Syslog to Event Log

<< Click to Display Table of Contents >>

Navigation:  Monitoring with EventSentry > Network Services > Syslog Daemon >

Syslog to Event Log

To log Syslog packets to the event log, click the "Syslog to Event Log" tab and check the "Log to the APPLICATION Event Log" check box. You will also be able to configure the severity mappings, since the Syslog protocol defines 8 instead of just 3 severities.


EventSentry will log all messages to the application event log with event ID 500 and event source EventSentry Network Services.


Severity Mapping

Since EventSentry logs Syslog messages to the Windows event log, you will need to specify how the Syslog error levels correspond to the Windows event log error levels.


Unix Syslog defines eight severity levels:


EMERG Emergency


CRIT Critical

ERR Error






The Windows event log defines only three severities (SUCCESS is not mentioned since it is basically equal to INFORMATION):





Ignore (does not log message to the event log)





To prevent a certain error level (e.g. debug) from being written to the Windows event log specify Ignore in the corresponding Windows column. This will drop all packets from the specified error level without logging them to the event log.



By default, no incoming Syslog messages will be logged to the event log. Click the + icon to add strings that will trigger event log alerts (see below for filtering syntax and examples). Wildcards * and ? are supported.


Include: Log all messages to the event log, except for exclusions below

This setting will log all Syslog messages to the event log. Syslog messages containing strings that are listed below will not be logged to the event log.


Exclude: Only log messages to the database that are included below

This is the default setting, and will log Syslog messages to the event log that match the strings listed below. This allows you to only write Syslog messages to the event log that match your filters.



Syslog message filters are compared to the following Syslog format:


hostname[facility.severity]: content

ipaddress[facility.severity]: content


hostname: The host name of the remote host, if the remote IP address as was able to be resolved to a host name

ipaddress: The IP address of the remote host, if the host name could not be resolved with a reverse lookup

facility: The Syslog facility, e.g. auth, cron, kern, etc.

severity: The Syslog severity, e.g. emerg, alert, crit, etc.

content: The actual content of the Syslog message


Examples:[kern.crit]: Invalid login from[cron.notice]: /USR/SBIN/CRON[26051]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

ubuntu-box[authpriv.notice]: sudo: root : TTY=unknown ; PWD=/ ; USER=administrator ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/use_http_proxy


Example Filters

Match all "info" severities from hosts that start with "firewall": firewall*[*.info]*

Match all messages that contain "": **

Match all messages from facility "local7" with severity "notice": *[local7.notice]*

Match all messages from hosts from the subnet: 192.1.1.*