Documentation forKiwi Syslog Server NG

Deploy the program installer

The Event Log Forwarder for Windows installer is provided as a standard application executable file (.exe) and as a Windows Installer Package file (.msi). The Windows Installer Package file is provided for "silent" deployments using the /quiet switch.

To run the .msi file on the target machine, use the following command syntax: SolarWinds_Event_LogForwarder_<Version>_Setup.msi /quiet

The .msi installer package for Event Log Forwarder for Windows does not include the prerequisites installer, which automatically downloads and installs any required prerequisite software, such as .NET Framework 4.0 from Microsoft. In order to successfully deploy Event Log Forwarder, first ensure that the required software is already installed on your server.

Event Log Forwarder configuration file

Configuration information for Event Log Forward for Windows is contained in a file named LogForwarderSettings.cfg.

The configuration file contains a nest hierarchy of XML tags and subtags that specify the configuration settings. It is located in the installation directory of Event Log Forwarder, usually C:\Program Files (x86)\SolarWinds\SolarWinds Event Log Forwarder for Windows. To deploy the configuration file to a target machine, copy the LogForwarderSettings.cfg file to the Event Log Forwarder for Windows installation directory after the .msi file has been successfully installed.

All configuration information resides between the <LogForwarderSettings> and </LogForwarderSettings> root XML tags. Configuration information between the tags is grouped into two main sections:

Both of the above groups are required.

<?xml version="1.0" encoding="utf-8"?>
<LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:
xsd="http://www.w3.org/2001/XMLSchema">
	<EventLogSubscriptions>
		...
	</EventLogSubscriptions>
	<SyslogServers>
		...
	</SyslogServers>
</LogForwarderSettings>

Example: Declare Event Log Subscriptions

For Event Log Subscriptions, each subscription is declared with an <EventLogSubscription> tag. The following LogForwarder.cfg code snippet declares to Event Log Subscriptions:

<?xml version="1.0" encoding="utf-8"?>
<LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:
xsd="http://www.w3.org/2001/XMLSchema">
	<EventLogSubscriptions>
		<EventLogSubscription>
			<channels>
				<string>Security</string>
			</channels>
			<types>
				<int>1</int>
				<int>2</int>
				<int>4</int>
				<int>8</int>
				<int>16</int>
			</types>
			<sources />
			<eventIDs />
			<categories />
			<keywords />
			<users />
			<computers />
			<facility>4</facility>
			<enabled>true</enabled>
			<name>New Security Event Log Subscription</name>	
			<description>Security Event Log - All Event Types 
(Error, Warning, Information, Audit Success, Audit Failure)</description>
		</EventLogSubscription>
		<EventLogSubscription>
			<channels>
				<string>System</string>
			</channels>
			<types>
				<int>1</int>
				<int>2</int>
				<int>4</int>
			</types>
			<sources />
			<eventIDs />
			<categories />
			<keywords />
			<users />
			<computers />
			<facility>10</facility>
			<enabled>true</enabled>
			<name>New System Event Log Subscription</name>
			<description>Security Event Log - Error, Warning and 
Information Event Types</description>
		</EventLogSubscription>
	</EventLogSubscriptions>
	<SyslogServers>
		...
	</SyslogServers>
</LogForwarderSettings>

Example: Declare syslog servers

For syslog servers, each syslog server is declared with an <Syslog Server> tag. The following LogForwarderSettings.cfg file declares two syslog servers in Log Forwarder.

<?xml version="1.0" encoding="utf-8"?>
<LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:
xsd="http://www.w3.org/2001/XMLSchema">
	<EventLogSubscriptions>
		...
	</EventLogSubscriptions>
	<SyslogServers>
		<SyslogServer>
			<serverName>Syslog Server A</serverName>
			<IPAddress>10.190.2.243</IPAddress>
			<Port>514</Port>
			<enabled>true</enabled>
			<SendMode>0</SendMode>
			<SourceFormat>0</SourceFormat>
		</SyslogServer>
		<SyslogServer>
			<serverName>Syslog Server B</serverName>
			<IPAddress>192.168.1.10</IPAddress>
			<Port>514</Port>
			<enabled>true</enabled>
			<SendMode>0</SendMode>
			<SourceFormat>0</SourceFormat>
		</SyslogServer>
	</SyslogServers>
</LogForwarderSettings>

