Cool Solution - Eventlog to Syslog

From Univention Wiki

Revision as of 09:33, 2 September 2014 by Frahm (talk | contribs)
Jump to: navigation, search
Note: This article is not yet reviewed.
Produktlogo UCS Version 3.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

If a central syslog logging server is used within a Univention Corporate Server (UCS) domain, one might want to connect Microsoft Windows servers and clients to it. Therefore, the Eventlog-to-Syslog service might be used.

This article describes the setup of the service.

The shown procedure works for all common Windows installations (XP, Vista, 7, 8, 8.1, Server 2003, Server 2008, Server 2012)


Server side

Create a file called eventlog.conf withing the directory /etc/rsyslog.d/ and insert the following content

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Explanation:At first, the imupd module will be loaded to provide the ability to receive syslog messages via UDP, next the port on which the UDP server is listening is defined. Save the config file and restart your rsyslog deamon.

service rsyslog restart

In the next step, a packet filter rule for the UDP server must be set. To do so, execute the following command:

ucr set security/packetfilter/package/rsyslog/udp/514/all=ACCEPT

Afterwards, restart the univention-firewall

service univention-firewall restart

The serverside installation is now complete.

Client side

The following steps must be executed on every client from which you want the eventlogs in your syslog file.

  • Download the Eventlog-to-Syslog service from Website

Note: The next steps must be made on the commandline on your Windows Client with and Administrative user.

After you extracted the files from the archive. Change in the directory of the file evtsys.exe and executed the following:

evtsys.exe -i -h [syslog server]

Afterwards, activate the service with

net start evtsys

Now, you should see the first log entrys on your syslog server. Log entrys from your Windows clients always start with their hostname in front of the log messages.

Personal tools