Updated: 2024-03-25
Why Forward Windows Events to Syslog
Windows servers generate a wealth of diagnostic and security data — service starts, logon attempts, system errors, and application warnings. However, these events stay siloed inside the Windows Event Log unless you export them.
By forwarding Windows Events to a SolarWinds Syslog collector, you can centralize visibility across both Windows and network infrastructure, correlate events with firewall logs, and trigger SolarWinds alerts in real time. This approach helps unify monitoring and simplifies compliance reporting.
Step 1 — Identify Your SolarWinds Syslog Receiver
The SolarWinds Syslog Service (or Log Analyzer / Log Viewer) typically listens on UDP port 514 for incoming messages.
- Confirm the SolarWinds server’s IP address.
- Make sure any firewalls between your Windows host and SolarWinds allow outbound UDP 514 traffic.
- You can test connectivity later using Test-NetConnection -ComputerName <SolarWindsIP> -Port 514.
Step 2 — Choose a Forwarding Method
Windows doesn’t natively send events via Syslog, so you’ll need one of the following methods:
- SolarWinds Event Log Forwarder for Windows (ELF) — a free, lightweight utility from SolarWinds.
- NXLog or Snare Agent — third-party syslog agents with advanced filtering.
- Windows Event Collector + PowerShell — for custom or scripted scenarios in labs.
For most environments, the SolarWinds Event Log Forwarder is the simplest and most reliable choice.
Step 3 — Install SolarWinds Event Log Forwarder
- Download and install SolarWinds Event Log Forwarder for Windows on the system you want to monitor.
- Launch the configuration utility.
- Click Add Syslog Server, and enter:
  - Server: your SolarWinds Syslog collector IP (e.g., 192.168.1.50)
  - Port: 514
  - Protocol: UDP (or TCP if configured on the collector)
- Click OK and ensure the connection shows as active.
Step 4 — Select Which Events to Forward
In the Event Log Forwarder console:
- Click Add Rule.
- Choose which Event Logs to monitor — typically:
  - Application
  - System
  - Security (for logon attempts, failures, etc.)
- Apply filters as needed — for example, only forward Warning and Error events, or filter by Event ID (e.g., 4625 for failed logon).
- Set the Syslog Facility (default = local0) and Severity Mapping if desired.
- Save your rule.
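For readers who take the "Windows Event Collector + PowerShell" route from Step 2, or who want to see what the facility and severity mapping from Step 4 actually produce on the wire, the script below is an added example and is not code from SolarWinds or from this guide. It reads recent Security 4625 events plus Warning and Error events from System and Application with Get-WinEvent, formats each one as an RFC 3164 syslog line using facility local0 (numeric 16, so PRI = 16 * 8 + severity) and sends it over UDP 514. The collector address 192.168.1.50 is the placeholder from Step 3, and the level-to-severity mapping is an assumption chosen to mirror what an agent would do by default; adjust both for your environment. Because Test-NetConnection -Port performs a TCP connect, running this script and watching Syslog Viewer in Live Mode is also the more faithful check that UDP 514 is actually reaching the collector. Reading the Security log requires an elevated PowerShell session.

```powershell
# Added example: scripted syslog forwarder for the PowerShell option in Step 2.
# Not SolarWinds code. Collector address and severity mapping are assumptions.
param(
    [string]$SyslogServer = '192.168.1.50',   # placeholder: your SolarWinds collector IP
    [int]$SyslogPort      = 514,
    [int]$MaxEvents       = 50
)

# RFC 3164: facility local0 = 16, PRI = facility * 8 + severity
$Facility = 16

# Assumed mapping of Windows event Level to syslog severity:
# Level 1 Critical -> 2 (critical), 2 Error -> 3 (error), 3 Warning -> 4 (warning),
# 4 Information -> 6 (informational), 0 LogAlways (Security audit records) -> 6
$SeverityMap = @{ 1 = 2; 2 = 3; 3 = 4; 4 = 6; 0 = 6 }

function ConvertTo-SyslogMessage {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)

    $level = [int]$Event.Level
    $severity = if ($SeverityMap.ContainsKey($level)) { $SeverityMap[$level] } else { 5 }
    # Security "Audit Failure" records carry keyword 0x10000000000000; rate them as warnings
    if ($Event.Keywords -band 0x10000000000000) { $severity = 4 }
    $pri = $Facility * 8 + $severity

    # RFC 3164 timestamp, e.g. "Mar 25 09:05:01"; a single-digit day is space-padded
    $timestamp = $Event.TimeCreated.ToString('MMM d HH:mm:ss', [cultureinfo]::InvariantCulture)
    if ($Event.TimeCreated.Day -lt 10) { $timestamp = $timestamp.Insert(4, ' ') }

    $hostname = $env:COMPUTERNAME
    $tag = "$($Event.LogName)[$($Event.Id)]"
    # Collapse the message to one line; SolarWinds rules match on this text (e.g. "Audit Failure")
    $body = ($Event.FormatDescription() -replace '\s+', ' ')
    if ($body.Length -gt 900) { $body = $body.Substring(0, 900) }   # keep well under the UDP datagram limit

    return "<$pri>$timestamp $hostname $tag $body"
}

function Send-Syslog {
    param([string]$Message)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Message)
        [void]$udp.Send($bytes, $bytes.Length, $SyslogServer, $SyslogPort)
    } finally {
        $udp.Close()
    }
}

# Select the same kinds of events Step 4 suggests: failed logons (4625) and Warning/Error events
$events = @()
$events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
$events += Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2, 3 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($e in $events) {
    Send-Syslog -Message (ConvertTo-SyslogMessage -Event $e)
}
Write-Host "Forwarded $($events.Count) events to ${SyslogServer}:$SyslogPort over UDP"
```

Run it once with a small -MaxEvents while Syslog Viewer is in Live Mode; each line should show up with the hostname from $env:COMPUTERNAME, facility local0, and the mapped severity, which makes it easy to confirm that a SolarWinds rule keyed on Event ID 4625 or the text "Audit Failure" fires before you commit to an agent configuration.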
Step 5 — Verify Transmission
Back on your SolarWinds server:
- Open Syslog Viewer or Log Analyzer → Live Mode.
- Generate a test event — for example, stop and start a Windows service.
- You should see the syslog message appear with the correct hostname, facility, and severity.
If no messages appear:
- Recheck your firewall and agent configuration.
- Confirm the service SolarWinds Syslog Service is running.
Step 6 — Tune and Alert
Once logs are arriving, create custom rules and alerts within SolarWinds:
- Match specific Event IDs or text patterns (like “Audit Failure” or “Service Terminated”).
- Trigger an email or ticket when a high-priority event occurs.
- Use rule actions to forward critical events to another SIEM or archive destination.
Step 7 — Test in a Lab
If you’re experimenting in EVE-NG or a similar lab platform, a Windows host running the Event Log Forwarder makes a perfect alert-testing source. You can safely simulate failed logins, service restarts, or system reboots to watch how SolarWinds ingests, filters, and alerts on those messages — invaluable for tuning noise levels before deploying to production.
Summary
Forwarding Windows Event Logs to SolarWinds via Syslog bridges the gap between system and network visibility. With just a small agent and a few rules, you can bring Windows events into the same dashboard as your routers, firewalls, and servers — making correlation and troubleshooting dramatically faster.
Whether for enterprise monitoring or lab-level experimentation, this setup is a simple but powerful way to unify your observability under SolarWinds.