Running Syslog-NG on Windows
This post describes running syslog-ng as a server on Windows. In another post, we describe how to send Windows Event Logs to syslog.
There are many great commercial syslog servers for Windows, but not many options for those looking for a free alternative. One option is Aonaware. Another option is to install syslog-ng through Cygwin. Cygwin is a Linux-like environment that runs inside a Windows command shell, and it runs on all current desktop and server versions of Windows. In this post, we will walk through setting up syslog-ng on a Windows host.
- First, visit the Cygwin website to download the setup.exe application. Save, then run setup.exe.
- Choose “Install From Internet”.
- Select the directory to install into and the user to install for (leave this as “all users”).
- Enter the directory for local packages. Accepting the default location is fine.
- Choose your Internet connection type (direct or proxy).
- Select a site to download from. Any one should be fine.
- At the “install packages” window, type “syslog” in the search box. You will see “Admin” below. Expand the Admin section, and you will see syslog-ng. Click the word “skip” until you see 3.0.1 (or whatever the latest supported version is).
- Also choose the following packages:
  - Admin/cygrunsrv
  - Editors/VIM
  - Gnome/glib
- Finish the installation.
Now, launch the Cygwin shell from the Start menu. Be sure to right-click and choose “Run as administrator”. First, run the command “/bin/syslog-ng-config” to create the config file. Answer “yes” to the question about installing syslog-ng as a service.
We can now edit and customize the syslog-ng config file, located at /etc/syslog-ng.conf. By default, the config contains the following:
$ less /etc/syslog-ng.conf
@version: 3.0
options {
    keep_hostname(yes);
    owner("system");
    group("root");
    perm(0664);
    flush_lines(0);
};
source applications {
    unix-dgram("/dev/log");
    internal();
};
source kernel {
    file("/dev/kmsg", program_override("kernel: "));
};
destination messages {
    file("/var/log/messages");
};
log {
    source(applications); destination(messages);
};
log {
    source(kernel);
    destination(messages);
};
A new service called “CYGWIN syslog-ng” is now registered in Windows and appears in the list of services in the Windows control panel. To start the syslog-ng service from the cygwin command line, run the following command:
cygrunsrv -S syslog-ng
Now, we have a fully functional instance of syslog-ng running on our Windows system.
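The default config above only collects messages generated inside Cygwin itself. As an added example (not from the original post), the following /etc/syslog-ng.conf also listens for remote hosts and writes one file tree per sending IP address, which is the per-host layout asked about in the comments; port 514, the /var/log/remote path, the 100-connection limit and the auth filter are assumptions for this example.

```conf
@version: 3.0

options {
    keep_hostname(yes);
    use_dns(no);          # never resolve client addresses; file names use the raw IP
    owner("system");
    group("root");
    perm(0640);           # log files readable by the owner and group only
    create_dirs(yes);     # let syslog-ng create /var/log/remote/<ip>/ on demand
    dir_perm(0750);
    flush_lines(0);
};

# Cygwin-local messages, exactly as in the default config
source applications {
    unix-dgram("/dev/log");
    internal();
};

# Added: remote hosts speaking classic syslog over UDP and TCP (assumed port 514)
source s_network {
    udp(ip("0.0.0.0") port(514));
    tcp(ip("0.0.0.0") port(514) max-connections(100));
};

destination messages {
    file("/var/log/messages");
};

# One directory per sender, one file per day (assumed path layout)
destination d_per_host {
    file("/var/log/remote/${SOURCEIP}/${YEAR}-${MONTH}-${DAY}.log");
};

# Authentication-related messages from any sender are also copied to one file
filter f_auth { facility(auth, authpriv); };
destination d_auth {
    file("/var/log/remote/auth.log");
};

log { source(applications); destination(messages); };
log { source(s_network); destination(d_per_host); };
log { source(s_network); filter(f_auth); destination(d_auth); };
```

After saving the file, restart the service with cygrunsrv -E syslog-ng followed by cygrunsrv -S syslog-ng, and allow inbound UDP/TCP 514 to the service through Windows Firewall.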

Out of curiosity, do you have any idea what kind of performance hit the cygwin layer takes out of syslog-ng?
I don’t have anything concrete, but I will say that cygwin appears to be quite lightweight and I’d be surprised if it had a big impact.
Question:
Why not use the free Kiwi syslog server?
What is a good way to view/filter the log files produced by syslog-ng on Windows 7?
The free Kiwi syslog server is limited in a lot of respects. I would like logs based on host IP and that is not possible with the free Kiwi. You can purchase the registered version to get that functionality (starting at 200 euro where I am).
I need the spoof_source option to work on Windows. I have compiled it from sources, but I have a problem with modules (DLL). Any idea or step-by-step?
Thanks
[...] Splunk free version will definitely not work for me. I am currently looking into Syslog-ng (running on windows) and Snare Audit and EventLog Management. Maybe I can get something to work for me. Sure wish this [...]
Hi, I have installed syslog-ng on Windows and configured it. I have an issue when writing the log. For some reason it duplicates and writes it 3 times for a single event/entry. syslog-ng.conf looks OK.
Please advise.
syslog-ng.conf:
===============
@version: 3.0
options {
    keep_hostname(yes);
    owner("SYSTEM");
    group("root");
    perm(0777);          # world-writable log files; 0640 is the usual choice
    flush_lines(0);
    chain_hostnames(no);
};
source applications {
    unix-dgram("/dev/log");
    internal();
};
source kernel {
    file("/dev/kmsg", program_override("kernel: "));
};
destination messages {
    file("/var/log/messages");
};
log {
    source(applications);
    destination(messages);
};
log {
    source(kernel);
    destination(messages);
};
# ESB Application Logging
source s_tcp {
    tcp(port(8302) keep-alive(yes) max-connections(1000));
};
template t_filetmpl {
    # one CSV record per message, terminated by an escaped newline
    template("${S_ISODATE},${SOURCEIP},${PRIORITY},${PID},${MSGONLY}\n");
    template_escape(no);
};
destination dp_app_audit_messages {
    file("/var/syslog-ng/ESB/DataPower/AppAudit/DPAudit${S_YEAR}-${S_MONTH}-${S_DAY}T${S_HOUR}.log"
        owner("L040281") group("root") perm(0777)
        template(t_filetmpl));
};
destination dp_sys_error_messages {
    file("/var/syslog-ng/ESB/DataPower/SysError/DPSysError${S_YEAR}-${S_MONTH}-${S_DAY}T${S_HOUR}.log"
        owner("L040281") group("root") perm(0777)
        template(t_filetmpl));
};
destination dp_app_error_messages {
    file("/var/syslog-ng/ESB/DataPower/AppError/DPAppError${S_YEAR}-${S_MONTH}-${S_DAY}T${S_HOUR}.log"
        owner("L040281") group("root") perm(0777)
        template(t_filetmpl));
};
filter f_dp_app_audit {
    facility(local0) and
    host("ESBDPAppAudit");
};
filter f_dp_sys_error {
    facility(local0) and
    host("ESBDPSysError");
};
filter f_dp_app_error {
    facility(local0) and
    host("ESBDPAppError");
};
log {
    source(s_tcp);
    filter(f_dp_app_audit);
    destination(dp_app_audit_messages);
};
log {
    source(s_tcp);
    filter(f_dp_sys_error);
    destination(dp_sys_error_messages);
};
log {
    source(s_tcp);
    filter(f_dp_app_error);
    destination(dp_app_error_messages);
};
Output.log:
,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,1234,MVC0152,v01,XMLv01,{93bc8fd2-8616-4439-a697-ba7631db7e14},,2374,853,V1=49,340,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02,MVCAudit_DEV,notice,10.126.11.572011-12-13T17:39:39+11:00
,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,1234,MVC0152,v01,XMLv01,{93bc8fd2-8616-4439-a697-ba7631db7e14},,2374,853,V1=49,340,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02,MVCAudit_DEV,notice,10.126.11.572011-12-13T17:39:39+11:002011-12-13T17:39:39+11:00,10.126.11.57,notice,MVCAudit_DEV,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,1234,MVC0152,v01,XMLv01,{93bc8fd2-8616-4439-a697-ba7631db7e14},,2374,853,V1=49,340,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02
2011-12-13T17:39:39+11:00,10.126.11.57,notice,MVCAudit_DEV,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,1234,MVC0152,v01,XMLv01,{93bc8fd2-8616-4439-a697-ba7631db7e14},,2374,853,V1=49,340,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02
,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,SVC0247,v1,ConditionalRoutev01,{93bc8fd2-8616-4439-a697-ba7631db7e14},476,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02,SVCAudit_DEV,notice,10.126.11.572011-12-13T17:39:39+11:00
,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,SVC0247,v1,ConditionalRoutev01,{93bc8fd2-8616-4439-a697-ba7631db7e14},476,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02,SVCAudit_DEV,notice,10.126.11.572011-12-13T17:39:39+11:002011-12-13T17:39:39+11:00,10.126.11.57,notice,SVCAudit_DEV,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,SVC0247,v1,ConditionalRoutev01,{93bc8fd2-8616-4439-a697-ba7631db7e14},476,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02
2011-12-13T17:39:39+11:00,10.126.11.57,notice,SVCAudit_DEV,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,SVC0247,v1,ConditionalRoutev01,{93bc8fd2-8616-4439-a697-ba7631db7e14},476,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02
,[notice] wsgw(ESBGatewayEPS01): trans(5904691)[response][10.126.11.125]: Completed,127.0.0.1:8039,SVC0247,v1,{93bc8fd2-8616-4439-a697-ba7631db7e14},{93bc8fd2-8616-4439-a697-ba7631db7e14},WPAC,,,VO-001,,BSB=032073,2335,2787,507,ESB2_ServiceProfile,Web Service Proxy,ESBGatewayEPS01,GWYAudit_DEV,notice,10.126.11.572011-12-13T17:39:39+11:00
,[notice] wsgw(ESBGatewayEPS01): trans(5904691)[response][10.126.11.125]: Completed,127.0.0.1:8039,SVC0247,v1,{93bc8fd2-8616-4439-a697-ba7631db7e14},{93bc8fd2-8616-4439-a697-ba7631db7e14},WPAC,,,VO-001,,BSB=032073,2335,2787,507,ESB2_ServiceProfile,Web Service Proxy,ESBGatewayEPS01,GWYAudit_DEV,notice,10.126.11.572011-12-13T17:39:39+11:002011-12-13T17:39:39+11:00,10.126.11.57,notice,GWYAudit_DEV,[notice] wsgw(ESBGatewayEPS01): trans(5904691)[response][10.126.11.125]: Completed,127.0.0.1:8039,SVC0247,v1,{93bc8fd2-8616-4439-a697-ba7631db7e14},{93bc8fd2-8616-4439-a697-ba7631db7e14},WPAC,,,VO-001,,BSB=032073,2335,2787,507,ESB2_ServiceProfile,Web Service Proxy,ESBGatewayEPS01
2011-12-13T17:39:39+11:00,10.126.11.57,notice,GWYAudit_DEV,[notice] wsgw(ESBGatewayEPS01): trans(5904691)[response][10.126.11.125]: Completed,127.0.0.1:8039,SVC0247,v1,{93bc8fd2-8616-4439-a697-ba7631db7e14},{93bc8fd2-8616-4439-a697-ba7631db7e14},WPAC,,,VO-001,,BSB=032073,2335,2787,507,ESB2_ServiceProfile,Web Service Proxy,ESBGatewayEPS01
Expected output in the log is:
2011-12-13T17:39:39+11:00,10.126.11.57,notice,MVCAudit_DEV,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,1234,MVC0152,v01,XMLv01,{93bc8fd2-8616-4439-a697-ba7631db7e14},,2374,853,V1=49,340,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02
2011-12-13T17:39:39+11:00,10.126.11.57,notice,SVCAudit_DEV,[notice] mpgw(ServiceRouter02): trans(5626754)[response]: Completed,SVC0247,v1,ConditionalRoutev01,{93bc8fd2-8616-4439-a697-ba7631db7e14},476,ESB2_ServiceProfile,Multiprotocol Gateway,ServiceRouter02
2011-12-13T17:39:39+11:00,10.126.11.57,notice,GWYAudit_DEV,[notice] wsgw(ESBGatewayEPS01): trans(5904691)[response][10.126.11.125]: Completed,127.0.0.1:8039,SVC0247,v1,{93bc8fd2-8616-4439-a697-ba7631db7e14},{93bc8fd2-8616-4439-a697-ba7631db7e14},WPAC,,,VO-001,,BSB=032073,2335,2787,507,ESB2_ServiceProfile,Web Service Proxy,ESBGatewayEPS01
I have done all of the above but I am getting the error “/bin/syslog-ng-config: line 176: cygrunsrv: command not found” after I run the /bin/syslog-ng-config command. Can someone tell me what this error is?