SolarWinds Event Log Forwarder for Windows
v1.2
The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and
its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in
other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or
pending registration in the United States or in other countries. All other trademarks mentioned herein are used for
identification purposes only and may be or are trademarks or registered trademarks of their respective companies.
Microsoft®, Windows®, and SQL Server® are registered trademarks of Microsoft Corporation in the United States
and/or other countries.
Table of Contents
Part I Introduction 1
1 What is Event Log Forwarder for Windows? 1
2 Configuration of Event Log Forwarder Settings 2
3 Deployment of Program Installer 2
Event Log Forwarder Configuration File 2
Event Log Subscriptions 4
Syslog Facilities 6
Syslog Servers 7
Part II Subscriptions 8
1 Overview of Subscription Screen 8
2 Adding Subscriptions 9
3 Renaming Subscriptions 12
4 Editing Properties 12
5 Removing Subscriptions 14
Part IV Test 20
1 Overview of Test Screen 20
Part V Troubleshooting 22
1 Windows Firewall 22
1 Introduction
This Help File describes what SolarWinds Event Log Forwarder for Windows does and how it sends log
messages to Syslog Servers.
These pages contain the information you need to understand its processes. If you do not find what you
are looking for, you can check the SolarWinds Thwack forums online.
See What is Event Log Forwarder for Windows? for a general overview of the product.
See Configuration of Event Log Forwarder Settings for information on how and where your
settings are stored.
See Deployment of Program Installer for instructions on how to run the MSI version of the installer.
Event Log Forwarder for Windows can also run on the following Windows operating system versions:
Windows Server 2003 R2 SP2 *
Windows Server 2008, 2008 SP2, 2008 R2 and 2008 R2 SP1 *
Windows Server 2012, 2012 R2
Windows 7, Windows 7 SP1, Windows 8, Windows 8.1 *
* x86 and x64 editions supported.
Event Log Forwarder for Windows comprises two standard application executables (.exe).
The Event Log Forwarder for Windows Service is named "SolarWinds Event Log Forwarder for Windows"
and is installed and started during the installation process. The Service can be checked and managed
(start, stop, restart, etc.) through the Windows Services manager or from the Windows command
prompt (Net Start "ServiceName").
The Event Log Forwarder for Windows User Interface (UI) allows you to configure the Service. Depending
on which options were selected during installation, it can be opened using the SolarWinds Event Log
Forwarder for Windows desktop shortcut, the Quick Launch item, or the SolarWinds Event Log Forwarder
for Windows Program group accessible from the Windows Start button.
Event Log Forwarder for Windows supports forwarding of both Windows Eventing 5 and Windows Eventing 6
event records.
Windows Eventing 5 Event Log records: Windows O/S versions prior to Windows Vista and
Windows Server 2008.
Windows Eventing 6 ("Crimson") Windows Event Log records: versions of Windows based on the
Windows NT 6.0 kernel (Windows Vista and Windows Server 2008, 2012).
When a change is saved within the UI, the configuration file is updated and the Service re-initializes to
pick up the changes immediately.
See Deployment of Program Installer for information on how to deploy the configuration to a target
machine.
The standard application executable file (.exe) is installed simply by double-clicking on the file.
The Windows Installer Package file (MSI) is provided for 'silent' deployment using the /quiet
switch.
To run the MSI on the target machine, use the following command syntax:
SolarWinds_Event_LogForwarder_Version_Setup.msi /quiet
Note:
The MSI installer package for Event Log Forwarder for Windows does not include the prerequisites
installer, which automatically downloads and installs required prerequisite software, such as the .Net
Framework 4.0 from Microsoft. In order to successfully deploy Event Log Forwarder for Windows, you
will need to first ensure that the required prerequisites are already installed.
To deploy the configuration file to a target machine, copy the LogForwarderSettings.cfg file to the Event Log
Forwarder for Windows installation directory after the MSI has been installed successfully. For example: (
<Program files>/SolarWinds/SolarWinds Event Log Forwarder for Windows/... ).
The configuration file contains a nested hierarchy of XML tags and subtags that specify the configuration
settings. It is located in the installation directory of Event Log Forwarder for Windows (usually C:\Program
Files\SolarWinds\SolarWinds Event Log Forwarder for Windows).
For Event Log Subscriptions, each Event Log Subscription is declared with an <EventLogSubscription>
tag. The following LogForwarderSettings.cfg excerpt declares two Event Log Subscriptions.
      <categories />
      <keywords />
      <users />
      <computers />
      <facility>10</facility>
      <enabled>true</enabled>
      <name>New System Event Log Subscription</name>
      <description>Security Event Log - Error, Warning and Information
Event Types</description>
    </EventLogSubscription>
  </EventLogSubscriptions>
  <SyslogServers>
    ...
  </SyslogServers>
</LogForwarderSettings>
For Syslog Servers, each Syslog Server is declared with a <SyslogServer> tag. The following
LogForwarderSettings.cfg file declares two Syslog Servers.
<channels>
A list of valid event log channels (e.g. Application, System, Security) that are subscribed to. Each
subtag of type <string>.
<types>
A list of valid event log types. Each subtag of type <int>. Valid values are 1 (Error), 2 (Warning), 4
(Information), 8 (Audit Success), 16 (Audit Failure).
<sources>
A list of valid event log sources. Each subtag of type <string>.
<eventIDs>
A list of event IDs or event ID ranges. Each subtag of type <string>.
<categories>
A list of valid event log task categories. Each subtag of type <string>.
<keywords>
A list of event keywords. Each subtag of type <string>.
<users>
A list of users. Each subtag of type <string>.
<computers>
A list of computers. Each subtag of type <string>.
<facility>
The default syslog facility number to use when generating a syslog message to send. See Syslog
Facilities.
<enabled>
true/false. If set to true, the event log subscription is active. Events collected while the event log
subscription is enabled are forwarded to the configured syslog servers.
<name>
The name of the Event Log Subscription.
<description>
The description of the Event Log Subscription.
        <string>SolarWindsEventSysLogger</string>
        <string>SolarWindsSyslogService</string>
        <string>SolarWindsTrapService</string>
      </sources>
      <eventIDs>
        <string>0</string>
        <string>1003 - 1006</string>
      </eventIDs>
      <categories>
        <string>(0)</string>
        <string>(100)</string>
        <string>(101)</string>
      </categories>
      <keywords />
      <users>
        <string>System</string>
        <string>Administrator</string>
      </users>
      <computers>
        <string>SERVER-A</string>
        <string>SERVER-B</string>
      </computers>
      <facility>0</facility>
      <enabled>true</enabled>
      <name>New Application Event Log Subscription</name>
      <description>Application</description>
    </EventLogSubscription>
  </EventLogSubscriptions>
  <SyslogServers>
    ...
  </SyslogServers>
</LogForwarderSettings>
Syslog Facilities
Number Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
<serverName>
The name of the Syslog Server.
<IPAddress>
A valid Syslog Server IP address (IPv4 or IPv6), hostname or FQDN.
<Port>
The Syslog Server port (default is 514).
<enabled>
true/false. If set to true, the Syslog Server is active. Events collected are only forwarded to the syslog
servers which are enabled.
<SendMode>
Selects the transport protocol, either UDP or TCP: 0 = UDP, 1 = TCP.
<SourceFormat>
Selects the server address format (IPv4, IPv6, etc.).
    </SyslogServer>
  </SyslogServers>
</LogForwarderSettings>
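As an added example covering both the Event Log Subscription tags and the Syslog Server tags described above (this is not SolarWinds code), the following Python script reads a LogForwarderSettings.cfg and reports settings that would silently stop records reaching a collector: a disabled subscription or server, a Security subscription that omits Audit Failure records, and a server sending over UDP, which gives no delivery acknowledgement. The sample file is constructed from the tag layout documented here; the nesting of the container elements is taken from the fragments shown.

```python
# Added example (not SolarWinds code): read a LogForwarderSettings.cfg and report
# settings that would silently stop records reaching a collector. SAMPLE_CFG is a
# constructed file built from the tag layout this help file documents.
import xml.etree.ElementTree as ET

SAMPLE_CFG = """<LogForwarderSettings>
 <EventLogSubscriptions>
  <EventLogSubscription>
   <channels><string>Security</string></channels>
   <types><int>8</int></types>
   <sources /><eventIDs /><categories /><keywords /><users /><computers />
   <facility>10</facility><enabled>true</enabled><name>Security audit</name>
  </EventLogSubscription>
  <EventLogSubscription>
   <channels><string>System</string></channels>
   <types><int>1</int><int>2</int></types>
   <sources /><eventIDs /><categories /><keywords /><users /><computers />
   <facility>0</facility><enabled>false</enabled><name>System errors</name>
  </EventLogSubscription>
 </EventLogSubscriptions>
 <SyslogServers>
  <SyslogServer>
   <serverName>SIEM</serverName><IPAddress>siem.example.invalid</IPAddress>
   <Port>514</Port><enabled>true</enabled><SendMode>0</SendMode>
  </SyslogServer>
 </SyslogServers>
</LogForwarderSettings>"""
AUDIT_FAILURE = 16  # <types> value documented for Audit Failure records

def audit_config(xml_text):
    """Return a list of findings (strings) for one configuration file."""
    root = ET.fromstring(xml_text)
    findings = []
    for sub in root.iter("EventLogSubscription"):
        name = sub.findtext("name", "")
        channels = [c.text for c in sub.iterfind("channels/string")]
        types = {int(t.text) for t in sub.iterfind("types/int")}
        if sub.findtext("enabled", "false").lower() != "true":
            findings.append(f"subscription '{name}' is disabled; nothing forwarded")
        if "Security" in channels and AUDIT_FAILURE not in types:
            findings.append(f"subscription '{name}' omits Audit Failure (16)")
    for srv in root.iter("SyslogServer"):
        name = srv.findtext("serverName", "")
        if srv.findtext("enabled", "false").lower() != "true":
            findings.append(f"syslog server '{name}' is disabled")
        if srv.findtext("SendMode", "0") == "0":  # 0 = UDP, 1 = TCP per the tag reference
            findings.append(f"syslog server '{name}' uses UDP (no delivery acknowledgement)")
    return findings
```

Run it against the real file from the installation directory by replacing SAMPLE_CFG with the file's contents.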
2 Subscriptions
This chapter provides information and guidance relating to the Subscriptions screens in Event Log
Forwarder for Windows.
See Overview of Subscription Screen for a general overview of the Subscriptions screen.
See Adding Subscriptions for information on adding a new Subscription item to the list.
See Renaming Subscriptions for information on renaming an existing Subscription item.
See Editing Properties for information on editing the properties of an existing Subscription item.
See Removing Subscriptions for information on deleting an existing Subscription item from the list.
Below is a sample screenshot of the Subscriptions screen with three example subscriptions set up.
Application Event Log - Errors & Warning (All Tasks). This subscription has been disabled,
therefore the associated log records will not be forwarded.
Security Event Log - Audit Success & Audit Failure (All Tasks).
System Event Log - Windows Updates, Service Packs and HotFixes (All Tasks).
Note: Edit Properties, Rename, Enable/Disable, and Remove are only available when a subscription
item has been selected.
1. Select the event log (or event logs) you wish to subscribe to from the left column treeview control.
2. Configure the Event type, Event sources, Task category, and filtering options:
Field: Value
Event type: Filter event records by one or more of the Error, Warning, Information, Audit Success and
Audit Failure event types.
Event sources: Filter event records by one or more event sources. Event sources field is populated
Includes/Excludes Event IDs: Filter event records by including and/or excluding event IDs. For
example, to show only records with event IDs 1, 3 or within the range 5-99, but excluding events with
ID 76, type: 1,3,5-99,-76
Task category: Filter event records by one or more task categories. Task categories field is populated
Keywords: Filter event records by keywords (not available for Windows Eventing 5 versions of
Windows).
3. Click Hide preview of matching records to hide the grid view of the events from the selected
subscriptions. Show preview of matching records displays the grid view of the events from the
selected subscriptions again.
4. Click Refresh to preview the event records currently found in your event log(s) which match your
subscription configuration settings.
6. Select the Default Syslog Facility with which the event records will be forwarded to the syslog server(s).
The Default Syslog Facility is combined with the record Event type to form the message Priority column
data within the Syslog Server display window.
7. Click Finish to save your subscription configuration settings and return to the Subscriptions listing
screen.
After that, you can edit the subscription item to make changes.
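The Includes/Excludes Event IDs syntax above (for example 1,3,5-99,-76) is small enough to reproduce exactly, which is useful when checking a subscription against a list of event IDs a detection rule depends on. This is an added Python example, not SolarWinds code; it assumes that an exclusion wins over an inclusion, that an empty filter matches every ID, and that whitespace inside a range is allowed, as in the "1003 - 1006" entry seen in the configuration excerpt.

```python
# Added example (not SolarWinds code): parse the Includes/Excludes Event IDs
# filter syntax ("1,3,5-99,-76") and test event IDs against it. Assumed: an
# exclusion beats an inclusion, an empty include list matches everything, and
# whitespace is tolerated around the dash ("1003 - 1006").
import re

_TOKEN = re.compile(r"^(-?)\s*(\d+)\s*(?:-\s*(\d+))?$")

def parse_event_id_filter(expr):
    """Return (includes, excludes): lists of inclusive (low, high) ranges."""
    includes, excludes = [], []
    for raw in expr.split(","):
        tok = raw.strip()
        if not tok:
            continue  # tolerate trailing or doubled commas
        m = _TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad event ID filter token: {tok!r}")
        neg, low, high = m.group(1), int(m.group(2)), m.group(3)
        rng = (low, int(high) if high else low)
        if rng[0] > rng[1]:
            raise ValueError(f"reversed range: {tok!r}")
        (excludes if neg else includes).append(rng)
    return includes, excludes

def event_id_matches(event_id, expr):
    """True if event_id passes the filter; an exclusion wins over an inclusion,
    and an empty include list means every ID is included (assumed)."""
    includes, excludes = parse_event_id_filter(expr)
    if any(lo <= event_id <= hi for lo, hi in excludes):
        return False
    return not includes or any(lo <= event_id <= hi for lo, hi in includes)
```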
Upon clicking Edit Properties, a new window will appear with the existing fields values displayed.
1. Make your changes to the existing field values accordingly, then click Refresh to preview the effects
of your filtering changes on the event log records.
3. Click Finish to save your subscription configuration settings and return to the Subscriptions listing
screen.
After clicking Remove, a confirmation message box appears to continue the selected action.
3 Syslog Servers
This chapter provides information and guidance relating to the Syslog Servers screen in Event Log
Forwarder for Windows.
See Overview of Syslog Server Screen for a general overview of the Syslog Servers screen
functionality.
See Adding Syslog Server for information on how to add a new Syslog Server item to the list.
See Renaming Syslog Server for information on how to rename an existing Syslog Server item.
See Editing Properties for information on how to edit the properties of an existing Syslog Server item.
See Removing Syslog Server for information on how to remove an existing Syslog Server item from
the list.
The Kiwi Syslog Server has been added using its Hostname and UDP port 514.
The Orion Syslog Server is using the LocalHost IP Address and UDP port 514. This syslog
server item has been disabled, therefore it will not receive forwarded records.
Note: Edit, Enable/Disable, and Remove are only available when a syslog server item has been
selected.
Upon clicking Add, the Syslog Server - Properties window will appear with pre-populated field default
values.
Overtype the default field values accordingly, then click Create to add a syslog server.
Field: Value
Server Name: Display name for the syslog server
Server Address: IPv4 or IPv6 address, hostname, or fully qualified domain name of the syslog server
Port: Destination port to send event logs via UDP/TCP
Protocol: Choose either UDP or TCP
The syslog server item name will then be made editable for you to make changes.
Upon clicking Edit, the Syslog Server - Properties window will appear with the existing field values
displayed.
Make your changes to the existing fields accordingly, then click Update to save.
Field: Value
Server Name: Display name for the syslog server
Server Address: IPv4 or IPv6 address, hostname, or fully qualified domain name of the syslog server
Port: Destination port to send event logs via UDP/TCP
Protocol: Choose either UDP or TCP
Upon clicking Remove, a confirmation message box appears to continue the selected action.
4 Test
This chapter provides information and guidance relating to the Test screen in Event Log Forwarder for
Windows.
See Overview of Test Screen for a general overview of the Test screen functionality.
Choose which Event Logs you want to test by selecting the drop-down field.
From Type of test event group, choose the event message type you wish to add to the Event Log.
Click Create a test event to add the test event to the Event Log.
Note: If the test event was created successfully, a confirmation message states
"test event created successfully". If there is an error, you get a notification
stating "creation of test event was unsuccessful".
5 Troubleshooting
This chapter contains information on troubleshooting issues with the Event Log Forwarder for Windows.
See Windows Firewall for information regarding the Windows Firewall exception.
To prevent blocking of Event Log Forwarder for Windows, its product installer automatically adds
an exception for the program so that the Windows Firewall does not block its functions.
Note:
If log messages do not appear to be forwarded to your designated Syslog Server, check the
Windows Firewall to ensure that the program exception exists.
The Windows Firewall exception is removed automatically when the product is uninstalled using the
Event Log Forwarder for Windows uninstaller.