Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using UF as windows syslog forwarder

PickleRick
SplunkTrust
SplunkTrust
‎07-15-2022 02:43 AM

It's a bit off-topic but I have a kinda unusual use case. I want to get the events out of windows box and store it on a linux machine (in this particular case it's windows VM and I want to export the events to the hypervisor).

Of course for linux it's easiest to receive syslog messages but as we all know, Windows doesn't have built-in syslog server and you can't easily get the events with built-in windows tools to push through syslog channel.

So far I've been using the free SolarWinds Event Log Forwarder but it has its flaws - most notably it has problems with starting automatically with the Windows machine. It ends up with the process started but it's not forwarding events unless I manually disable and re-enable the subscriptions. That's unacceptable.

So I was thinking that maybe I should just install UF and instead of using splunk-tcp output just push events with plain tcp output to a syslog server. Anyone has experience with it?

The upside to this is that I know that UF works relatively reliably and I wouldn't have to worry about it too much.

The downside is that I would have to define a separate input for each event log channel (but I think I'd simply script it and have it run every few days to synchronise eventlog channels with inputs.conf).

I could of course set up whole Splunk Free environment on my hypervisor but it would be a huuuuuge overkill.

Any hints for the UF installation/configuration?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JacekF
Path Finder
‎07-15-2022 05:07 AM

A few years back I was using nxlog to send Windows Event Log data to external log collecting systems. It can send logs to syslog and I remember it as being rather reliable.

Converting and Forwarding Windows Event Log via Syslog for Log Collection (nxlog.co)

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-15-2022 02:55 AM

Bah.

Forgot that syslog output is not available on UF.

But I might try with http output and imhttp rsyslog module.

I'll test it some time next week probably.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-19-2022 08:59 AM

It seems that rsyslog's imhttp module is not that easy to get - it's not distributed with binary packages and I definitely have no time to rebuild whole packages (and look for civetweb that the module relies on and compiling that).

So it seems the UF->rsyslog option is not really viable for me.

0 Karma
Reply
Solved! Jump to solution
Solution

JacekF
Path Finder
‎07-15-2022 05:07 AM

A few years back I was using nxlog to send Windows Event Log data to external log collecting systems. It can send logs to syslog and I remember it as being rather reliable.

Converting and Forwarding Windows Event Log via Syslog for Log Collection (nxlog.co)

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-15-2022 05:29 AM

Thanks for the hint. I will probably check it out. But since I had my idea, I think I will check the UF setup as well 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...