Configuring SNARE to capture Windows Event logs


Kiwi Syslog Daemon is unable to natively read the Windows event logs.

If you want to collect information from the Windows event logs, you will need a third-party application. For this purpose, we recommend Snare Agent for Windows, which is freely available from: http://www.intersectalliance.com/projects/SnareWindows/index.html

Snare converts the Windows Event logs into syslog messages which can then be sent to Kiwi Syslog Daemon. At this point, messages can be handled in the normal way, logging to a text file, or a database of your choice.

If you want to capture Windows user logon/logoff events, they must first be written to the Windows event logs, which requires audit policy to be enabled. Have a look at the following examples of how to enable logon/logoff auditing, at: http://support.microsoft.com/kb/300549
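Once the events are being forwarded, it helps to know what a Snare message looks like when it arrives at Kiwi Syslog Daemon, for instance when you want to parse it before writing it to a database. The following is an added example, not code from the Kiwi or Snare documentation. It assumes the tab-delimited "MSWinEventLog" layout that the Snare agent for Windows uses (hostname, the MSWinEventLog tag, criticality, log name, counter, date/time, event ID, source, user, SID type, event log type, computer, category, data string, expanded message); check the field order against a message from your own agent. The sample message is constructed, and the event IDs are the Windows 2000/XP/2003 logon/logoff IDs (528, 540, 538) that the Microsoft article above concerns, plus their Vista and later equivalents (4624, 4634).

```powershell
# Added example: split a Snare "MSWinEventLog" syslog message into named fields
# and flag logon/logoff events.
# ASSUMPTION: the field order below is the Snare for Windows tab-delimited layout;
# verify it against a real message from your agent before relying on it.

# Constructed sample, in the shape Snare sends over UDP ("<13>" is the syslog PRI).
$sample = "<13>WKS01`tMSWinEventLog`t1`tSecurity`t42`tThu Sep 07 14:56:12 2006`t528`tSecurity`tDOMAIN\alice`tUser`tSuccess Audit`tWKS01`tLogon/Logoff`tSuccessful Logon: User Name: alice Domain: DOMAIN Logon Type: 2`t`t"

$fieldNames = @('Hostname','Tag','Criticality','LogName','Counter','DateTime','EventID',
                'SourceName','UserName','SIDType','EventLogType','ComputerName',
                'Category','Data','ExpandedString')

# Windows 2000/XP/2003 IDs (as in the Microsoft article) plus Vista+ equivalents.
$logonIds  = @('528','540','4624')
$logoffIds = @('538','4634')

function ConvertFrom-SnareMessage {
    param([Parameter(Mandatory)][string]$Message)

    # Drop the syslog "<n>" priority prefix, then split on tabs.
    $body  = $Message -replace '^<\d+>', ''
    $parts = $body -split "`t"
    if ($parts.Count -lt 2 -or $parts[1] -ne 'MSWinEventLog') {
        throw "Not a Snare MSWinEventLog message"
    }

    $record = [ordered]@{}
    for ($i = 0; $i -lt $fieldNames.Count -and $i -lt $parts.Count; $i++) {
        $record[$fieldNames[$i]] = $parts[$i]
    }
    $obj = [pscustomobject]$record

    # Classify the event so logon/logoff lines can be routed or filtered in Kiwi.
    $kind = switch ($obj.EventID) {
        { $logonIds  -contains $_ } { 'Logon';  break }
        { $logoffIds -contains $_ } { 'Logoff'; break }
        default                     { 'Other' }
    }
    $obj | Add-Member -MemberType NoteProperty -Name SessionEvent -Value $kind -PassThru
}

ConvertFrom-SnareMessage $sample |
    Select-Object Hostname, DateTime, EventID, SessionEvent, UserName, EventLogType |
    Format-List
```

The `SessionEvent` property is what you would key a Kiwi filter or a database column on; the raw `ExpandedString` field keeps the full Windows message text for forensic use.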



Once you have downloaded and installed Snare Agent for Windows, you will need to configure it. From the default window, select 'Network Configuration'.

1. In the field 'Destination Snare Server address', specify the IP address of the system on which Kiwi Syslog Daemon is installed.
2. The 'Destination Port' needs to be 514, the default syslog port (UDP 514), on which Kiwi Syslog Daemon listens for syslog messages.
 
An example of the Snare Network Configuration is shown below (screenshot: Snare Network Configuration window with the Kiwi Syslog Daemon address as destination and port 514).

Once you have pressed the 'Change Configuration' button, we recommend that you restart the Snare service via the Windows Services Control Panel applet, to ensure the changes are read correctly.

You will also need to ensure that the port Kiwi Syslog Daemon listens on (514) is not blocked by the Windows firewall on the Kiwi Syslog Daemon system, or by any firewall between the two hosts. Because syslog over UDP carries no authentication, restrict the inbound rule to the addresses of your Snare hosts rather than opening port 514 to all sources.
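The steps above (enable auditing, point Snare at the Kiwi host, restart the Snare service, open the firewall) can be scripted from an elevated PowerShell prompt. The following is an added example and not part of the Kiwi or Snare documentation. It assumes the Snare service is registered under the name 'Snare', that the Kiwi Syslog Daemon host is 192.0.2.10 and the Snare hosts are on 192.0.2.0/24, that Kiwi is listening on the syslog default UDP 514, and that the Snare host runs Vista/2008 or later (the `auditpol` step; on Windows 2000 use the Local Security Policy route from the Microsoft article above). The `netsh` firewall command runs on the Kiwi host; the rest runs on each Snare host. Adjust the addresses and service name for your environment.

```powershell
# Added example (not from the Kiwi or Snare documentation).
# ASSUMPTIONS: Snare service name 'Snare'; Kiwi host 192.0.2.10; agents on
# 192.0.2.0/24; Kiwi listening on UDP 514. Run elevated.

$KiwiHost    = '192.0.2.10'
$SyslogPort  = 514
$AgentSubnet = '192.0.2.0/24'

# --- On the Kiwi Syslog Daemon host ---
# Allow inbound UDP 514, but only from the Snare agents' subnet, not from anywhere.
netsh advfirewall firewall add rule "name=Syslog from Snare agents" dir=in action=allow `
    protocol=UDP "localport=$SyslogPort" "remoteip=$AgentSubnet"

# --- On each Windows host running Snare ---
# 1. Make sure logon/logoff events are actually written to the Security log.
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff"

# 2. After saving the Snare network configuration, restart the service so it is re-read.
Restart-Service -Name 'Snare' -ErrorAction Stop
Get-Service -Name 'Snare' | Select-Object Name, Status

# 3. Send one marker datagram to Kiwi so you can confirm the path (routing, firewall,
#    listener) works before waiting for a real Windows event to be forwarded.
#    This is a plain test line, not a Snare-format message.
function Send-TestSyslog {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 514,
        [Parameter(Mandatory)][string]$Text
    )
    # PRI 14 = facility user (1) * 8 + severity informational (6)
    $payload = [System.Text.Encoding]::ASCII.GetBytes("<14>$($env:COMPUTERNAME) SnareTest: $Text")
    $udp = New-Object System.Net.Sockets.UdpClient
    try     { [void]$udp.Send($payload, $payload.Length, $Server, $Port) }
    finally { $udp.Close() }
}
Send-TestSyslog -Server $KiwiHost -Port $SyslogPort -Text "test from $env:COMPUTERNAME"
```

If the marker line appears in the Kiwi Syslog Daemon display but no Windows events follow, the network path is fine and the problem is on the Snare side (service not restarted, objectives not matching the events, or auditing not enabled); if the marker line never arrives, look at the firewall rule and the listening port first.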

If you have any issues receiving syslog messages, have a look at the following article in our Knowledge Base: http://www.kiwisyslog.com/kb/info:-kiwi-syslog-daemon-is-not-receiving-messages/