Way to centralize Windows event log viewing? (self.sysadmin)
submitted 5 months ago by spiralsmurf (Windows Admin)
Is there a way to centralize the Windows event log viewing onto a single server? I'm not referring to opening event viewer and connecting to different servers, but actually having them ship logs to a central machine much like syslog.
[–]Blahbl4hblah 7 points 5 months ago
windows server 2k8+ can centralize eventlogs with "event forwarding"
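As an added example (not posted by anyone in this thread), here is what the collector side of "event forwarding" looks like in practice: a source-initiated subscription on a Windows Server 2008+ collector that pulls a few security-relevant Security-log events from domain members into the local ForwardedEvents log, with a helper that summarises what has arrived. The subscription name, the event selection and the retention size are constructed placeholders; `wecutil`, `winrm`, `wevtutil` and `Get-WinEvent` are standard Windows tools. Source machines still need Group Policy to point them at this collector ("Configure target Subscription Manager" under Event Forwarding) and, to read the Security log, NETWORK SERVICE added to their local Event Log Readers group; that part is not shown here.

```powershell
# Added example, not from the original thread. Run in an elevated prompt on the
# collector (Windows Server 2008 or later). Names below are constructed.

$SubscriptionId = 'Security-Logons'   # constructed subscription name
# SDDL granting Domain Computers (DC) and Domain Controllers (DD) the right to forward
$AllowedSources = 'O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)'

# 1. Enable the Windows Event Collector service and a WinRM listener.
wecutil qc /q
winrm quickconfig -q

# 2. Describe the subscription. SourceInitiated means clients push over WinRM
#    once Group Policy names this collector; the collector never needs
#    credentials on the sources, which is the least-privilege option.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, privilege and log-clearing events from domain members</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=1102)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>$AllowedSources</AllowedSourceDomainComputers>
</Subscription>
"@

# 3. Register it and check which sources have checked in.
$xmlPath = Join-Path $env:TEMP "$SubscriptionId.xml"
$subscriptionXml | Set-Content -Path $xmlPath -Encoding UTF8
wecutil cs $xmlPath
wecutil gr $SubscriptionId      # runtime status per source computer

# 4. Forwarded events are copies; the originals stay on each source. Retention
#    on the collector is just the ForwardedEvents log size (1 GiB here, constructed).
wevtutil sl ForwardedEvents /ms:1073741824

# 5. Query the central copy, e.g. failed logons per source host in the last day.
function Get-ForwardedLogonFailures {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'ForwardedEvents'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Group-Object MachineName |
        Sort-Object Count -Descending |
        Select-Object Name, Count
}

Get-ForwardedLogonFailures -Hours 24
```

The `Query` block is an ordinary event-viewer XPath filter, so it can be tested first in Event Viewer's "Filter Current Log > XML" tab before committing it to the subscription. `wecutil gr` is the first thing to check when a source is silent: it lists each source's last heartbeat and any WinRM error.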
[–]Fart_and_Dart 1 point 5 months ago
Indeedy. I do this! :) Need 2k8 mind as the collector I think. I didn't know until just now, but I think XP clients and Windows 2k3 Servers can be subscribed to.
http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx
[–]spiralsmurf (Windows Admin) [S] 1 point 5 months ago
Yes, there is an update for xp/03 that will let them forward. I just set this up for a small client, but I am going to try Splunk for a larger client with 25+ servers.
[–]darksim905 (Hot Spare Windows Sysadmin) 1 point 5 months ago
When you forward the events, do the events stay on that machine, or get pushed/parsed to the server? Can you delete the events after a certain amount of time/after viewing? That would be pimp.
[–]5y5tem5 2 points 5 months ago
These may be of interest.
http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx
http://www.avecto.com/documents/solution-guides/EventCentralization.pdf
[–][deleted] 5 months ago
[deleted]
[–]da7rutrak 3 points 5 months ago
Much, much love for Splunk.
Oh Splunk, free shirts if you just ask at conventions. Because ninjas are too busy :)
[–]JerkyChew 2 points 5 months ago
You don't need an agent, you can get all the event logs via remote WMI, although I believe if you go that route Splunk needs to run as a domain admin.
[–]kordless 5 points 5 months ago
Use Snare (http://www.intersectalliance.com/projects/BackLogNT/) to ship them off to a centralized syslog server you set up or a service like Loggly. Solarwinds also writes a syslog server for Windows, which could be used instead of a Linux based syslog destination.
[–]CanDivideByZero (shutdowning) 0 points 5 months ago
GFI events Manager. It's not free though.
http://www.gfi.com/eventsmanager
[–]AlmostPerson 1 point 5 months ago
EventSentry works nice and has a Web interface to view. Can also send email alerts for specific events.
[–]whateverradar 1 point 5 months ago
Kiwi Syslog Server. http://www.kiwisyslog.com/kiwi-syslog-server-overview/
I love it.
[–]spiralsmurf (Windows Admin) [S] 0 points 5 months ago
nvm, found this http://windowsecurity.com/articles/Centralized-Auditing-here-FREE.html
Unless you guys have a better suggestion.