Winlogd is an open source Windows syslog client which forwards Event Log messages to a syslog server.

Thousands of network devices (firewalls, routers, switches, storage, etc.) from major manufacturers (Cisco, 3Com, HP, etc.) can send messages to syslog. However, out of the box Windows doesn't know how to talk to syslog. With winlogd it can: winlogd monitors the Windows Event Log and sends messages to the specified syslog server as they arrive. This allows an administrator to integrate Windows into their current syslog scheme and effectively monitor Windows machines via simple syslog scripts. Parameters, including server, port and facility, are configurable via the Windows Registry.

Specification

Winlogd monitors each Windows Event Log (Application, Security and System by default) and forwards new event entries to the configured syslog server. The \n, \r and \t characters in the event data are removed. Messages contain the Event Source, Event ID and description, and are formatted for easy parsing with your current syslog analysis scripts. The messages from the Application, Security, System and any other Event Logs are all sent by winlogd to the single configured Facility.

Event Log message priorities are translated to syslog priorities as shown in the table below.

Windows Priority   Syslog Priority   Note
Error              err
Warning            warning
Information        info
FailureAudit       notice            This only shows in the Security Log
SuccessAudit       notice            This only shows in the Security Log

Winlogd is written in Microsoft .NET Managed C++ and requires Microsoft .NET version 1.1 - 3.5sp1.

Configuration

All winlogd configuration parameters are contained in the Windows Registry. You must be familiar with the Registry to understand these directions and change the winlogd configuration.

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlogd\Parameters]
  ; Facility to send logs as
  "Facility"="local3"
  ; The UDP port to send to; 0x202 = 514, the syslog default
  "Port"=dword:00000202
  ; Change to match your configuration
  "Server"="192.168.42.7"

After changing any of the parameters you must run `net stop winlogd` and then `net start winlogd` for the changes to take effect.

Reading Logs

The generated messages look like this (wrapped):

Jun 28 17:11:34 192.168.42.34 Service Control Manager[7035] \
Category:1; User:gwashington; The winlogd service was successfully sent a start control.

This is the Date, Host, Source, [Event ID], Category:[name/id]; User:[name]; Message.

This message is not fully compliant with the syslog format specified in RFC 3164: the TAG field is improperly formed. RFC 3164 does not allow spaces in the TAG, but the event source, 'Service Control Manager', contains them. Winlogd simply uses the Windows Event Source as the TAG, and places the Event ID in brackets where the process ID normally goes, so strict RFC 3164 parsers may split the line differently than expected.

There are many ways to implement syslog; described here is an implementation using syslog-ng that also traps errors. This snippet of a syslog-ng config file shows how to filter for winlogd messages and even alert on them.

source s_net { udp(ip(192.168.42.2) port(514)); };
filter f_winlogd { facility(local3); };
filter f_winlogd_error { facility(local3); level(err); };
destination d_winlogd { file("/var/log/winlogd"); };
destination d_winlogd_error { program("/opt/edoceo/bin/syslog-mail"); };
log { source(s_net); filter(f_winlogd); destination(d_winlogd); };
log { source(s_net); filter(f_winlogd_error); destination(d_winlogd_error); };
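As an added example (not part of winlogd or of this page), here is a Python parser for the message format shown above, written the way a "simple syslog script" on the receiving side has to handle it: it tolerates the space-containing TAG, takes the Event ID from the bracket position, and, when a raw `<PRI>` header is present, decodes facility and severity so the same local3/err test as the f_winlogd_error filter can be applied in script. The PRI header is an assumption (the sample line above is shown without one), and the names parse_winlogd and is_winlogd_error are my own.

```python
import re

# Windows Event Log level -> syslog severity, per the mapping table on this page.
WINDOWS_TO_SYSLOG = {
    "Error": "err",
    "Warning": "warning",
    "Information": "info",
    "FailureAudit": "notice",  # Security Log only
    "SuccessAudit": "notice",  # Security Log only
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {16 + i: "local%d" % i for i in range(8)}  # local3 is code 19

# The TAG is "<Event Source>[<Event ID>]" and the source may contain spaces (the RFC 3164
# deviation noted above), so it is matched lazily up to the bracketed numeric Event ID.
_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                       # optional <PRI> header (assumed, not shown above)
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # RFC 3164 timestamp, e.g. "Jun 28 17:11:34"
    r"(?P<host>\S+) "
    r"(?P<source>.+?)\[(?P<event_id>\d+)\] "
    r"Category:(?P<category>[^;]*); "
    r"User:(?P<user>[^;]*); "
    r"(?P<message>.*)$"
)

def parse_winlogd(line):
    """Parse one winlogd line into a dict of fields; return None if it is not winlogd-shaped."""
    m = _LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    pri = rec.pop("pri")
    if pri is not None:  # PRI = facility * 8 + severity
        code = int(pri)
        rec["facility"] = FACILITY_NAMES.get(code >> 3, str(code >> 3))
        rec["severity"] = SEVERITY_NAMES[code & 7]
    return rec

def is_winlogd_error(rec, facility="local3"):
    """Same condition as the f_winlogd_error filter above: facility(local3) and level(err)."""
    return rec.get("facility") == facility and rec.get("severity") == "err"

# Constructed samples: the page's own example line, and the same line with an assumed
# PRI of 155 (19 * 8 + 3 = local3 / err) as it would arrive on the UDP socket.
SAMPLE = ("Jun 28 17:11:34 192.168.42.34 Service Control Manager[7035] "
          "Category:1; User:gwashington; The winlogd service was successfully sent a start control.")
SAMPLE_PRI = "<155>" + SAMPLE
```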

Download

Here you can download the winlogd source, binary and helpers. Download the binary to %WINDIR%\system32, then run `winlogd -i` to install. The source is in a Microsoft Visual Studio.NET 2010 project. Winlogd requires Microsoft .NET Runtime 4.0 or newer.

All company and product names mentioned in the article are held under copyright by their respective owners.