topic Re: Using UF as windows syslog forwarder in Splunk Enterprise

Using UF as windows syslog forwarder

PickleRick — Fri, 15 Jul 2022 09:43:15 GMT

It's a bit off-topic but I have a kinda unusual use case. I want to get the events out of windows box and store it on a linux machine (in this particular case it's windows VM and I want to export the events to the hypervisor).

Of course for linux it's easiest to receive syslog messages but as we all know, Windows doesn't have built-in syslog server and you can't easily get the events with built-in windows tools to push through syslog channel.

So far I've been using the free SolarWinds Event Log Forwarder but it has its flaws - most notably it has problems with starting automatically with the Windows machine. It ends up with the process started but it's not forwarding events unless I manually disable and re-enable the subscriptions. That's unacceptable.

So I was thinking that maybe I should just install UF and instead of using splunk-tcp output just push events with plain tcp output to a syslog server. Anyone has experience with it?

The upside to this is that I know that UF works relatively reliably and I wouldn't have to worry about it too much.

The downside is that I would have to define a separate input for each event log channel (but I think I'd simply script it and have it run every few days to synchronise eventlog channels with inputs.conf).

I could of course set up whole Splunk Free environment on my hypervisor but it would be a huuuuuge overkill.

Any hints for the UF installation/configuration?

Re: Using UF as windows syslog forwarder

PickleRick — Fri, 15 Jul 2022 09:55:08 GMT

Bah.

Forgot that syslog output is not available on UF.

But I might try with http output and imhttp rsyslog module.

I'll test it some time next week probably.

Re: Using UF as windows syslog forwarder

JacekF — Fri, 15 Jul 2022 12:07:09 GMT

A few years back I was using nxlog to send Windows Event Log data to external log collecting systems. It can send logs to syslog and I remember it as being rather reliable.

Converting and Forwarding Windows Event Log via Syslog for Log Collection (nxlog.co)

Re: Using UF as windows syslog forwarder

PickleRick — Fri, 15 Jul 2022 12:29:50 GMT

Thanks for the hint. I will probably check it out. But since I had my idea, I think I will check the UF setup as well 🙂

Re: Using UF as windows syslog forwarder

PickleRick — Tue, 19 Jul 2022 15:59:28 GMT

It seems that rsyslog's imhttp module is not that easy to get - it's not distributed with binary packages and I definitely have no time to rebuild whole packages (and look for civetweb that the module relies on and compiling that).

So it seems the UF->rsyslog option is not really viable for me.