Windows Event Log collection and monitoring

Easily collect, manage, and archive Windows Event Logs from your Windows servers.

Download Free Trial Email Link to Trial

Fully functional for 14 days

Learn More

Log Monitoring

Log Troubleshooting

Log Filtering

Demonstrate Compliance

Log Management

Windows Event Log monitoring

Together with SNMP traps and syslog messages, Windows Event Logs provide extremely valuable insights into your infrastructure running on Windows systems. As Windows operating systems don’t support syslog protocol, Windows Event Logs are crucial for network and system administrators to get similar information about Windows devices to help diagnose and detect possible issues. SolarWinds^® Kiwi Syslog^® is a simple standalone syslog server designed to centralize not only syslog messages and SNMP traps from your network devices, but Windows Event Logs from your servers and workstations and simplify your log management and network troubleshooting.

Download Free Trial Email Link to Trial

Fully functional for 14 days

Learn More

Use Windows Event Log for faster troubleshooting

Network Troubleshooting Kiwi Syslog Server 2 Features Array Item - features item image

Similar to syslog messages, Windows Event Log data provides essential data to keep your network up and running. It helps detect important issues such as error messages, network connection problems or unsuccessful attempts to log on, and so on. Without this information, you might miss early signals of an emerging issue, which could result in a network failure or expose your network to a security risk. The Kiwi Syslog Server NG software allows you to centralize Windows Event Logs from your Windows servers or workstations and notify you about an emerging issue in almost real time.

Download Free Trial Email Link to Trial

Fully functional for 14 days

Learn More

React to Windows Event Logs with rules and actions

As your devices can produce thousands of logs per hour, it’s important to have a good filtration system in place for monitoring Windows Event Logs. Kiwi Syslog Server offers extensive filtering capabilities designed to help you to filter out “noise”—event logs that aren’t relevant for your efficient network operation. You can set up filters based on Windows Event Log type, source, or keyword and specify rules and actions to react according to the situation—notify selected people through an email alert, forward the message to another host (such as your SIEM system), or run an external script. With such a system in place, network and system administrators can make sure they detect a possible issue and its root cause fast and can troubleshoot the problem before it impacts the normal operation of their network.

Download Free Trial Email Link to Trial

Fully functional for 14 days

Learn More

Demonstrate compliance through Windows Event Log retention

Apart from troubleshooting, Windows Event Log collection and retention is an important measure for security and compliance. Various compliance frameworks such as SOX, HIPPA, PCI, and others require log retention from your network devices, including Windows Event Logs. The Kiwi Syslog Server NG software offers automated log archival and cleanup options you can leverage for Windows Event Log retention to help you easily meet the expectations of your security team and demonstrate compliance with regulatory guidelines.

Download Free Trial Email Link to Trial

Fully functional for 14 days

Learn More

Centralize your log management in one place

Centralized log collection is the key to effective log management. Your network devices, such as routers, switches, firewalls, or servers, generate logs all the time, and it’s impossible to stay on top of them on a system-by-system basis. Kiwi Syslog Server NG centralizes logs from your network devices, including syslog messages and SNMP traps from Linux, UNIX, and Windows systems, in a single console. From there, you can manage the logs according to your needs—use different views to search and view logs, set up filters and alerts, or forward selected messages to a different monitoring solution while storing your logs for audit purposes. Kiwi Syslog Server NG is a web-based application, so you can easily view and search your logs from anywhere.

Download Free Trial Email Link to Trial

Fully functional for 14 days

Learn More

Get More on Windows Event Log Collection and Monitoring

Do you find yourself asking…

How does Kiwi Syslog Server NG collect Windows event logs?
What are the different types of Windows event logs?
How do "event log analysis" and "correlation" differ?
How does Kiwi Syslog Server NG assist in correlating Windows event logs to detect security threats?
How can you automate the archiving of Windows event logs?

To start collecting and processing Windows events in Kiwi Syslog Server NG, use the free SolarWinds^® Event Log Forwarder for Windows utility. You can easily configure your Windows servers or workstations to send Windows event logs from this tool to Kiwi Syslog Server NG in a compatible syslog format, allowing you to leverage the extensive filtering capabilities, rules, and actions in Kiwi Syslog Server NG.

Here's a typical process for setting up a correlation rule:

Pinpoint the Key Events: Determine which event IDs or log messages signal important issues for your environment (for example, critical services shutting down, repeated failed logins, or account lockouts)
Build the Filter: Using the Kiwi Syslog Server NG console, set up a filter to capture only relevant logs—you can filter by priority, IP address, host name, message text, time of day, flags or counters, input source, and regular expressions
Set the Action: This step defines the correlation rule; based on the filtered logs, choose an action such as sending an alert (notifying your team via email), logging to a file or database (storing the filtered information elsewhere for long-term retention or SIEM use), or running a script (automatically launching an external program or script to trigger a response, such as blocking a suspicious IP or disabling a compromised account)—to see the full list of actions, visit SolarWinds Documentation

This approach enables you to create an "If X, then Y" response plan for every critical situation in your environment.

Because Windows doesn't natively support syslog, the initial step involves using our free companion tool, Event Log Forwarder for Windows, which serves as a translator. This tool allows you to select specific events—for example, critical security events such as failed login attempts—and forwards this detailed event data to the Kiwi Syslog Server NG. This process enables you to consolidate all your system and security logs in a single, central location.

