access windows log files from linux


Solution 1

My gut feeling is that your second route will be the easier to follow. The first route involves touching two different systems, each one with its own quirks:

  • install+setup remote syslog server on Linux;
  • make Windows send the logs to remote syslog server;
  • also setup the syslog reading on Linux

This approach seems to create more "points of failure" (imagine a network problem blocking Windows from logging its events to the remote syslog).

The first route would require only installing a WMI client for Linux. I'd recommend wbemcli. (On Debian/Ubuntu try apt-get install wbemcli.) With this, Windows logging (which in my experience is rock-solid) remains unchanged. Even if you have temporary network problems, your access to un-compromised logs will return after the network comes back to full operation.

As you may know, WMI is just Microsoft's implementation of WBEM (Web-based Enterprise Management). WBEM in turn is an industry standard defined by the Distributed Management Task Force consortium.

There are some differences in MS's WMI from the WBEM standard (as is mostly the case when MS says they 'implement a standard'). For example, it uses a different transport protocol than stock WBEM (WBEM typically uses HTTP over TCP/5988 or HTTPS over TCP/5989). WMI also uses slightly different namespaces. Otherwise, they are mostly identical.
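For the syslog route discussed above, here is an added example (not part of the original answers) of the Linux-side reading step: a small parser for event log lines that a syslog agent on the Windows host forwards in RFC 3164 framing, which then counts failed logons (Security event 4625) per account. The message layout (`EventID=<n> Account=<name>` fields) and the sample lines are assumptions constructed for the example; real agents format the message differently.

```python
# Added example: parse Windows event log lines forwarded over syslog to Linux.
# Assumed line format: RFC 3164 "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG" with key=value fields.
import re
from collections import Counter

# RFC 3164 header followed by a free-text message
_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:]+): "
    r"(?P<msg>.*)$"
)
_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return facility, severity, host, tag and any key=value fields from the
    message, or None if the line is not well-formed syslog."""
    m = _SYSLOG.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))          # PRI = facility * 8 + severity
    rec = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }
    rec.update(_FIELD.findall(rec["msg"]))  # e.g. EventID, Account, LogonType
    return rec

def failed_logons(lines):
    """Count Windows logon failures (Security event 4625) per account."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("EventID") == "4625":
            counts[rec.get("Account", "?")] += 1
    return counts

# Constructed sample input, not a real capture; one malformed line is included
# to show that the parser skips it instead of crashing.
SAMPLE = [
    "<110>Sep 17 10:01:02 DC01 Security: EventID=4624 Account=alice LogonType=3",
    "<108>Sep 17 10:01:05 DC01 Security: EventID=4625 Account=bob LogonType=3",
    "<108>Sep 17 10:01:06 DC01 Security: EventID=4625 Account=bob LogonType=3",
    "not a syslog line",
]
```

Running `failed_logons(SAMPLE)` on the constructed input yields two failures for `bob` and none for `alice`; a real collector would feed lines from the UDP/TCP 514 listener instead of a list.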

Solution 2

I can't comment on those two but I know a third: Install a small server on Windows which can read the log and which responds to queries or pushes new events to Linux. I used Python with the win32 module for tasks like this.


Author: damir

Ex 10+ years sysadmin, working for company and doing more and more management and less development (SIEM, network provisioning, billing, integrations) for other telcos.

Updated on September 17, 2022

Comments

  • damir
    damir almost 2 years

    I'm trying to remotely access Windows log files from Linux. So far I've found two different approaches.

    1. Install a syslog server on the Windows machine and let Windows send log files to Linux, then read those files
    2. Remotely access log files with a WMI implementation for Linux.

    Does anyone know about limitations for those two approaches before I dive into implementation?

  • damir
    damir almost 14 years
    That's additional overhead for administration; if nothing else proves reliable I will use your method
  • Kurt Pfeifle
    Kurt Pfeifle almost 14 years
    @damir: Sorry, I don't know the answer to your 'Exchange logs' question. I never had to deal with Exchange.
  • Nagev
    Nagev over 6 years
    @Aaron Digulla, is there any documentation on how to do this? Rather than polling or querying, I'd like my Linux machine to just listen for Windows login events from a domain controller, so this approach sounds more suitable. Thanks.
  • dingzhihu
    dingzhihu over 6 years
    @Nagev You need to read up on the Windows APIs to access the event log. There are examples for this: stackoverflow.com/questions/11219213/… Next, you need to write a service which allows you to read this from a Linux client. A simple REST based service will work (there are tons of examples of how to do REST with Python, just google). Just make sure you use some form of encryption for sensitive data (use https:// to access the REST server).
  • mivk
    mivk over 3 years
    An example wbemcli command would be nice.