Event log subscriptions

Each configured event log subscription must include the following tag declarations:

Tag Description
<channels> A list of valid event log channels (e.g. Application, System, Security) that are subscribed to. Each is a subtag of type <string>.
<types>

A list of valid event log types. Each is a subtag of type <int>. Valid values are:

  • 1 - Error
  • 2 - Warning
  • 4 - Information
  • 8 - Audit Success
  • 16 - Audit Failure
<sources> A list of valid event log sources. Each is a subtag of type <string>.
<eventIDs> A list of valid event IDs or event ID ranges. Each is a subtag of type <string>.
<categories> A list of valid event log task categories. Each is a subtag of type <string>.
<keywords> A list of event keywords. Each is a subtag of type <string>.
<users> A list of users on the syslog server. Each is a subtag of type <string>.
<computers> A list of computers monitored by the syslog server. Each is a subtag of type <string>.
<facility> The default syslog facility number to use when generating a syslog message to send. For more information, see Syslog facility numbers.
<enabled>

Enables the event log subscription. Uses TRUE/FALSE syntax.

  • TRUE: the event log subscription is active in Log Forwarder.
  • FALSE: the event log subscription is inactive in Log Forwarder.

Events collected when the even log subscription is enabled are forwarded to the configured syslog servers.

<name> The name of event log subscription.
<description>

The description of the event log subscription.

Syslog facility numbers

A facility number (code) is used to specify the program type logging the syslog message. The list below identifies the default syslog facility numbers to use when generating a syslog message to send to a syslog server.

Facility Code
Kernal (messages) 0
User-level messages 1
Mail system 2
System (daemons) 3
Security / authorization messages 4
Messages generated internally by syslogd 5
Line printer subsystem 6
Network news subsystem 7
Unix-to-Unix Copy Protocol (UUCP) (subsystem) 8
Clock (daemon) 9
Security / authorization messages 10
File Transfer Protocol (FTP) (daemon) 11
Network Time Protocol (NTP) (subsystem) 12
Log (audit) 13
Log (alert) 14
Clock (daemon) 15
Local use 0 (local0) 16
Local use 1 (local1) 17
Local use 2 (local2) 18
Local use 3 (local3) 19
Local use 4 (local4) 20
  • Local use 5 (local5)
  • 21
    Local use 6 (local6) 22
  • Local use 7 (local7)
  • 23

    Syslog server subscription

    Each syslog server must include the following tag declarations.

    Tag Description
    <serverName> The name of the syslog server you are subscribing.
    <IPAddress>

    A valid syslog server IP address, host name, or FQDN.

    IP address must be IPv4 or IPv6.

    <Port> The syslog server port number. Default is 514.
    <enabled>

    Enables the syslog server. Uses TRUE/FALSE syntax.

    • TRUE: the syslog server is active in Log Forwarder.
    • FALSE: the syslog server is inactive in Log Forwarder.

    Events collected are only forwarded to syslog servers that are enabled.

    <SendMode>

    Decides which protocol to use when sending logs:

    • TCP
    • UDP
    • 1- TCP
    • 0- UDP
    <SourceFormat> Decides the server address format as IPv4 or IPv6.

    Sample syslog server subscription

    <?xml version="1.0" encoding="utf-8"?>
    <LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns: 
    xsd="http://www.w3.org/2001/XMLSchema">
    	<EventLogSubscriptions>
    		...
    	</EventLogSubscriptions>
    	<SyslogServers>
    		<SyslogServer>
    			<serverName>Syslog Server A</serverName>
    			<IPAddress>10.190.2.243</IPAddress>
    			<Port>514</Port>
    			<enabled>true</enabled>
    			<SendMode>0</SendMode>
    			<SourceFormat>0</SourceFormat>
    		</SyslogServer>
    		<SyslogServer>
    			<serverName>Syslog Server B</serverName>
    			<IPAddress>192.168.1.10</IPAddress>
    			<Port>514</Port>
    			<enabled>true</enabled>
    			<SendMode>0</SendMode>
    			<SourceFormat>0</SourceFormat>
    		</SyslogServer>
    	</SyslogServers>
    </LogForwarderSettings>