Documentation for Kiwi Syslog Server

Configure Log Forwarder settings

The Event Log Forwarder for Windows Subscriptions and Syslog Server settings are stored in the LogForwarderSettings.cfg configuration file, located in the product installation directory: \Program Files (x86)\SolarWinds\SolarWinds Event Log Forwarder for Windows. The configuration file uses XML markup language.

You can make changes to Subscription or Syslog Server settings in this configuration file, or from the Log Forwarder user interface. When a change is saved in the user interface, the configuration file is updated and the Log Forwarder service re-initializes to pick up the changes immediately.

EventLogSubscriptions

Edit the details of an event log subscription used by Log Forwarder. Each subscription is contained under an individual <EventLogSubscription> element. You can configure the event type, event sources, event IDs, tasks, and so on, for specific subscriptions.

Element Description
<channels>
  • Channels monitored by the subscription, for example, System or Windows PowerShell.
  • Each channel must be entered on an individual <string> child-element.
  • Example:
    <channels>
      <string>Application</string>
      <string>Microsoft-Windows-Application Server-Applications/Admin</string>
    </channels>

<types>
  • The event type logged by the subscription.
  • The event type is indicated by an integer. Each type must be entered on an individual <int> child-element.
    • 1 = Error
    • 2 = Warning
    • 4 = Information
    • 8 = Audit success
    • 16 = Audit failure
  • Example (Error and Warning events):
    <types>
      <int>1</int>
      <int>2</int>
    </types>

<sources>
  • Event source (the application or component that logged the event) the subscription filters by.
  • Each source must be entered on an individual <string> child-element.
  • To indicate that all sources should be used, leave the <sources> element empty.
<eventIDs>
  • Event IDs to include or exclude. To exclude an event, type a minus sign before its ID. For example, the IDs 1, -3, 5 include events 1 and 5 and exclude event 3.
  • Each event ID must be entered on an individual <string> child-element.
<categories>
  • Task category of the event.
  • Each task category must be entered on an individual <string> child-element.
  • To indicate that all task categories should be used, leave the <categories> element empty.
<keywords>
  • Keywords used by the event subscription filter. Event Log Forwarder has specific pre-configured keywords that must be used.
  • Each keyword must be entered on an individual <string> child-element.
  • To indicate that all keywords should be used, leave the <keywords> element empty.
<users>
  • User types used by the event subscription filter. For example: Admin, System, Local
  • Each user must be entered on an individual <string> child-element.
<computers>
  • Name of the device the event subscription filters by. For example: AdminMachine, Workstation05
  • Each computer must be entered on an individual <string> child-element.
<facility>
  • Default syslog facility for the event subscription.
  • The facility is given as an integer, using the standard syslog facility codes:
    • 0 = Kernel messages
    • 1 = User-level messages
    • 2 = Mail system
    • 3 = System daemons
    • 4 = Security/authorization messages
    • 5 = Messages generated internally by syslogd
    • 6 = Line printer subsystem
    • 7 = Network news subsystem
    • 8 = UUCP subsystem
    • 9 = Clock daemon
    • 10 = Security/authorization messages
    • 11 = FTP daemon
    • 12 = NTP subsystem
    • 13 = Log audit
    • 14 = Log alert
    • 15 = Clock daemon
    • 16 = Local use 0 (local0)
    • 17 = Local use 1 (local1)
    • 18 = Local use 2 (local2)
    • 19 = Local use 3 (local3)
    • 20 = Local use 4 (local4)
    • 21 = Local use 5 (local5)
    • 22 = Local use 6 (local6)
    • 23 = Local use 7 (local7)
  • Example:
  • <facility>0</facility>

<enabled>
  • True/false boolean that determines if the configured event subscription is active.
  • Corresponds to the Enable/Disable button on the Subscriptions tab.
  • Example:
  • <enabled>true</enabled>

<name>
  • Name of the configured event subscription.
  • Example:
  • <name>New Event Log Subscription</name>

<HidePreview>
  • Controls whether the "preview of matching events" pane in the event subscription configuration window is hidden. 0 shows the preview; 1 hides it.
  • When shown, the preview pane lists the records that match the event subscription criteria.
  • Example:
  • <HidePreview>0</HidePreview>
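To see how the subscription elements above combine into one filter, here is an added Python example that parses <EventLogSubscription> elements, sanity-checks their <types> and <facility> values, and decides which constructed sample events each subscription would forward. This is example code written for this page, not SolarWinds code. It assumes a LogForwarderSettings root element (the page does not show the root), that an empty filter element means "match all" (stated above for sources, categories and keywords, and assumed here for eventIDs as well), and that an event is forwarded only if it passes every populated filter of an enabled subscription. The sample configuration and events are constructed.

```python
"""Parse Log Forwarder <EventLogSubscription> filters and test events against them.
Added example, not SolarWinds code. Assumed: a LogForwarderSettings root, an empty
filter element means "match all", and an event must pass every populated filter
of an enabled subscription to be forwarded."""
import xml.etree.ElementTree as ET

EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit success", 16: "Audit failure"}

# Constructed sample configuration; the root element name is an assumption.
SAMPLE_CFG = """<LogForwarderSettings>
  <EventLogSubscriptions>
    <EventLogSubscription>
      <channels><string>Security</string></channels>
      <types><int>8</int><int>16</int></types>
      <sources></sources>
      <eventIDs><string>4624</string><string>4625</string><string>-4634</string></eventIDs>
      <facility>10</facility>
      <enabled>true</enabled>
      <name>Logon auditing</name>
    </EventLogSubscription>
    <EventLogSubscription>
      <channels><string>Application</string></channels>
      <types><int>1</int></types>
      <sources><string>MSSQLSERVER</string></sources>
      <eventIDs></eventIDs>
      <facility>24</facility>
      <enabled>false</enabled>
      <name>SQL errors</name>
    </EventLogSubscription>
  </EventLogSubscriptions>
</LogForwarderSettings>
"""

# Constructed sample events (channel, type, source, event ID).
SAMPLE_EVENTS = [
    {"channel": "Security", "type": 8, "source": "Microsoft-Windows-Security-Auditing", "id": 4624},
    {"channel": "Security", "type": 8, "source": "Microsoft-Windows-Security-Auditing", "id": 4634},
    {"channel": "Security", "type": 16, "source": "Microsoft-Windows-Security-Auditing", "id": 4625},
    {"channel": "Application", "type": 1, "source": "MSSQLSERVER", "id": 17061},
]

def _strings(sub, tag):
    """Text of the <string> children of sub/<tag>; an empty list means no filter."""
    return [s.text.strip() for s in sub.iterfind(f"{tag}/string") if s.text and s.text.strip()]

def parse_subscription(sub):
    """Turn one <EventLogSubscription> element into a dict of filter sets."""
    include, exclude = set(), set()
    for raw in _strings(sub, "eventIDs"):
        eid = int(raw)  # a leading minus sign ("-4634") marks an excluded ID
        (exclude if eid < 0 else include).add(abs(eid))
    return {
        "name": (sub.findtext("name") or "").strip(),
        "enabled": (sub.findtext("enabled") or "").strip().lower() == "true",
        "channels": set(_strings(sub, "channels")),
        "types": {int(i.text) for i in sub.iterfind("types/int")},
        "sources": set(_strings(sub, "sources")),
        "include_ids": include,
        "exclude_ids": exclude,
        "facility": int(sub.findtext("facility") or -1),
    }

def load_subscriptions(xml_text):
    """All <EventLogSubscription> elements in the file, parsed."""
    return [parse_subscription(s) for s in ET.fromstring(xml_text).iter("EventLogSubscription")]

def validate(sub):
    """Sanity checks on one parsed subscription; returns a list of problem strings."""
    problems = []
    if sub["types"] - set(EVENT_TYPES):
        problems.append(f"unknown event type(s) {sorted(sub['types'] - set(EVENT_TYPES))}")
    if not 0 <= sub["facility"] <= 23:
        problems.append(f"facility {sub['facility']} outside 0-23")
    return problems

def matches(sub, event):
    """True if the subscription would forward the event under the assumed semantics."""
    if not sub["enabled"] or event["channel"] not in sub["channels"]:
        return False
    if sub["types"] and event["type"] not in sub["types"]:
        return False
    if sub["sources"] and event["source"] not in sub["sources"]:
        return False
    if event["id"] in sub["exclude_ids"]:
        return False
    return not sub["include_ids"] or event["id"] in sub["include_ids"]

def forwarded(xml_text, events):
    """For each event, the names of the subscriptions that would forward it."""
    subs = load_subscriptions(xml_text)
    return [[s["name"] for s in subs if matches(s, e)] for e in events]

if __name__ == "__main__":
    for sub in load_subscriptions(SAMPLE_CFG):
        print(f"{sub['name']}: enabled={sub['enabled']} problems={validate(sub) or 'none'}")
    for ev, names in zip(SAMPLE_EVENTS, forwarded(SAMPLE_CFG, SAMPLE_EVENTS)):
        print(f"{ev['channel']} {ev['id']} -> {names or 'dropped'}")
```

Run against a real LogForwarderSettings.cfg by replacing SAMPLE_CFG with the file contents. In the sample, logon event 4634 is dropped because of the -4634 exclusion, the MSSQLSERVER error is dropped because its subscription is disabled, and the second subscription is flagged for a facility of 24, which is outside the 0 to 23 range listed above.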

SyslogServers

Edit the details of a syslog server used by Log Forwarder. Each syslog server is contained under an individual <SyslogServer> element. You can configure the server name, IP address, port, and so on, for specific syslog servers.

Element Description
<enabled>
  • True/false boolean that determines if the configured syslog server is active.
  • Corresponds to the Enable/Disable button on the Syslog Server tab in Log Forwarder.
  • Example:
  • <enabled>true</enabled>

<SendMode>
  • Transport protocol Log Forwarder uses to send messages to the syslog server. UDP sends without acknowledgement, so lost messages are not detected; TCP gives a connection-level delivery check.
  • The protocol is indicated by an integer.
    • 0 = UDP
    • 1 = TCP
  • Example:
  • <SendMode>0</SendMode>

<SourceFormat>
  • Format of the address used to reach the syslog server.
  • The source format is indicated by an integer.
    • 0 = IPv4
    • 1 = IPv6
    • 2 = FQDN
    • 3 = Host name
  • Example:
  • <SourceFormat>0</SourceFormat>