It's a bit off-topic but I have a kinda unusual use case. I want to get the events out of a Windows box and store them on a Linux machine (in this particular case it's a Windows VM and I want to export the events to the hypervisor).
Of course, for Linux it's easiest to receive syslog messages, but as we all know, Windows doesn't have a built-in syslog server and you can't easily get the events with built-in Windows tools to push through a syslog channel.
So far I've been using the free SolarWinds Event Log Forwarder but it has its flaws - most notably it has problems with starting automatically with the Windows machine. It ends up with the process started but it's not forwarding events unless I manually disable and re-enable the subscriptions. That's unacceptable.
So I was thinking that maybe I should just install UF and instead of using splunk-tcp output just push events with plain tcp output to a syslog server. Does anyone have experience with it?
The upside to this is that I know that UF works relatively reliably and I wouldn't have to worry about it too much.
The downside is that I would have to define a separate input for each event log channel (but I think I'd simply script it and have it run every few days to synchronise eventlog channels with inputs.conf).
I could of course set up a whole Splunk Free environment on my hypervisor but it would be a huuuuuge overkill.
Any hints for the UF installation/configuration?
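For the setup described in the question (one `WinEventLog://` input per channel, regenerated by a scheduled script, plus a plain TCP output group), here is an added example of what such a sync script could look like; it is not code from this thread or from Splunk, and the install path, app name and collector address are assumptions to adjust.

```powershell
# Added example, not code from the thread. Regenerates UF inputs.conf stanzas for
# every enabled Windows Event Log channel and writes an outputs.conf that sends
# raw (uncooked) TCP, so a plain syslog listener can accept it. SplunkHome, the
# app name and the collector address are assumptions; adjust them to your setup.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$AppName    = 'wineventlog_sync',
    [string]$Collector  = '192.0.2.10:5140'   # placeholder, use your hypervisor
)

$appLocal = Join-Path $SplunkHome "etc\apps\$AppName\local"
New-Item -ItemType Directory -Force -Path $appLocal | Out-Null

# Enumerate channels; skip disabled ones and channels that never held a record.
# Some channels error out when listed without admin rights, hence SilentlyContinue.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Sort-Object LogName

$inputs = foreach ($c in $channels) {
    "[WinEventLog://$($c.LogName)]"
    'disabled = 0'
    'start_from = oldest'
    'current_only = 0'
    ''
}
Set-Content -Path (Join-Path $appLocal 'inputs.conf') -Value $inputs -Encoding ASCII

# sendCookedData = false disables the Splunk-to-Splunk framing so the receiver
# gets plain event text over TCP instead of a splunktcp stream.
$outputs = @(
    '[tcpout]'
    'defaultGroup = collector_raw_tcp'
    ''
    '[tcpout:collector_raw_tcp]'
    "server = $Collector"
    'sendCookedData = false'
)
Set-Content -Path (Join-Path $appLocal 'outputs.conf') -Value $outputs -Encoding ASCII

Write-Host ("Wrote {0} channel stanzas to {1}" -f $channels.Count, $appLocal)

# The UF only reads the new stanzas after a restart; schedule this script to run
# periodically so channels created since the last run get picked up.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
```

The raw stream carries no syslog header, and line-oriented receivers split multi-line event text at each newline, so inspect what one forwarded event looks like on the collector before relying on it.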
A few years back I was using nxlog to send Windows Event Log data to external log collecting systems. It can send logs to syslog and I remember it as being rather reliable.
Converting and Forwarding Windows Event Log via Syslog for Log Collection (nxlog.co)
Bah.
Forgot that syslog output is not available on UF.
But I might try with http output and imhttp rsyslog module.
I'll test it some time next week probably.
It seems that rsyslog's imhttp module is not that easy to get - it's not distributed with binary packages and I definitely have no time to rebuild whole packages (and to look for civetweb, which the module relies on, and compile that).
So it seems the UF->rsyslog option is not really viable for me.
Thanks for the hint. I will probably check it out. But since I had my idea, I think I will check the UF setup as well 🙂