The rocket-fast system for log processing

Using RSyslog Windows Agent to forward log files

in this article we describe how to use the RSyslog Windows Agent to forward log messages that are stored in plain text files. The article itself will be made of two larger steps. Both steps contain some substeps which will be shown in detail in one of the smaller articles. We assume, that no basic configuration is currently available.

This time, we want to use textfiles as log sources. Many programs for Windows do not use the EventLog system. They use simple and plain text files to store their log messages. Though, the information that is logged there could be as important as EventLogs.

Basically, the configuration of RSyslog Windows Agent consists of 3 parts.

1. A so-called service which generates the log data to be processed by, for example, a file monitor.

2. Rules with Filters. Filters give you the power to decide which log messages are important enough to be kept or not.

3. The action that has to be taken. In our case, forwarding the syslog messages.

Step 1: Setting up the ruleset and action.

Usually we start by creating the ruleset, rule and action. The reason lies in the configuration structure. So we will first create the mentioned items. In the end, we will have a basic rule with no particular filter and a forward via syslog action. That means, that all messages will be forwarded to a central host.

Click here to see the steps.

Step 2: Setting up the service.

Now we will set up the service. We need to create a File Monitor Service. The File Monitor Service is able to monitor a file or a directory with files. It will check the specified file(s) periodically for new lines (which would be new log messages) and use them for further processing.

File Monitor Steps

That’s it, you are already finished. Easy wasn’t it? Now you should be able to poll log files and forward the log messages to your central syslog server.