Configuring remote syslog from Windows

Recommended logger: Nxlog

To send log files and event logs from all Windows variants, we recommend nxlog.


Basic Configuration

Post install:

Encrypted Logging using TCP+TLS (optional)

    <Output syslogout>
        Module om_ssl
        Host <host>
        Port YOUR_PORT
        CAFile %CERTDIR%/papertrail-bundle.pem
        AllowUntrusted FALSE
    </Output>

Alternative: Eventlog-to-Syslog

In case nxlog will not run on your machine, Eventlog-to-Syslog can be installed and configured using the instructions below.

1. Download

Download or from Google Code. As of this writing, the current version is 4.5.1.

Download the regular build, not the Large Packet build. As noted here, the Large Packet build raises the maximum packet size from 1500 bytes to 4096 bytes. The standard MTU on Internet paths is 1500 bytes, so the regular build is required.

2. Install

Extract the .zip file. Copy the two extracted files to C:\Windows\System32 (or your system's equivalent directory).

3. Run

Start a Command Prompt as a local administrator: Start -> right-click on Command Prompt -> "Run as Administrator".

Navigate to C:\Windows\System32.

Run evtsys.exe to install the service, providing the destination host and port from Papertrail’s Add Systems page. For example:

    evtsys.exe -i -h <host> -p <port>

Change the host and port arguments to match your Papertrail account.

This will start the eventlog-to-syslog relay. Subsequent Windows events should appear in Papertrail within 5 seconds.

Here are the full arguments and the readme. To uninstall the service, run with -u, like:

    evtsys.exe -u -h <host> -p <port>

Change the host and port arguments to match your Papertrail account.

In addition to the Services control panel, the service can be controlled with:

    net start evtsys
    net stop evtsys
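The same install steps as a PowerShell script, with a check that the service is actually running and that the destination is reachable. This is an added example, not part of the original page or the Eventlog-to-Syslog project; the archive path and the host/port values are placeholders you must replace, and the reachability probe assumes the destination also accepts TCP on the same port.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page or the evtsys project): steps 1-3 above as a script,
# followed by two checks a practitioner wants before trusting the relay.
param(
    [string]$ZipPath    = "$env:USERPROFILE\Downloads\evtsys.zip",  # assumption: where you saved the download
    [string]$SyslogHost = "<host>",                                  # placeholder: host from Papertrail's Add Systems page
    [int]$SyslogPort    = 514                                        # placeholder: port from Papertrail's Add Systems page
)
$ErrorActionPreference = 'Stop'

# Step 2: extract the archive and copy the two files (evtsys.exe and its companion DLL) into System32.
$staging = Join-Path $env:TEMP 'evtsys'
Expand-Archive -Path $ZipPath -DestinationPath $staging -Force
Copy-Item -Path (Join-Path $staging '*') -Destination "$env:SystemRoot\System32" -Force

# Step 3: register the service with the destination host and port (same flags as above).
& "$env:SystemRoot\System32\evtsys.exe" -i -h $SyslogHost -p $SyslogPort
if ($LASTEXITCODE -ne 0) { throw "evtsys.exe -i exited with code $LASTEXITCODE" }

# Check 1: the service must be running, otherwise no events leave the box. Start it if needed.
$svc = Get-Service -Name evtsys
if ($svc.Status -ne 'Running') {
    Start-Service -Name evtsys
    $svc.Refresh()
}
"evtsys service status: $($svc.Status)"

# Check 2: syslog over UDP gives no delivery feedback, so confirm name resolution and
# reachability with a TCP probe to the same port (assumes the destination listens on TCP too).
if (-not (Test-NetConnection -ComputerName $SyslogHost -Port $SyslogPort -InformationLevel Quiet)) {
    Write-Warning "Cannot reach ${SyslogHost}:${SyslogPort}; check firewall egress and the host/port values."
}
```

If the probe fails, fix egress before debugging evtsys itself: with UDP the service reports success even when nothing arrives.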