Nothing fancy here: just a quick note on directing Windows event logs and select application logs to a remote syslog server.

For a Unix admin, searching Windows logs is a frustrating experience. Just looking at the event viewer GUI hurts my eyes. One option is to redirect those logs to a Unix-based remote syslog collector.

Download and install Nxlog version appropriate for your OS here. Download the nxlog.conf here and edit a couple of things:

# Replace
define ROOT C:\Program Files (x86)\nxlog
# with where nxlog is actually installed

# Replace 
Module om_udp
Host 192.168.122.137
Port 514
# with the correct Protocol/IP/port of your rsyslog server

# Replace the <Input watchfile> and <Input watchfile2> 
# entries with the actual application log files you want
# to monitor.

When done editing nxlog.conf, don’t forget to restart the nxlog service from the Services control panel.

It is easier to find the application logs of interest by using the Linux subsystem for Windows. I have Kali Linux installed. Type this command in the terminal window to locate recently-modified application *.log files.

find "/mnt/c/Program Files"* -type f -name "*.log" -mtime -30 2>/dev/null | sed -e 's@/mnt/@@g' -e 's@^c@C:@g' -e 's@\/@\\@g'

Then use these paths to add new <Input_watchfile#> sections to the nxlog.conf file. Once again, don’t forget to restart the nxlog service after editing the config file.

On your rsyslog server you will then be able to see stuff like:

Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: Successfully completed the Group Policy Service initialization phase.
Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: The Group Policy Client service is currently configured as a shared service.
Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: Initializing and reading current service configuration for the Group Policy Client service.
Jun 12 20:23:04 DESKTOP-GKM9S09 Microsoft-Windows-GroupPolicy[14232]: Initializing service instance state to detect previous instances of the service.