syslog-ng-users February 2011 archive

Re: [syslog-ng] Syslog-ng Windows Agent & WIN2008 Event Forwarding Subscription

From: Szilárd Szabó <xilu87_at_nospam>
Date: Tue Feb 08 2011 - 11:52:23 GMT
To: "Syslog-ng users' and developers' mailing list" <>

Dear members,

I installed Epilog and added the log file [ForwardedEvents.evtx], but
it doesn't work, because it's like a binary file.
Any idea how to forward ForwardedEvents subscriptions?

I tried the Syslog-ng Windows Agent, Splunk, Snare, Snare Epilog and EvtSys.


I tried SolarWinds Log Forwarder for Windows. This is the one which works.
But I have a problem with it too. All forwarded events appear under
one host/IP in syslog-ng.

Any idea? Or other applications which work?
Or any solution which works with Windows Server 2008 Event Subscription?
(But I do not want to migrate again.)

P.S.: the syslog-ng support team can't reproduce this mistake that I have.

Regards Szilard Szabo

2011/1/23 Zoltán Pallagi <>:
> On 2011.01.23. 17:38, Martin Holste wrote:
>> Bah, too bad!  Thanks a lot, Microsoft.  Nice that they finally put
>> together some sort of log forwarding in the least inter-operable way
>> possible.
>> Your next option might be to install Epilog (similar to Snare) and
>> forward the flat files the log subscription is writing out.
> Well, as far as I know, the free Snare clients can send logs only via
> UDP, which is not lossless. So if you want to forward your logs via TCP
> or TLS to a syslog-ng server, I think the best solution is to use the
> syslog-ng agent, because BalaBit develops both products, and we take care
> of the best interoperability of the syslog-ng agent and syslog-ng.
> Of course, if you would like to use free software, you can use other
> programs on your Windows (only syslog-ng PE includes the agent, so it's not
> free), but from my point of view, when you want to collect logs from
> thousands of Windows servers, the cost is not the basic aspect.
>> 2011/1/23 Szilárd Szabó<>:
>>> I try it.
>>> Negative :(
>>> 2011/1/22 Martin Holste<>:
>>>>> I am not sure that these programs can forward events coming from
>>>>> other Windows hosts forwarded by WinRM. (So these events are in the
>>>>> ForwardedEvents store on the server, and the syslog-ng agent forwards
>>>>> these forwarded events to a syslog-ng.)
>>>>> Can you confirm that these programs can do it?
>>>> I have not tried EvtSys with subscriptions, but I know that by default
>>>> it will forward all sources (Security, Application, etc.) including
>>>> any custom or otherwise non-standard sources.  If ForwardedEvents is
>>>> considered a source, it will be forwarded along with everything else.
>>>> I should also point out that you can configure EvtSys to filter out
>>>> messages in a granular way with some registry keys if you don't want
>>>> everything.
>>>> ______________________________________________________________________________
>>>> Member info:
>>>> Documentation:
>>>> FAQ:
>>> --
>>> Üdvözlettel / Regards Szabó Szilárd
> --
> pzolee
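The two problems raised in this thread, that ForwardedEvents.evtx is a binary store no flat-file tailer can read, and that a relay on the collector makes every forwarded event show up under the collector's own host/IP, can both be handled by reading the channel through the Windows event API and putting the originating machine's name into the syslog HOSTNAME field. The script below is an added example, not code from the thread or from any of the products it mentions (syslog-ng agent, Snare, Epilog, EvtSys or SolarWinds). It assumes a syslog-ng `syslog()` TCP source reachable at the placeholder syslog.example.internal:601, and that it runs under an account that may read the ForwardedEvents channel (a member of "Event Log Readers"); the enterprise number 32473 in the structured-data block is the one reserved for documentation examples.

```powershell
<#
 Added example: relay the ForwardedEvents channel of a Windows Event
 Collector to syslog-ng over TCP as RFC 5424 messages with octet-counting
 framing. HOSTNAME is taken from each event's MachineName, i.e. the server
 that originally logged it, so syslog-ng files events under the source host
 rather than under the collector. Host, port and enterprise id are
 assumptions/placeholders, not values from the thread.
#>
param(
    [string]$SyslogHost = 'syslog.example.internal',   # placeholder
    [int]   $SyslogPort = 601,                          # syslog-ng syslog() TCP source
    [int]   $MaxEvents  = 200
)

function Protect-SdValue {
    # Escape the characters RFC 5424 forbids unescaped inside SD-PARAM values.
    param([string]$Value)
    return ($Value -replace '(["\\\]])', '\$1')
}

function ConvertTo-Syslog5424 {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    # Windows level: 1=Critical 2=Error 3=Warning 4=Information 5=Verbose.
    $severity = switch ([int]$Event.Level) { 1 {2} 2 {3} 3 {4} 4 {6} default {7} }
    $facility = 1                                  # user-level messages
    $pri      = $facility * 8 + $severity

    $ts = if ($Event.TimeCreated) {
        $Event.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    } else { '-' }

    # MachineName is the originating host, not the collector we run on.
    $hostname = if ($Event.MachineName) { $Event.MachineName } else { '-' }

    # APP-NAME must be printable US-ASCII without spaces, at most 48 chars.
    $app = ($Event.ProviderName -replace '[^\x21-\x7E]', '_')
    if (-not $app) { $app = '-' }
    if ($app.Length -gt 48) { $app = $app.Substring(0, 48) }

    $desc = $Event.FormatDescription()
    if (-not $desc) { $desc = "(no description available for event $($Event.Id))" }
    $msg = ($desc -replace '\s+', ' ').Trim()

    # 32473 is the enterprise number reserved for documentation examples.
    $sd = '[win@32473 channel="{0}" eventid="{1}" recordid="{2}"]' -f `
          (Protect-SdValue $Event.LogName), $Event.Id, $Event.RecordId

    $line  = "<$pri>1 $ts $hostname $app - $($Event.Id) $sd $msg"
    $bytes = [System.Text.Encoding]::UTF8.GetByteCount($line)
    return "$bytes $line"          # octet-counting frame: MSG-LEN SP SYSLOG-MSG
}

function Send-ForwardedEventsToSyslog {
    param([string]$SyslogHost, [int]$SyslogPort, [int]$MaxEvents)

    # @() keeps a single result as an array so Reverse() below always works.
    $events = @(Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    if (-not $events) {
        Write-Warning 'No events in ForwardedEvents (or no permission to read the channel).'
        return 0
    }

    $client = New-Object System.Net.Sockets.TcpClient($SyslogHost, $SyslogPort)
    $stream = $client.GetStream()
    $sent   = 0
    try {
        # Get-WinEvent returns newest first; send oldest first instead.
        [array]::Reverse($events)
        foreach ($e in $events) {
            $buf = [System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Syslog5424 -Event $e))
            $stream.Write($buf, 0, $buf.Length)
            $sent++
        }
        $stream.Flush()
    } finally {
        $stream.Dispose()
        $client.Close()
    }
    return $sent
}

Send-ForwardedEventsToSyslog -SyslogHost $SyslogHost -SyslogPort $SyslogPort -MaxEvents $MaxEvents
```

On the syslog-ng side this pairs with a source such as `source s_wec { syslog(ip("0.0.0.0") port(601) transport("tcp")); };`, whose `syslog()` driver expects exactly this RFC 5424 framing, and with `keep_hostname(yes)` in the global `options { ... }` block so that the HOSTNAME carried in each message, rather than the collector's address, becomes the `$HOST` macro used for filing. The script only ships the newest `$MaxEvents` records each time it runs; a production relay would also have to remember the last `RecordId` sent so that nothing is duplicated or skipped between runs.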