This article explains how to send logs from Windows systems to a syslog server using NXLog (community edition). In this case we're sending to a syslog server listening on TCP. NXLog is easy enough to install, but the configuration process is not so easy. Because the Windows EventLog carries many more fields than syslog, we structure the log data as a JSON object. The receiving end must be able to parse JSON.
LogLevel INFO
LogFile C:\Program Files\nxlog\data\nxlog.log
Moduledir C:\Program Files\nxlog\modules
CacheDir C:\Program Files\nxlog\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input eventlog>
    Module im_msvistalog
    # We want the Application, System and Security channels.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Collapse Windows line endings so each event stays on one line.
    Exec $raw_event = replace($raw_event, "\r\n", " ");
</Input>

<Output out>
    Module om_tcp
    # The syslog server and its listening port.
    Host 10.1.2.3
    Port 514
    # Needed to send the event as a JSON object.
    Exec parse_syslog(); to_json();
</Output>

<Route 1>
    # Linking it all together.
    Path eventlog => out
</Route>
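The receiving side has to turn that TCP stream back into events: om_tcp writes one JSON object per line, but TCP does not preserve message boundaries, so a single read may hold several records or half of one. As an added example (not from the original article and not NXLog's own code), here is a small Python receiver that buffers partial lines and counts malformed ones instead of dropping them silently; the sample stream and the field names EventID, Channel and Message in it are constructed and assumed, not taken from a live system.

```python
import json
import socketserver

# Constructed sample of what om_tcp might deliver in one recv(): two good
# records, one junk line, and the start of a record whose newline has not
# arrived yet. Field names are assumed, not captured from a real host.
SAMPLE_STREAM = (
    b'{"EventTime":"2024-01-01 12:00:00","Hostname":"WIN-EXAMPLE",'
    b'"Channel":"Security","EventID":4624,"Message":"An account was logged on."}\n'
    b'this is not json\n'
    b'{"EventTime":"2024-01-01 12:00:01","Hostname":"WIN-EXAMPLE",'
    b'"Channel":"System","EventID":7036,"Message":"Service entered running state."}\n'
    b'{"EventTime":"2024-01-01 12:00:02","Channel":"Application"'
)


def parse_record(line: bytes):
    """Return the decoded JSON object, or None if the line is not a JSON object."""
    try:
        obj = json.loads(line.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def process_buffer(buffer: bytes):
    """Parse every complete line in buffer.

    Returns (records, bad_line_count, leftover) where leftover is the
    unfinished tail that must be kept until more bytes arrive.
    """
    *lines, rest = buffer.split(b"\n")
    records, bad = [], 0
    for line in lines:
        if not line.strip():
            continue  # blank keepalive or trailing newline, nothing to parse
        rec = parse_record(line)
        if rec is None:
            bad += 1  # counted so a noisy sender shows up in metrics
        else:
            records.append(rec)
    return records, bad, rest


class JsonLineHandler(socketserver.StreamRequestHandler):
    """Listener for the NXLog om_tcp output (e.g. TCP 514 as in the config)."""

    def handle(self):
        buffer = b""
        while chunk := self.request.recv(4096):
            records, bad, buffer = process_buffer(buffer + chunk)
            for rec in records:
                print(rec.get("Channel"), rec.get("EventID"), rec.get("Message"))


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 514), JsonLineHandler) as srv:
        srv.serve_forever()
```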