Shipping Windows Logs

If you are not familiar with syslog, here are a few options to getting your logs to Graylog.


Graylog Sidecar

Graylog Sidecar is an extension to Graylog and can essentially perform processing on logs before shipping them over to the central Graylog. This can help your Graylog instance in freeing up processing in extracting fields for incoming messages. For more information, follow the link below.


NXLog has been around for a while and is still quite useful. It is very easy to set up, and configure, but NXLog must be installed on each server that is set to forward logs. You can either manually do this or deploy through a script/package can be a pain if you ever want to change configurations globally on your NXLog configuration. In a Windows environment, there is an even better solution built into Windows called Windows Event Forwarding.


Windows Event Forwarding

This feature in Windows is quite useful as you can create specific subscriptions for all of your servers through Group Policy and have those servers send only the specific logs that you want to see. For instance, if you only want to Event ID 4720, new user created,  you can customize your WEF instance to direct all the servers in the GPO to only send that one specific log instead of having to configure that on each server using NXLog. We will go into further detail below.