Once your Windows log files are being collected centrally, automating your archiving is simple thanks to the built-in scheduler. This feature helps you comply with log retention policies, ensuring you retain the historical data needed for cybersecurity audits without overloading your active storage. Here's how to use the Kiwi Syslog Server NG integrated scheduler to automate log archiving:

Define the Task: Begin by creating a new schedule in the Kiwi Syslog Server NG setup utility, and set the task type to Archive, specifying your objective to the system
Set the Trigger: For full automation, choose the frequency under the "On a schedule" trigger—such as nightly or weekly runs; you can also set the process to trigger when the service starts or stops
Select the Source and Criteria: Direct the task to the folder where Kiwi Syslog Server saves your raw Windows logs, and filter which files to archive, usually by setting a file age such as "at least 90 days old," so only older logs are archived while recent ones remain easily accessible; this process is far more efficient than checking the eventvwr
Identify the Destination and Format: Specify where Kiwi Syslog Server should move or copy the archived data; you can choose options such as zipping files for compression or encrypting zip files for enhanced security, which is ideal for protecting sensitive logs and meeting compliance requirements—the server supports logging to files, disks, or ODBC-compliant databases

By automating this process, you avoid sifting through the default Windows Event Viewer and can focus on responding to important alerts, allowing you to excel at troubleshooting.

To start collecting and processing Windows events in Kiwi Syslog Server NG, use the free SolarWinds^® Event Log Forwarder for Windows utility. You can easily configure your Windows servers or workstations to send Windows event logs from this tool to Kiwi Syslog Server NG in a compatible syslog format, allowing you to leverage the extensive filtering capabilities, rules, and actions in Kiwi Syslog Server NG.

Here's a typical process for setting up a correlation rule:

Pinpoint the Key Events: Determine which event IDs or log messages signal important issues for your environment (for example, critical services shutting down, repeated failed logins, or account lockouts)

Build the Filter: Using the Kiwi Syslog Server NG console, set up a filter to capture only relevant logs—you can filter by priority, IP address, host name, message text, time of day, flags or counters, input source, and regular expressions

Set the Action: This step defines the correlation rule; based on the filtered logs, choose an action such as sending an alert (notifying your team via email), logging to a file or database (storing the filtered information elsewhere for long-term retention or SIEM use), or running a script (automatically launching an external program or script to trigger a response, such as blocking a suspicious IP or disabling a compromised account)—to see the full list of actions, visit SolarWinds Documentation

This approach enables you to create an "If X, then Y" response plan for every critical situation in your environment.
These terms are often used interchangeably, but they represent different aspects of log management.

Analysis: This involves examining an individual event log entry for specific information, focusing on details such as the event ID, severity, timestamp, and source—it's a thorough look at a single piece of data; for example, when you encounter a failed logon event (Event ID 4625), you analyze it to determine the user, the machine involved, and the time it occurred

Correlation: This is more insightful, as it involves linking information from several logs that may come from different sources or times; for instance, if you notice three failed logon attempts on a server followed shortly by a successful login from another IP address, that sequence suggests more than isolated incidents—it could indicate a brute-force attack, and correlation allows you to aggregate these events and uncover patterns that wouldn't be obvious from a single log entry, which is key to improving observability
Discovering a hidden security threat amid the everyday flood of log entries is where correlation truly shines.

Kiwi Syslog Server NG supports you by:

Centralizing and Standardizing Data: Gathering Windows event logs from all your servers and workstations (using the free Event Log Forwarder for Windows tool) and converting them into a consistent format, allowing for immediate searching and comparison of all system logs and application logs (which are part of server event logs)

Eliminating Unnecessary Data: Allowing you to build robust rules based on event type, source, or keywords to filter out less important logs, such as the countless successful audit entries, providing a smaller, more relevant set of data to review; you can also create custom views to display only the most critical information
Because Windows doesn't natively support syslog, the initial step involves using our free companion tool, Event Log Forwarder for Windows, which serves as a translator. This tool allows you to select specific events—for example, critical security events such as failed login attempts—and forwards this detailed event data to the Kiwi Syslog Server NG. This process enables you to consolidate all your system and security logs in a single, central location.

Once your Windows log files are being collected centrally, automating your archiving is simple thanks to the built-in scheduler. This feature helps you comply with log retention policies, ensuring you retain the historical data needed for cybersecurity audits without overloading your active storage. Here's how to use the Kiwi Syslog Server NG integrated scheduler to automate log archiving:

Define the Task: Begin by creating a new schedule in the Kiwi Syslog Server NG setup utility, and set the task type to Archive, specifying your objective to the system

Set the Trigger: For full automation, choose the frequency under the "On a schedule" trigger—such as nightly or weekly runs; you can also set the process to trigger when the service starts or stops

Select the Source and Criteria: Direct the task to the folder where Kiwi Syslog Server saves your raw Windows logs, and filter which files to archive, usually by setting a file age such as "at least 90 days old," so only older logs are archived while recent ones remain easily accessible; this process is far more efficient than checking the eventvwr

Identify the Destination and Format: Specify where Kiwi Syslog Server should move or copy the archived data; you can choose options such as zipping files for compression or encrypting zip files for enhanced security, which is ideal for protecting sensitive logs and meeting compliance requirements—the server supports logging to files, disks, or ODBC-compliant databases

By automating this process, you avoid sifting through the default Windows Event Viewer and can focus on responding to important alerts, allowing you to excel at troubleshooting.