Cool Solution - Eventlog to Syslog
From Univention Wiki
If a central syslog logging server is used within a Univention Corporate Server (UCS) domain, one might want to connect Microsoft Windows servers and clients to it as well. For this, the Eventlog-to-Syslog service (evtsys) can be used: it runs as a Windows service, reads the Windows event logs and forwards each entry as a syslog message.
This article describes the setup of the service.
The procedure shown works for all common Windows installations (XP, Vista, 7, 8, 8.1, Server 2003, Server 2008, Server 2012).
Create a file called eventlog.conf within the directory /etc/rsyslog.d/ and insert the following content:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Explanation: first, the imudp module is loaded, which gives rsyslog the ability to receive syslog messages via UDP; next, the port on which the UDP server listens is defined. Keep in mind that plain syslog over UDP is neither authenticated nor encrypted: anything that can reach port 514 can inject arbitrary lines into your log files, and messages can be lost without notice, so only expose the port towards the networks your Windows machines live in. Save the config file and restart your rsyslog daemon:
service rsyslog restart
In the next step, a packet filter rule for the UDP server must be set so that the univention-firewall lets the syslog traffic through. To do so, execute the following command:
ucr set security/packetfilter/package/rsyslog/udp/514/all=ACCEPT
This rule accepts UDP port 514 on all interfaces. Afterwards, restart the univention-firewall:
service univention-firewall restart
The server-side installation is now complete.
The following steps must be executed on every client whose event logs you want to see in your syslog file.
- Download the Eventlog-to-Syslog service from the project website
Note: The next steps must be carried out on the command line of your Windows client as an administrative user.
After you have extracted the files from the archive, change to the directory containing evtsys.exe and execute the following (-i installs the service, -h names the syslog server; replace [syslog server] with the hostname or IP address of your UCS syslog server):
evtsys.exe -i -h [syslog server]
Afterwards, start the service with
net start evtsys
Now you should see the first log entries on your syslog server. Log entries from your Windows clients always carry the client's hostname in front of the log message, which makes it easy to tell them apart from the server's own syslog entries in the shared file.
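As an added example (not part of the original article, and not evtsys' or Univention's own code), the following Python script reads syslog lines of the kind that now land on the server, picks out the Windows events by hostname, source and event ID, and flags entries worth a second look, such as a burst of failed logons from one client. The sample lines are constructed; the traditional rsyslog timestamp format and the "Source: EventID: LEVEL text" message layout are assumptions about your rsyslog template and evtsys version, so adjust the two regular expressions if your entries look different.

```python
"""Parse Windows event log lines forwarded by Eventlog-to-Syslog (evtsys)
out of a syslog file and pull out events worth alerting on.

Added example, not part of the Univention wiki article and not evtsys'
or Univention's code. Assumptions: the syslog file uses rsyslog's
traditional timestamp format ("Mar  3 10:15:07 HOST TAG: msg"), and the
evtsys message body is laid out as "Source: EventID: LEVEL Text".
"""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample lines, not captured from a real system. The first line
# is the UCS server's own rsyslogd message; the rest come from two Windows
# machines via evtsys.
SAMPLE_LOG = """\
Mar  3 10:15:01 ucs-master rsyslogd: [origin software="rsyslogd"] start
Mar  3 10:15:07 WIN-CLIENT1 Security-Auditing: 4625: AUDIT_FAILURE An account failed to log on.
Mar  3 10:15:09 WIN-CLIENT1 Security-Auditing: 4625: AUDIT_FAILURE An account failed to log on.
Mar  3 10:15:10 WIN-CLIENT1 Security-Auditing: 4625: AUDIT_FAILURE An account failed to log on.
Mar  3 10:15:12 WIN-CLIENT1 Security-Auditing: 4624: AUDIT_SUCCESS An account was successfully logged on.
Mar  3 10:16:30 WIN-SRV01 Service-Control-Manager: 7036: INFORMATION The Print Spooler service entered the stopped state.
Mar  3 10:17:02 WIN-SRV01 Security-Auditing: 4720: AUDIT_SUCCESS A user account was created.
"""

# Traditional syslog file line: "<Mon dd HH:MM:SS> <host> <tag>: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<source>[^:]+): (?P<body>.*)$"
)
# Assumed evtsys body layout: "<event id>: <LEVEL> <message text>"
BODY_RE = re.compile(r"^(?P<event_id>\d+): (?P<level>[A-Z_]+) (?P<text>.*)$")

# Windows Security log event IDs that usually deserve a look.
WATCHLIST = {
    1102: "audit log cleared",
    4625: "failed logon",
    4720: "user account created",
    4732: "member added to security-enabled local group",
}


class WinEvent(NamedTuple):
    timestamp: str
    host: str
    source: str
    event_id: int
    level: str
    text: str


def parse_event(line: str) -> Optional[WinEvent]:
    """Return a WinEvent for an evtsys-formatted line, None for anything else
    (the server's own rsyslogd lines share the file but carry no event ID)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    b = BODY_RE.match(m["body"])
    if not b:
        return None
    return WinEvent(m["ts"], m["host"], m["source"],
                    int(b["event_id"]), b["level"], b["text"])


def parse_log(text: str) -> list:
    """All Windows events in a syslog file, in file order."""
    return [ev for ev in map(parse_event, text.splitlines()) if ev is not None]


def failed_logon_bursts(events, threshold: int = 3) -> dict:
    """Hosts that reported at least `threshold` failed logons (event 4625)."""
    counts = Counter(ev.host for ev in events if ev.event_id == 4625)
    return {host: n for host, n in counts.items() if n >= threshold}


def watchlist_hits(events) -> list:
    """(host, event_id, description) for every watchlisted event, in file order."""
    return [(ev.host, ev.event_id, WATCHLIST[ev.event_id])
            for ev in events if ev.event_id in WATCHLIST]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, n in failed_logon_bursts(evs).items():
        print(f"{host}: {n} failed logons")
    for host, eid, desc in watchlist_hits(evs):
        print(f"{host}: event {eid} ({desc})")
```

Pointing the script at the real file (for example by reading /var/log/syslog instead of SAMPLE_LOG) gives you a first, cheap filter over the forwarded events; since the hostname is the only thing separating Windows entries from the server's own messages, the parser deliberately rejects every line that does not carry an event ID in the expected position.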