
Windows Events with Log Manager and Event Log Forwarder

Although we are working on native Windows Event support with Log Manager, many of you have been asking how to send Windows Events to Log Manager v1.0. The good news is that SolarWinds Event Log Forwarder can be used to send Windows Events to Log Manager. Event Log Forwarder is a free tool which converts Windows Events to syslog and transmits them to a syslog server or log management tool such as Log Manager. So, where do you start?

You can download the tool from here: FREE Event Log Forwarder for Windows | SolarWinds

Once you have the tool installed, the first step is to configure it to send log data to Log Manager. Go to 'Syslog Servers' and add your Log Manager/Orion server details (default port 514/UDP is fine). If you need to forward the logs to multiple servers, you can list additional servers in LogForwarderSettings.cfg.


Next step is to configure which logs you want to transmit to Log Manager. In addition to the Application, System and Security logs, Windows Event Viewer includes a vast array of other categories. The Log Forwarder also allows you to customize exactly which logs are sent to Log Manager, to ensure that only certain events are forwarded and you are not bombarded with noise. You could configure Log Forwarder to only send error and warning logs from System and Application, while excluding certain event IDs such as Windows Filtering Platform events (which are notoriously noisy).

In this example, I have configured error and warning logs to be sent from a number of application logs, excluding two event IDs. You can use the 'Show preview of matching event records' option to get a sneak peek at logs that match your conditions.


Now that logs are being sent to Log Manager, you need to ensure you have added the node to Orion. If not, you'll get a notification in Orion to let you know that log data from an unknown node is being received. When you browse to the Node Details page you'll notice the 'Analyze Logs' button, which will take you directly to the Log Viewer and display the Windows Events for that node. This additional layer of visibility and immediate access to log data can be especially useful when troubleshooting a server/application issue in SAM.


At this point you can now view, filter, search and chart your Windows Events in the same way as your syslog/traps. For more information on the powerful log management features which Log Manager provides, please see my post: Introducing Log Manager for Orion

If you have any questions please post in the comments section below.
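To confirm that forwarded events actually arrive on the port configured above (514/UDP by default) and to see which syslog facility and severity each one is tagged with, here is a small receiver added for this article; it is not part of the original post and not SolarWinds code. It assumes Event Log Forwarder emits RFC 3164-style lines that start with a `<PRI>` field; the sample lines at the bottom are constructed for the offline demo, not real forwarder output.

```python
# Added example (not from the original post or SolarWinds' tooling): a minimal
# UDP syslog listener with PRI decoding, for checking that Event Log Forwarder
# output reaches the collector and seeing the facility/severity of each event.
import re
import socket
from typing import Optional

# Facility and severity names per the syslog PRI table (PRI = facility*8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message: str) -> Optional[dict]:
    """Split one syslog line into facility, severity and the remaining text.

    Returns None when no valid PRI is present, which usually means the sender
    is not speaking syslog at all (or the line was truncated in transit).
    """
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility max 23, severity max 7 -> 23*8+7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "body": message[m.end():],
    }


def listen(bind_addr: str = "0.0.0.0", port: int = 514,
           max_messages: Optional[int] = None) -> int:
    """Receive UDP datagrams, print each decoded, and return how many arrived.

    Binding to 514 needs root/Administrator; as a normal user pick a high port
    and point the forwarder's 'Syslog Servers' entry at it temporarily.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print(f"listening on {bind_addr}:{port}/udp")
    count = 0
    try:
        while max_messages is None or count < max_messages:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
            count += 1
            text = data.decode("utf-8", errors="replace").rstrip("\r\n")
            parsed = decode_pri(text)
            if parsed is None:
                print(f"{src_ip}: NOT SYSLOG: {text[:120]!r}")
                continue
            print(f"{src_ip}: {parsed['facility_name']}.{parsed['severity_name']} "
                  f"{parsed['body'][:200]}")
    finally:
        sock.close()
    return count


# Constructed sample lines (hostnames and text are made up, not real forwarder
# output) so the decoder can be exercised without a Windows sender.
SAMPLE_LINES = [
    "<11>Jun 22 11:00:04 WIN2016-APP1 Application: constructed error event",
    "<12>Jun 22 11:00:05 WIN2016-APP1 System: constructed warning event",
    "<0>Jun 22 11:00:06 WIN2016-APP1 kernel-facility sample",
    "not a syslog line",
]


def decode_samples() -> list:
    """Decode the constructed samples; None marks a non-syslog line."""
    return [decode_pri(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, parsed in zip(SAMPLE_LINES, decode_samples()):
        label = "NOT SYSLOG" if parsed is None else \
            f"{parsed['facility_name']}.{parsed['severity_name']}"
        print(f"{label:12} {line}")
    # Uncomment to wait for real traffic from the forwarder:
    # listen(port=5514, max_messages=5)
```

If the listener shows nothing while Event Log Forwarder's preview shows matching events, the problem is on the path (host firewall, wrong target IP or port) rather than in the filter; if lines arrive but are reported as NOT SYSLOG, the collector and the forwarder disagree on message format.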

Comments

Hi,

Have you been able to get the event forwarder working on Windows Server 2016?

I have installed the tool and configured it, however there are definitely no events forwarded.

cheers

Yes, we have tested on Windows Server 2016. Can you confirm that you have configured your Log Manager IP as a syslog server in the Event Forwarder? Are you able to see traffic on UDP port 512 via Wireshark?

Hello,

Yes, we have configured the tool with our NPM server IP address and unfortunately we do not see the log.

I will install Wireshark on the 2016 server in order to check if the packets are sent.

Cheers

What will be the default syslog facility? Is it Kernel (messages)?


Version history: Revision 1 of 1, last update 06-22-2018 05:56 AM