I want to collect logs from various machines (Windows and Linux) to a centralized log server. The log server has been configured and is listening on port 514 TCP and UDP for logs in the syslog protocol.
I have linux machines sending their logs there just fine.
I also want to forward Windows event logs there. For that purpose I'm using the SolarWinds event log forwarder here: https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
Now I also want to have print events logged, so I followed the tutorial here: https://www.howtogeek.com/445760/how-to-check-your-printed-document-history-in-windows-10/
Basically:
- open Event Viewer,
- open Applications and Services Logs > Microsoft > Windows > PrintService > Operational > Properties, then check "Enable logging"
But when I checked my syslog server, I could not find the print logs (even though I have some other logs captured from Windows):
$ ls
local0.info.MSWinEventLog#0116#011Application#01110#011Wed.log local0.info.MSWinEventLog#0116#011Application#01113#011Wed.log local0.info.MSWinEventLog#0116#011Application#0115#011Wed.log local0.info.MSWinEventLog#0116#011Application#0119#011Wed.log
local0.info.MSWinEventLog#0116#011Application#0111#011Wed.log local0.info.MSWinEventLog#0116#011Application#0112#011Wed.log local0.info.MSWinEventLog#0116#011Application#0116#011Wed.log
local0.info.MSWinEventLog#0116#011Application#01111#011Wed.log local0.info.MSWinEventLog#0116#011Application#0113#011Wed.log local0.info.MSWinEventLog#0116#011Application#0117#011Wed.log
local0.info.MSWinEventLog#0116#011Application#01112#011Wed.log local0.info.MSWinEventLog#0116#011Application#0114#011Wed.log local0.info.MSWinEventLog#0116#011Application#0118#011Wed.log
I know these are not the print logs because, in my configuration, local0 is for the "application" log, local1 for all events, and local2 for print logs.
But when I look in Event Viewer, I can see that the events have been captured:
What am I doing wrong? Why is the PrintService log not captured at all?
1 Answer
After researching some other alternatives, I managed to find nxlog.co (I'm not associated with it). Here is how I managed to forward print events:
- download the Windows installer (msi) from https://nxlog.co/products/nxlog-community-edition/download
- I selected the open source community version (they seem to have an enterprise version which is paid)
- add/append these lines to C:\Program Files\nxlog\conf\nxlog.conf
<Input eventlog>
Module im_msvistalog
</Input>
<Output tcp>
Module om_tcp
Host 192.168.100.200
Port 514
Exec to_syslog_bsd();
</Output>
<Route 1>
Path eventlog => tcp
</Route>
- validate the configuration by running this in an elevated command prompt
"C:\Program Files\nxlog\nxlog.exe" -v
- open services.msc, select the nxlog service, then stop and start it again
Here is an example of one captured event:
$ cat user.info.User32.log
2022-05-18T15:00:10+07:00 MYPC User32[780]: The process Explorer.EXE has initiated the power off of computer MYPC on behalf of user MYPC\USER for the following reason: Other (Unplanned) Reason Code: 0x0 Shutdown Type: power off Comment: #015
2022-05-18T15:00:12+07:00 MYPC User32[680]: The process C:\WINDOWS\system32\winlogon.exe (MYPC) has initiated the power off of computer MYPC on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x500ff Shutdown Type: power off Comment: #015
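As an added example (not part of the question or the answer), here is a small Python parser for the BSD syslog lines that to_syslog_bsd() and the SolarWinds forwarder send to port 514; it decodes the PRI field into facility and severity so you can check on the collector which facility (local0/local1/local2 in the asker's mapping) and which Windows channel each forwarded event actually arrives under. The sample lines are constructed, not captured from the asker's server.

```python
import re
from collections import Counter

# BSD syslog (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)
# nxlog-style MSG: SourceName[EventID]: text  (like the User32[780] line above)
TAG_RE = re.compile(r"^(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ")

LOCAL = {16 + i: "local%d" % i for i in range(8)}
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", **LOCAL}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_bsd_syslog(line):
    """Return facility, severity, host and Windows channel/source of one syslog line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, max 23 * 8 + 7
        raise ValueError("PRI out of range: %d" % pri)
    rec = {"facility": FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3)),
           "severity": SEVERITIES[pri & 7], "host": m.group("host")}
    msg = m.group("msg")
    if msg.startswith("MSWinEventLog\t"):
        # Snare/SolarWinds layout: MSWinEventLog<TAB>crit<TAB>LogName<TAB>count<TAB>...
        # the "#011" in the file names on the syslog server is that TAB, octal-escaped
        rec["channel"] = msg.split("\t")[2]
    else:
        t = TAG_RE.match(msg)
        rec["channel"] = t.group("tag") if t else None
    return rec

def count_by_facility_and_channel(lines):
    """Tally (facility, channel) pairs: shows whether PrintService events reach local2."""
    return Counter((r["facility"], r["channel"]) for r in map(parse_bsd_syslog, lines))

# Constructed sample lines: <134> = local0.info, <150> = local2.info, <14> = user.info
SAMPLE_LINES = [
    "<134>May 18 15:00:10 MYPC MSWinEventLog\t6\tApplication\t10\tWed May 18 15:00:10 2022\t1000\tApp\tstarted",
    "<150>May 18 15:01:00 MYPC MSWinEventLog\t1\tMicrosoft-Windows-PrintService/Operational\t11\t"
    "Wed May 18 15:01:00 2022\t307\tPrintService\tDocument 5 printed",
    "<14>May 18 15:00:10 MYPC User32[780]: The process Explorer.EXE has initiated the power off of computer MYPC",
]
```

If the tally shows Application events on local0 but nothing on local2, the channel is not being forwarded, which is the symptom described in the question.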