The Graylog blog

Forwarding Windows Events to CLM

Sending Windows Logs to CLM

Looking at your IT environment, you probably have various machines and applications connected to your networks. From network devices to servers to laptops, you need to know what’s happening at all times. While your log data provides the monitoring information you need, your environment’s diversity makes aggregating and correlating this information challenging. If your company invested in Windows devices, then your struggle is even more real because Microsoft uses proprietary format.


Forwarding Windows events to a syslog server enables you to gain value from your machine generated data.

Why collect Windows events?

Windows event logs provide information about various activities occurring across networks, devices, applications, and cloud-based resources. Every event record lists the event type and properties, including:

  • Computer
  • EventCategory
  • EventData
  • EventID
  • EventLevel
  • EventLevelName
  • EventLog
  • ParameterXml
  • ManagementGroupName
  • RenderedDescription
  • Source
  • SourceSystem
  • TimeGenerated
  • UserName


By transforming and aggregating this data in a centralized location, you can use various and visualizations that provide visibility into:

  • Application installations
  • System setup operations
  • Security issues
  • Problems and errors

What is the difference between Syslog and event log?

Syslog is a protocol for formatting log messages, typically associated with Linux / Unix operating systems, Firewalls and Network Infrastructure. Windows event logs are a Microsoft-developed format that provides similar.


A Windows event log uses the following format:

  • Header: represented by ELF_LOGFILE_HEADER structure
  • Event records: represented by EVENTLOGRECORD structures
  • End-of-file: represented by ELF_EOF_RECORD structure


Meanwhile, a Syslog follows this format:

  • Header
  • Structured data
  • Message

Comparing the two formats, the same information would look like this:


Does Windows have syslog?

Since Windows event logs use a Microsoft owned and defined format, they do not have a native Syslog format. Although Windows provides the Event Viewer so that you can review Windows event logs.  There are third party Syslog endpoint log shippers. These can be used to send Windows logs to a Syslog Server.


Can you export Windows event logs?

All Windows Event Logs use the EVT/EVTX format so you can export all items that your Windows XML EventView Log contains. You can use this process to passively monitor system and application logs for a small number of devices, like servers. However, as your environment scales, this time-consuming manual process becomes overwhelming.

Depending on how you want to use the event logs, exporting them can create problems like:

  • Lack of data fidelity: Event logs information can be lost when translating them into binary records.
  • Inefficient search: Using spreadsheets makes it difficult to find what you need.
  • Lack of real-time visibility: Download the information then searching or importing it elsewhere increases outage or business interruption times.

Collecting and aggregating all Windows event logs

Typically used for monitoring security issues, Windows Event Forwarding (WEF) can read any operational or administrative event log from your environment’s devices then forward them to a Windows Event Collector (WEC) server. Microsoft refers to the automated collection and forwarding as “subscriptions.”


WEF offers two different subscription options:

  • Baseline: Collects events from all hosts, including some role-specific ones
  • Targeted: Collects events from a smaller set of hosts because you want to monitor for unusual activity or have greater awareness for the systems


The Eventlog-forwardingPlugin/Operational collects and forwards success, warning, and error events related to the subscription.


WEF offers two different formats:

  • Rendered text: default format that doubles or triples the event size because it includes description as seen in Event Viewer
  • Events: Event XML sent in compact binary format


Microsoft offers three primary event delivery options:

  • Normal: Balances bandwidth use and delivery timing wit pull deliver mode that batches 5 items at a time and sets batch timeout at 15 minutes
  • Minimize bandwidth: Limits network connectivity with push delivery mode that sets a batch timeout of 6 hours and uses a heartbeat interval of 6 hours
  • Minimize latency: Focuses on minimal delivery delay with push delivery mode and batch timeout of 30 seconds


How to collect Windows events on any system

Windows event logs can be sent into Syslog and collect all the data in a Syslog server so they can achieve levels of observability and visibility. Syslog servers are a centralized location for collecting and storing all messages so that you can view and filter them in meaningful ways. Since Syslog can contain more information than Windows event logs, it’s inefficient to translate in this direction.


If you need analytics to correlate and analyze high volumes of data, you may want to use a centralized log management solution that enables you to:

  • Login using the internet
  • Configure alerts
  • Set up responses
  • Scheduling reports

If you want to collect your Windows events using a third-party forwarder that translates them into something other than Syslog, here are a few options.

NXLog Community Edition

The NXLog community edition is an open-source log collector that has Microsoft Windows and GNU/Linux packages. NXLog will ship logs in GELF format to a Graylog GELF input.


You can choose to forward your Syslog data to your chosen database or  using:

  • UDP
  • TCP



Winlogbeat reads Windows event log data using the Windows APIs, shipping it to OpenSearch so that you can store and search your data. Winlogbeat monitors application, security, and system logs by default, but you can configure it to monitor whatever events you need to capture events like:

  • Application events
  • Hardware events
  • Security events
  • System events


Graylog: Centralized Log Management for Windows Event Logs

Graylog’s centralized log management solution enables you to aggregate, correlate, and analyze all your log data in a single location. With Graylog Extended Log Format (GELF) inputs and BEATS inputs, you have a standardized format across Windows log types

Graylog supports Winlogbeat to ingest Windows event logs directly into our BEATS input, or you can use the NXLog community edition that reads Windows event logs and forwards them in GELF.

Using Graylog Sidecar, you can implement multiple configurations per collector and centrally manage their configurations through the Graylog interface. Graylog Cloud accepts inputs from the Graylog Forwarder so that you can collect the same kind of logs from different parts of your infrastructure or maintain a more redundant setup.

By combining the purpose-built modern log analytics of Graylog Operations with Graylog Security’s analytics, you get the intuitive user interface of centralized log management with the power of Security event Information Management (SIEM) tool.

To get an overview of Graylog, including a 20-minute in-depth demo and 10-minute Q&A session, contact us today.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.