Syslog ... 20 Years Later
Greg looks at a "new" feature in Vista and Server 2008: Event Log subscription.
- By Greg Shields
These days everything old seems suddenly new again. A prime example of that adage is the "new" Event Log subscription feature in Windows Vista and Windows Server 2008.
Twenty years ago, computer programmer Eric Allman was working on sendmail and developed the Syslog protocol to transfer Unix log data across the network to a central repository for aggregation, archival and cross-device analysis. With Vista and Server 2008, Windows now has a form of Syslog baked right into the operating system. It's only about twenty years behind schedule, if you're counting.
The idea is that some problems occur on multiple machines, so you may need to analyze log data from more than one computer for troubleshooting. If you consolidate events from each machine into a single log and sort it by time stamp, you'll get a better idea of what's going on. This type of analysis helps when you can't track down the precise nature of the problem.
For example, let's say you're having a problem between a Vista client and a machine running Windows Server 2008. Both systems are pumping data to their respective System Event logs, but you're having trouble aligning what's happening on each machine. In this case, you'll need to create a subscription on the server to inject system log data from the client into the server's system log.
Setting up a subscription isn't difficult. First, launch the Event Log and click the node for "Subscriptions" on the server. You'll be asked to start the Windows Event Collector Service and configure its start mode to Automatic. This service handles collecting Event Logs from your remote machines.
In our example, the Vista client is the "forwarder computer." The
forwarder computer forwards events to the "collector computer," which
is our Server 2008 box. Both machines must be running the Windows Remote Management
(WinRM) service and the server has to be running the Windows Event Collector
Service. To start and automatically configure this service, enter the following
at the command prompt on each computer: winrm quickconfig.
[Click on image for larger view.]
|Figure 1. A
configured and active subscription pulls data from a client machine.
Windows Remote Management is an interesting new tool for remote management that we'll cover in a future column. We're using it here to complete an initial basic configuration. That configuration starts the service and sets its startup mode to Automatic (Delayed Start), punches a hole in the Windows Firewall and creates a WinRM listener on HTTP://* to accept remote management requests to any IP on the machine.
By default, subscriptions use computer accounts for permissioning, though you can substitute a user account. The benefit of using computer accounts means that you don't need to create old-style service accounts to handle subscriptions. However, you do have to manually drop the computer account of the subscriber computer into the Administrators group on the forwarder computer. You can use Active Directory groups to do this.
Once you've finished these steps, you can create a subscription. Subscription data can flow in either direction depending on how you set it up. You always start by creating a subscription at the subscriber computer. Identify the source computers from which it will pull data. From the Subscriptions node in the Event Log, right-click and choose to "Create Subscription." Give the subscription a name and a description. Then choose the destination log where you want to store the incoming data.
In our example, we want System log data from another machine to merge with our server's System log. To do this, change the default destination log from the "Forwarded Events" log to the System log. In this example, though, we're merging logs for a short time to help troubleshoot a problem.
The Forwarded Events log is well suited as a permanent repository for multiple machines to store their log data for later archival, as well. Storing security log data for compliance purposes is an excellent example of this type of use.
Once you've configured the destination log, select your source computers and the types of events you need to collect. Here's where the real power of the "new" Windows Event Log becomes evident. When selecting events, you can choose your events at a granular level-even down to specific event IDs or keywords. This helps reduce the amount of data you'll need to analyze later.
Subscriptions come in three flavors. These depend on the type of problem you're attempting to track down, the quality of your network's bandwidth and the speed at which you want the log data to arrive. The closer to real time you want the log data, the more network resources it will require to gather:
- "Normal mode" configures the target computer to pull event information from the source computer five items at a time, with a batch timeout of 15 minutes.
- "Minimize bandwidth" reverses the direction of the delivery, pushing the data from source to destination. This is helpful if bandwidth is an issue. The influx of log data at the destination is slowed with the batch timeout and the heartbeat interval increases to six hours.
- "Minimize latency" mode works well for gathering real-time or near real-time data. This also uses push mode, but significantly dials up the timeout to every 30 seconds.
You complete this last selection by clicking the "Advanced" button. Once you've completed the selection and configuration process, test the connectivity and start the connection. If you see an Active connection status, you've set it up properly -- you'll soon start seeing log data arriving in the destination log.
Whether you're setting up subscriptions for short-term troubleshooting or
consolidating security logs for long-term compliance, this "old" functionality
is something you'll appreciate just as much as when it was new.
(10/30/2008: This article contains a correction; Eric Allman developed Syslog. -- MDo)
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.