Event Log Forwarding Guide

by Lavanya Rath - Last Updated: March 10, 2022

Troubleshooting is one of the most difficult aspects of running an application or system. Often, it is a wild goose chase until you know where the problem is and what caused it. This is where log files come in handy: they point you in the right direction, so you are more productive, efficient, and quick in solving problems. In particular, the Windows event logs are a handy tool for identifying and troubleshooting issues.

What are Event Logs?

The Windows event log is a comprehensive and detailed record of all notifications generated by the Windows operating system. This includes system, security, and application notifications, errors, information, warnings, and more.

These event logs are highly useful for understanding how the operating system and the applications running on it behave, and with this information you can quickly troubleshoot issues. You can diagnose the root cause easily and work towards addressing the problem. A related advantage is that such notifications help you proactively predict future issues and prepare for them.

Where to Find Event Logs?

The event logs are located by default in the System32/Config folder, and they have a .evt extension.

You can always move these files to a different location, but it is not as simple as copying and pasting because the log file name and the related location information are stored in the registry.

So, what should you do if you want to change the location of event logs? Simply follow the steps below.

  1. Click the Start menu, then Run. Type “Regedit” and click OK.
  2. On the left-hand pane, look for this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog.
  3. Navigate to the specific event log that you want to move, such as Application, Security, System, etc.
  4. On the right-hand pane, double-click on the EventMessageFile value.
  5. Under the “Value Data” field, type the new location.
  6. Repeat these steps for all the log files and finally, exit the Registry. The changes will be saved automatically.
  7. Lastly, restart your computer.

From now on, the log files will be located in the new location.

Types of Event Logs

Your operating system handles many types of events and has to send notifications and alerts accordingly. Putting all the information in the same log file would make it difficult for you to find information about different event categories.

This is why there are separate event logs for different categories. Let’s look at the most important types of event logs now.

  • Application Event Log: This log file contains events that are caused by programs/applications that run on your system. Which events get written to the log file is determined by the programmer/developer who wrote the code for the application. Every application installed in your system will have a separate application event log.
  • Security Event Log: The security event log file contains security-related events such as the number of successful and failed logins, resource usage, remote connections, and more. You can change which events are recorded in this log file, but you must be logged in as a user with admin rights.
  • System Event Log: This log file contains events that are triggered by Windows service components, and this list is determined by the Windows operating system.
  • Directory Service Log: The Directory Service Log file contains Active Directory (AD) related events, and you can see this file only on systems that act as domain controllers.
  • DNS Server Log: This log file is located on DNS servers only and, as you may have guessed, contains events related to the resolution of DNS names.

There are many more log files, but these are the most prominent and commonly-used ones.

Now that you have an idea of what event log files are and their types, let’s see how you can forward them from one system to another, and the rationale behind this process.

Event Log Forwarding

The Windows operating system allows event logs to be forwarded from one host to another. This can be a big advantage when you have to manage multiple systems within a network. You can configure all the event logs to be forwarded to a centralized system, so you can easily monitor them and, more importantly, take the necessary proactive steps to prevent major failures.

All these forwarded events are stored in a file called Forwarded Events Log.

In this article, let’s see how you can configure systems to send their event logs to a centralized system, where to access this centralized log file, how to glean information from it, and which third-party tools you can use to save time and effort.

Let’s start with the configuration.

Configuring Systems to Forward and Receive Event Logs

The Windows operating system generates the event logs automatically, so no additional effort is required on your part for that. However, you must set up the source computers to forward event logs to a central system.

To do this, open your command prompt with admin permissions and execute the following command.

C:\> winrm quickconfig

Also, add the receiving computer to the local Administrators group of each source computer. This should allow the source computers to forward their event logs to the centralized computer.

Now, moving on to the centralized computer, you must configure this to receive event logs. Again, open your command prompt with admin privileges and enter the following command.

C:\> wecutil qc

Change Subscription Properties

After you add those configurations, change the subscription properties so your computers know what events are being collected by the receiver. To do this, follow the steps below.

  • Log in to the device with administrator privileges and open the Event Viewer app. The easiest way is to right-click the Windows button and search for it.
  • On the left-hand pane, look for an option called Subscriptions and click it.
  • On the rightmost pane, look for an option called “Create Subscription” and click that.
  • This will open a new window called Subscription Properties; in it, select the collector or receiving computer and the events you want the source system to forward.

Once you set up these properties, the source computer will automatically forward log events to the receiving computer.
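As an added example (not from the original article), here is the same subscription created from PowerShell on the receiving computer instead of through the Event Viewer dialog, assuming winrm quickconfig has been run on the sources and wecutil qc on the collector as described above. The source host names are placeholders, and the query keeps only the Security log’s logon success and failure events (IDs 4624 and 4625).

```powershell
# Added example: create a collector-initiated subscription with wecutil and
# confirm that events arrive in the Forwarded Events log.
# Assumes: "wecutil qc" was run on this (collector) machine and "winrm quickconfig"
# on every source; the host names below are placeholders for your own sources.
$SubscriptionId = 'SecurityLogons'
$Sources = @('SOURCE01.example.local', 'SOURCE02.example.local')   # placeholders

# Collect only logon success (4624) and failure (4625) events from the Security log.
$Query = '<QueryList><Query Id="0" Path="Security">' +
         '<Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>' +
         '</Query></QueryList>'

# One <EventSource> element per source computer.
$EventSources = ($Sources | ForEach-Object {
    '    <EventSource Enabled="true"><Address>' + $_ + '</Address></EventSource>'
}) -join "`n"

$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon events forwarded from source computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$EventSources
  </EventSources>
</Subscription>
"@

$Path = Join-Path $env:TEMP "$SubscriptionId.xml"
Set-Content -Path $Path -Value $Xml -Encoding UTF8

# Create the subscription, then show its per-source runtime status: a source that
# is unreachable or that denies the collector access to its Security log shows up here.
& wecutil cs $Path
& wecutil gr $SubscriptionId

# Forwarded events land in the Forwarded Events log on this computer.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, Message |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; `wecutil gr` is the quickest way to see which sources are actually delivering and which are failing.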

Moving on, let’s look at some third-party tools that can ease the process of event log forwarding. These tools are particularly useful for those who are not tech-savvy or those who want to spend less time managing multiple accounts.

Event Log Forwarding Tools

Some of the well-known tools for event log forwarding are:

  1. SolarWinds Event Log Forwarder – FREE TOOL: This free tool from SolarWinds forwards events to Syslog services. You can even filter these events based on a host of parameters to forward just the information you want.
  2. ManageEngine Free Syslog Forwarder: Another free tool that comes in handy for sending syslogs to different destination servers. It can also receive or even block syslogs from specific devices.
  3. Kiwi Syslog: This is an advanced tool that centralizes and simplifies log forwarding and management.
  4. Netwrix Event Log Manager: This freeware tool collects event logs from computers in your network, analyzes them, and sends alerts in real time.

1. SolarWinds Event Log Forwarder – FREE TOOL

This event log forwarder from SolarWinds automatically forwards Windows event logs to any Syslog service. You can also use this tool to forward specific Windows events identified by their event ID, users, keywords, source, and more.

Features

Below are some of the salient features of SolarWinds Event Log Forwarder.

  • Automatically sends events from servers and workstations
  • Exports event data from Windows systems
  • Sends events to multiple servers via UDP and TCP
  • Alerts, stores, and audits activities
  • Filters events to collect only the information you need

Pricing: 100% FREE.

2. ManageEngine Syslog Forwarder

ManageEngine Syslog Forwarder is a tool that allows you to send and receive Syslog files from one device to another.

Features

The salient features of ManageEngine Free Syslog Forwarder are:

  • Allows you to block Syslog from specific devices
  • Forwards messages simultaneously to 10 servers
  • Sends Syslog messages from Unix/Linux devices
  • Makes it easy to receive messages from any number of devices
  • You can configure this tool to get messages from select network devices

Pricing: 100% FREE. Click here to download this tool.

3. Kiwi Syslog

Kiwi Syslog from SolarWinds is an advanced tool that enables you to centralize log management and simplify the process of event log forwarding from one device to another.

Features

Let’s now take a detailed look at the features of this tool.

  • Centralized Management: Managing the logs of a bunch of computers in your network can quickly get out of control. Also, managing them on a system-by-system basis may not always be practical. This is where Kiwi Syslog can come in handy. It brings all the event logs together on a single console, so you can quickly find the information you want.
  • Real-time Alerts: Kiwi Syslog sends real-time alerts based on Syslog messages and SNMP traps. It can receive them from UNIX, Linux, and Windows systems and analyze them for possible threats. These alerts can be a game-changer when it comes to identifying and mitigating security threats.
  • Automatic Response: You can set up Kiwi Syslog to automatically respond to certain messages in a particular way. Based on the message, you can set up Kiwi Syslog to trigger emails, run scripts, forward messages, and any other custom action.
  • Meets Regulatory Compliance: Some industry standards such as HIPAA and PCI DSS require you to archive log messages for a certain period. Kiwi Syslog automatically cleans the logs and archives them to help your business comply with these standards. Similarly, it also handles the necessary documentation required for compliance and internal audits.
  • Filtering and Buffering: With Kiwi Syslog, you can filter any message by hostname, IP address, and timestamp to quickly find the information you want. Also, you can buffer up to 10 million messages and 1,000 emails to handle heavy loads easily.
  • Log Forwarding: Kiwi Syslog allows you to forward event logs to multiple servers using UDP or TCP, as the case may be. You can even specify the events that must be forwarded based on type and keywords.

As you can see, Kiwi Syslog can be a handy tool for managing all your log events in a single place, so you can make better use of them for troubleshooting and for predicting future events.

Pricing: Kiwi Syslog costs $329 per installation and this is a perpetual license, so there are no monthly/yearly payments to track. Click here to try it for free for 14 days.

4. Netwrix Event Log Manager

Netwrix Event Log Manager is a freeware tool that collects messages from different sources, consolidates them, and archives event logs for compliance.

Features

Here’s a brief look at Netwrix Event Log Manager’s features.

  • Consolidates all events in a central location for better visibility and management.
  • Sends notifications about critical events.
  • Stores logs for further analysis and to meet compliance requirements.
  • Automates the process of log collection and monitoring.

Pricing: 100% FREE. Click here to download this freeware.

These are some of the event log forwarding tools that can make this process easier and more effective for you.

Conclusion

To conclude, logs are an important part of your overall network as they act as a gateway to the health and performance of your devices. Windows will automatically capture different events and will log them in their respective files.

As a user, you can always forward these event logs to a central computer, so you can filter, search, analyze, and manage them better. But manually setting up the configurations can be difficult, especially if there are many computers in your network.

This is where third-party tools like Kiwi Syslog and SolarWinds Event Log Forwarder come in handy. We hope the brief description of these different tools gives you an idea of what they can do for your organization, so you can choose accordingly.