Configuring remote syslog from Windows

Recommended logger: Nxlog

To send log files and event logs from all Windows variants, we recommend nxlog.

Installation

Basic Configuration

Post install:

Encrypted Logging using TCP+TLS (optional)

    <Output syslogout>
       Module om_ssl
       # Replace <host> and YOUR_PORT with the destination from Papertrail's Add Systems page
       Host <host>.papertrailapp.com
       Port YOUR_PORT
       # Trust anchor used to verify the Papertrail server certificate
       CAFile %CERTDIR%/papertrail-bundle.pem
       # Refuse any server certificate that does not chain to CAFile
       AllowUntrusted FALSE
    </Output>
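The Output block above only covers the delivery end. As an added example (not Papertrail's or nxlog's own file), here is a complete nxlog.conf that reads the Windows Event Log and routes it to that TLS output, with the plaintext UDP alternative shown beside it for contrast. The install path, host name, port and certificate path are placeholders to replace with your own values.

```conf
# Added example: nxlog.conf for Event Log -> Papertrail over TLS.
# ROOT is the default nxlog install directory; adjust if yours differs.
define ROOT    C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides the to_syslog_ietf() formatting function used by the outputs.
<Extension syslog>
    Module xm_syslog
</Extension>

# Read the Windows Event Log (Vista and later).
<Input eventlog>
    Module im_msvistalog
</Input>

# Plaintext UDP output. Events leave the host unencrypted and unauthenticated
# and can be silently dropped. Shown only for contrast; nothing is routed to it.
<Output syslogout_udp>
    Module om_udp
    Host   logsN.papertrailapp.com
    Port   XXXXX
    Exec   to_syslog_ietf();
</Output>

# TLS output. CAFile is the trust anchor for the server certificate and
# AllowUntrusted FALSE makes nxlog refuse any certificate that does not chain to it.
<Output syslogout>
    Module om_ssl
    Host   logsN.papertrailapp.com
    Port   XXXXX
    CAFile %CERTDIR%\papertrail-bundle.pem
    AllowUntrusted FALSE
    Exec   to_syslog_ietf();
</Output>

# Only the TLS output is wired up.
<Route 1>
    Path eventlog => syslogout
</Route>
```

After saving the file, restart the nxlog service (net stop nxlog, then net start nxlog) and check %ROOT%\data\nxlog.log: a certificate or connection error there means the bundle path or destination is wrong, and with AllowUntrusted FALSE nxlog will not fall back to sending the events unverified.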

Alternative: Eventlog-to-Syslog

If nxlog will not run on your machine, Eventlog-to-Syslog can be installed and configured using the instructions below.

1. Download

Download evtsys-64bit.zip or evtsys32bit.zip from Google Code. As of this writing, the current version is 4.5.1.

Download the regular build, not the Large Packet build. As noted here, the Large Packet build raises the maximum packet size from 1500 bytes to 4096 bytes. The largest packet (MTU) that can cross the Internet intact is 1500 bytes, so the regular build is required.

2. Install

Extract the .zip file. Copy the two extracted files to C:\Windows\System32 (or your system’s equivalent directory).

3. Run

Open a Command Prompt as a local administrator: Start -> right-click on Command Prompt -> “Run as Administrator.”

Navigate to C:\Windows\System32.

Run evtsys.exe to install the service, providing the destination host and port from Papertrail’s Add Systems page. For example:

evtsys.exe -i -h logsN.papertrailapp.com -p XXXXX

Change the logsN and XXXXX arguments to match your Papertrail log destination.

This installs and starts the Eventlog-to-Syslog relay service. Subsequent Windows events should appear in Papertrail within 5 seconds.

Here are the full arguments and the readme. To uninstall the service, run with -u, like:

evtsys.exe -u -h logsN.papertrailapp.com -p XXXXX

Change the logsN and XXXXX arguments to match your Papertrail log destination.

In addition to the Services control panel, the service can be controlled with:

net start evtsys
net stop evtsys