I'm trying to remotely access Windows log files from Linux. So far I've found two different approaches.
- Install a syslog server on the Windows machine and let Windows send log files to Linux, then read those files
- Remotely access log files with a WMI implementation for Linux.
Does anyone know about limitations for those two approaches before I dive into implementation?
3 Answers
My gut feeling is that your second route will be the easier one to follow. The first route involves touching two different systems, each one with its own quirks:
- install+setup remote syslog server on Linux;
- make Windows send the logs to remote syslog server;
- also setup the syslog reading on Linux
This approach seems to create more "points of failure" (imagine a network problem blocking Windows from logging its events to the remote syslog).
The first route would require only installing a WMI client for Linux. I'd recommend wbemcli. (On Debian/Ubuntu try apt-get install wbemcli.) With this, Windows logging (which in my experience is rock-solid) remains unchanged. Even if you have temporary network problems, your access to un-compromised logs will return after the network has come back to full operation.
As you may know, WMI is just Microsoft's implementation of WBEM (Web-based Enterprise Management). WBEM in turn is an industry standard defined by the Distributed Management Task Force consortium.
There are some differences in MS's WMI from the WBEM standard (as is mostly the case when MS says they 'implement a standard'). For example, it uses a different transport protocol than stock WBEM (WBEM typically uses HTTP over TCP/5988 or HTTPS over TCP/5989). WMI also uses slightly different namespaces. Otherwise, they are mostly identical.
- Great answer! Are there any obstacles with the WMI/WBEM approach, like the need to set up additional stuff on each Windows machine? For instance, additional rights, additional firewall rules etc.? With WMI I can access only Event Logs, not for instance Exchange logs, right? – damir, Aug 11, 2010 at 13:16
- @damir: Sorry, I don't know the answer to your 'Exchange logs' question. I never had to deal with Exchange. – Kurt Pfeifle, Aug 11, 2010 at 15:00
- An example wbemcli command would be nice. – mivk, Dec 10, 2020 at 15:52
I can't comment on those two but I know a third: Install a small server on Windows which can read the log and which responds to queries or pushes new events to Linux. I used Python with the win32 module for tasks like this.
- That's additional overhead for administration; if nothing else proves reliable I will use your method. – damir, Aug 11, 2010 at 9:37
- @Aaron Digulla, is there any documentation on how to do this? Rather than polling or querying, I'd like my Linux machine to just listen for Windows login events from a domain controller, so this approach sounds more suitable. Thanks. – Nagev, Nov 16, 2017 at 10:56
- @Nagev You need to read up on the Windows APIs to access the event log. There are examples for this: stackoverflow.com/questions/11219213/… Next, you need to write a service which allows you to read this from a Linux client. A simple REST based service will work (there are tons of examples how to do REST with Python, just google). Just make sure you use some form of encryption for sensitive data (use https:// to access the REST server). – Aaron Digulla, Nov 28, 2017 at 12:54
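The Linux-side half of the first route from the question (Windows forwards events over syslog, Linux receives them), written so it also does what Nagev's comment asks for: it listens for forwarded datagrams and names the logon-related Security events (4624/4625/4634/4740) as they arrive. This is an added example, not code from the thread or from any forwarding agent; it assumes the Windows forwarder emits RFC 3164 syslog lines whose body carries key=value fields such as EventID and TargetUserName, and the sample lines are constructed, so adapt the field names to whatever your agent actually sends.

```python
import re
import socketserver

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss hostname body
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Windows Security log event IDs relevant to logon monitoring.
LOGON_EVENTS = {4624: "logon success", 4625: "logon failure",
                4634: "logoff", 4740: "account locked out"}

# Constructed sample datagrams (not real forwarder output; tag and field names assumed).
SAMPLE_LINES = [
    '<86>Aug 11 13:16:09 DC01 MSWinEventLog: EventID=4625 TargetUserName=bob '
    'IpAddress=10.0.0.5 Status=0xc000006d',
    '<86>Aug 11 13:16:10 DC01 MSWinEventLog: EventID=4624 TargetUserName="svc account" '
    'LogonType=3',
    'not a syslog line at all',
]

def parse_windows_syslog(line):
    """Split an RFC 3164 line into host, facility, severity and key=value fields."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("body"))}
    eid = fields.get("EventID", "")
    return {"host": m.group("host"), "facility": pri // 8, "severity": pri % 8,
            "event_id": int(eid) if eid.isdigit() else None, "fields": fields}

def classify(event):
    """Name the logon-related event, or None if it is not one we track."""
    return LOGON_EVENTS.get(event["event_id"]) if event else None

class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        ev = parse_windows_syslog(self.request[0].decode("utf-8", "replace"))
        kind = classify(ev)
        if kind:  # only logon-related events are reported
            print(f"{ev['host']}: {kind} user={ev['fields'].get('TargetUserName')}")

if __name__ == "__main__":
    for s in SAMPLE_LINES:  # offline self-check on the constructed samples
        print(classify(parse_windows_syslog(s)))
    # Unprivileged port; point the Windows forwarder at it (or redirect UDP/514 to it).
    with socketserver.UDPServer(("0.0.0.0", 5514), _Handler) as srv:
        srv.serve_forever()
```

Plain UDP syslog is unauthenticated and unencrypted, so this only tells you what arrived, not that the domain controller sent it; a TLS transport (or the HTTPS the answer above suggests) is what makes the received events trustworthy.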
Yes, you need git-bash for Windows and an SSH server (I would recommend Bitvise sshd; no personal connections, but it's very stable and well-tested).
Once you have done that, you need to put git-bash on the Windows path. Then you can use:
ssh [email protected] 'bash -c "tail -n 20 -F /c/Users/username/Desktop/logging_file.log"'
More details here: https://stackoverflow.com/a/50936183/4752883