Best Windows 2008 Server Syslog Method


    I want to send Windows 2008 Syslog to a centralizes syslog server.  What is the best way to do this.  For 2012 WMI works best.  Snare is no longer supported and has a vulnerability in it.  Thoughts?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
How many nodes/devices do you need to monitor?

- You could use PRTG for free up to 100 monitored nodes.
--- Link:
- If you have some money to spend, Kiwi Syslog Server.
--- Link:

- If you need a very flexible syslog client, check out NXlog Community Edition.
--- Link:

There are probably plenty of other, but these are the ones I have tried & used.

btanExec ConsultantCommented:
Thought snare still support Win2K8 e.g. use of "Snare Enterprise Agent" -

For windows event to ext syslog server, an agent in the server (besides Win2012 as mentioned which already has that "agent" natively) is unavoidable and there is a "common" ones such as (on top of Snare) are Datagram SyslogAgent and Balabit Software syslog-ng. Snare and syslog-ng has been the preferred one esp if the forwarder log need to be customized to retain like ensure TCP (instead of UDP) protocol,  device source ip (win server) and truncation of msg etc. in fact NXLOG is not bad for Windows to Syslog - the community version has interesting take why it fares better as common to those "common" leaders @ - The values I see important operationally is
Log messages need not to be flattened out and squeezed into the syslog format or similar single line messages if this is not required. A special nxlog message format can preserve the parsed fields of log messages and transfer these across the network or store in files. This alleviates the need to parse the messages again at the receiver side and avoids loosing any information which was available at the source.
The key is to if possible get quality log and if possible sanitise minimal so that upstream processing can be more worthwhile and at the same time not demand the device source at site too demanding process (like running extra script on top of agent, etc). Stakeholder is deters by introduction of more s/w and performance lapse on server to do extra work and processing
There is no "best", unless perhaps you can clearly define what "best" means to you. And then it's possible that you'll only get your "best" if you write it yourself or have it written to your requirements.

What do you need to find? Regulatory requirements? Cheap? Efficient? Accurate? Reliable? Simple? Is UDP an issue? Or do you require TCP? Various elements need to be outlined and weighted. Some are needs, some wants, some just nice, others who cares?

Otherwise you'll only get what has worked fine for others; and everyone has a "best" in their environments, but based on how well it meets their (perceived) needs. You'll get list which is what you'll get simply by running internet searches anyway. There's no guarantee anyone will mention any of the ones that will actually be "best" in your environment.

btanExec ConsultantCommented:
I opt for cost effective and operational friendly soln and there is not non-vulnerable s/w pieces esp when we talking even about OS itself is patchy. The key is to go timely in patch and not breaking the apps in doing so hence the soln has to cater easier and non-impactful patch rollout - meaning ideally need not reboot whole system but only the agent service etc.

I encounter "hanging" syslog receiver agent which seems active but actually in a stalemate state due to overloaded log size to process from it causing the remote sender pair to stall while agent to recover. Ths issue is the remote end cannot store too long and till the hanging state of its receiver is detected timely to have someone resolved it, log will be overridden and lost...the soln needs to be able to queue (and hold) and be alert friendly to have snmp trap error event to like monitoring service for OPS response.

The solution mentioned prev can still applies and script via WMI is quick kill but not robust in operational long my own opinion. Likewise in different OS, there are various event id and it is hard to keep chasing for selectively piping log to remote. the upgrade of such must cater to ease of quick configuration in that aspects as well, and best is to have it seamlessly updated as OS upgrade...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
awakeningsAuthor Commented:

    Sorry about the delay.  Life has been crazy.  We went with Solar winds.  I left it to my tech and I'm ok with that.


It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.