Information
- RFC 3164 - The BSD Syslog Protocol
- Security Issues in Network Event Logging (syslog)
Similar Software
History & Changelog
- 07 Aug 2012 - winlogd version 2012.32 release - .NET 4.0 required
- 28 Jun 2005 - winlogd version 1.3 released.
- Includes the Event ID in place of Process ID
- Added sample syslog configuration documentation
- 09 Oct 2004 - winlogd version 1.2 released.
- Added code to sort the services when --list is used.
- Updated the url in the --help output.
- 08 Oct 2004 - winlogd version 1.1 released.
- Added code to properly use the facility specified in the registry.
- Added code to remove \r and \t from the Event Log message.
- Removed the code that duplicated packets to the log file winlogd.log.
- 12 Sep 2004 - winlogd version 1.0 released.
- Initial public release; no history before this.
All company and product names mentioned in the article are held under copyright by their respective owners.