- Windows 11 allows forwarding events to Syslog servers or SIEM platforms using agents or native functions.
- There are multiple configuration options with different levels of security: from UDP without encryption to TCP with TLS and mutual authentication.
- Tools such as Pandora FMS or ManageEngine offer advanced remote collection methods, especially useful in corporate environments.
- When setting up collection in Windows, it is important to consider the permissions, enabled services and security in the transmission of records.
Centralizing Windows 11 event logs in a SIEM solution or on a Syslog server is a key strategy for improving security and IT infrastructure management. Integrating these logs makes incident analysis, audits, and diagnostics faster and more efficient.
Today there are different methods and tools to achieve this: from native Windows solutions to external agents and management platforms like Pandora FMS or ManageEngine. In this article we'll explore all the possibilities, from the most basic to advanced configurations, including options with and without encryption, free agents, and integration possibilities with systems such as Azure Local.
Basic options for sending logs from Windows to a Syslog server
Before going into more specialized configurations, it is useful to know the simple and free alternatives to forward Windows logs to a remote destination.
Free agents available
- Snare Epilog: Limited free version of the InterSect Alliance product. It requires configuration via a web interface and doesn't offer much flexibility.
- CorreLog Windows Agent: Powerful and free via registration. It's configured via text file, installed as a service, and even allows you to log application openings on the system.
- Datagram SyslogAgent: One of the simplest and most robust. Based on NTSyslog, it is configured via the Windows registry and provides caching when the remote server is unavailable.
These solutions are ideal for domestic environments or small infrastructures where centralized control and encryption of messages are not required.
Log Forwarding in Azure Local with PowerShell
In more controlled environments like Azure Stack HCI or Azure Local, Microsoft provides specific cmdlets to configure and manage log forwarding over the Syslog protocol.
Featured cmdlets
The Set-AzSSyslogForwarder cmdlet is used to configure the forwarding settings. Its parameters include:
- -ServerName: IP address or FQDN of the Syslog server.
- -ServerPort: listening port of the remote server.
- -UseUDP: uses UDP as the transport protocol.
- -NoEncryption: allows sending events in plain text.
- -ClientCertificateThumbprint: to establish mutual authentication using certificates.
Once configured, forwarding is activated with Enable-AzSSyslogForwarder and can be disabled with Disable-AzSSyslogForwarder.
Operating modes
Depending on the level of security required, different variants can be applied:
- UDP without encryption: Very easy to set up, but no protection against eavesdropping.
- TCP without encryption: improves message delivery but is still not secure.
- TCP with TLS and server authentication: The client validates the server certificate before sending the logs.
- TCP with TLS and mutual authentication: Both client and server validate their identities using certificates, offering the highest level of security.
Checking and Deleting Settings
To check the current status of log forwarding, use Get-AzSSyslogForwarder with the following optional parameters:
- -Local: Displays the current host configuration.
- -PerNode: detail for each node.
- -Cluster: Displays the global settings for Azure Local.
If you want to completely delete or reset the configuration, use Set-AzSSyslogForwarder -Remove.
Remote log collection in Windows environments
For more complex or enterprise scenarios, remote collection can be done via WMI, remote sessions, or the native Event Viewer connectivity available in Active Directory domains. ManageEngine documents an advanced way to do this, with comprehensive steps:
Required permissions
- Create a service account in the domain with permissions to access the logs.
- Add that account to groups like “Event Log Readers” and “Distributed COM Users.”
- Grant privileges to manage audit logs using local policies or GPOs.
- Configure WMI access and DCOM permissions if necessary.
Technical steps
Once the permissions have been granted:
- Enable connectivity through the firewall.
- Enable the Event Collector service on the target server.
- Configure the WinRM protocol on the source machines.
- Create a subscription from the event viewer by indicating the source devices, log types, and desired filters.
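The following script is an added example, not code from the article or from ManageEngine's documentation. It walks through the permission and technical steps above as a collector-initiated Windows Event Collector subscription that pulls failed-logon events (Security event ID 4625) from domain members. It assumes an elevated PowerShell session on each source for the first part and on the collector for the second; the domain service account CORP\svc-logcollect and the host names are placeholders, and the account is assumed to exist already.

```powershell
# Added example: Windows Event Collector subscription set up with PowerShell.
# Assumptions: CORP\svc-logcollect (placeholder) exists in the domain;
# ws01/ws02.corp.example are placeholder source hosts; run elevated.

# --- On each source machine ---
# Technical step 3: WinRM is the transport the collector uses; quickconfig starts
# the listener and adds its firewall exception.
winrm quickconfig -quiet
# Permission step 2: let the collector's account read the event logs.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CORP\svc-logcollect'

# --- On the collector server ---
# Technical step 1: open the built-in WinRM firewall rule group.
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
# Technical step 2: enable and start the Windows Event Collector service.
wecutil qc /q

# Technical step 4: sources, log and filter, in the subscription schema wecutil reads.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>FailedLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security log: failed logons (event ID 4625) from domain members</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>UserName</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>ws01.corp.example</Address></EventSource>
    <EventSource Enabled="true"><Address>ws02.corp.example</Address></EventSource>
  </EventSources>
</Subscription>
"@
$path = Join-Path $env:TEMP 'FailedLogons.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8

# The service account's password is entered interactively rather than stored in the script.
$password = Read-Host -Prompt 'Password for CORP\svc-logcollect'
wecutil cs $path /cun:CORP\svc-logcollect /cup:$password

# Runtime status: shows per source whether the collector connected or what error it hit.
wecutil gr FailedLogons
```

Events arrive in the collector's ForwardedEvents log, which is what the Syslog agent or SIEM connector then reads. The "TransportName HTTP" here is WinRM's default port 5985 with Kerberos authentication inside the domain; the transport can be switched to HTTPS if the sources have WinRM listeners with certificates.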
Monitoring with Pandora FMS
Pandora FMS also offers a very complete way to collect logs on both Windows and Linux, integrating its data into OpenSearch and enabling SIEM correlation.
Collection from Windows
- In text format: for files such as Apache logs or custom services.
- From system events: define filters using module_source (System, Application, Security) and parameters like module_eventtype, module_eventcode and module_application.
Collection from Linux
Modules are used that parse files such as /var/log/messages or /var/log/secure looking for patterns. You can exclude successful HTTP status codes or search using regular expressions.
Integrated Syslog Server
By activating an option in pandora_server.conf, Pandora can receive logs via Syslog directly, using multiple processing threads and a configurable queue.