3

I'm trying to remotely access windows log files from linux. So far I've found two different approaches.

  1. Install syslog server on windows machine and let windows send log files to linux, read those files
  2. Remotely access log files with wmi implementation for linux.

Does anyone know about limitations for those two approaches before I dive into implementation?

3 Answers

2

My gut feeling is that your second route will be the easier one to follow. The first route involves touching two different systems, each with its own quirks:

  • install+setup remote syslog server on Linux;
  • make Windows send the logs to remote syslog server;
  • also setup the syslog reading on Linux

This approach seems to create more "points of failure" (imagine a network problem blocking Windows from logging its events to the remote syslog).

The first route would require only installing a wmi client for Linux. I'd recommend wbemcli. (On Debian/Ubuntu try apt-get install wbemcli.) With this, Windows logging (which in my experience is rock-solid) remains unchanged. Even if you have temporary network problems, your access to un-compromised logs will return after the network came back to full operation.

As you may know, WMI is just Microsoft's implementation of WBEM (Web-based Enterprise Management). WBEM in turn is an industry standard defined by the Distributed Management Task Force consortium.

There are some differences in MS's WMI from the WBEM standard (as is mostly the case when MS says they 'implement a standard'). For example, it uses a different transport protocol than stock WBEM (WBEM typically uses HTTP over TCP/5988 or HTTPS over TCP/5989). WMI also uses slightly different namespaces. Otherwise, they are mostly identical.

3
  • Great answer! Are there any obstacles with the WMI/WBEM approach, like the need to set up additional stuff on each Windows machine? For instance, additional rights, additional firewall rules etc.? With WMI I can access only Event Logs, not, for instance, Exchange logs, right?
    – damir
    Commented Aug 11, 2010 at 13:16
  • @damir: Sorry, I don't know the answer to your 'Exchange logs' question. I never had to deal with Exchange. Commented Aug 11, 2010 at 15:00
  • An example wbemcli command would be nice.
    – mivk
    Commented Dec 10, 2020 at 15:52
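As an added example (not code from any of the posters), here is the Linux side of the first approach: a minimal UDP syslog collector that parses RFC 3164 lines forwarded by a Windows syslog agent and pulls out the Windows event ID. The line shape and the `EventID=` field are assumptions about what such an agent emits, and the sample lines are constructed.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 3164 shape: <PRI>TIMESTAMP HOSTNAME MSG. The "EventID=<n>" token inside
# MSG is an assumption about the Windows-side agent's output, not a standard.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)
_EVENT_RE = re.compile(r"EventID=(?P<id>\d+)")


@dataclass
class WinEvent:
    facility: int
    severity: int
    host: str
    event_id: Optional[int]
    msg: str


def parse_syslog(line: str) -> Optional[WinEvent]:
    """Parse one RFC 3164 line; return None for anything malformed instead of raising."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI is facility*8 + severity; 23*8 + 7 is the maximum
        return None
    e = _EVENT_RE.search(m["msg"])
    return WinEvent(pri // 8, pri % 8, m["host"], int(e["id"]) if e else None, m["msg"])


def serve(bind="0.0.0.0", port=514, handler=print):
    """Blocking UDP receiver; port 514 needs root or CAP_NET_BIND_SERVICE."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, _src = s.recvfrom(8192)
            ev = parse_syslog(data.decode("utf-8", errors="replace"))
            if ev is None:
                continue  # drop garbage rather than crash the collector
            handler(ev)


SAMPLE = [  # constructed lines in the shape a Windows-to-syslog agent might send
    "<85>Aug 11 13:16:00 WIN-DC01 Security: EventID=4625 An account failed to log on",
    "<13>Aug 11 13:16:02 WIN-DC01 Application: EventID=1000 Faulting application",
    "not syslog at all",
]

if __name__ == "__main__":
    serve()
```

Point the Windows agent at UDP/514 on the Linux host and swap `handler` for whatever stores or alerts on the events.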
1

I can't comment on those two but I know a third: Install a small server on Windows which can read the log and which responds to queries or pushes new events to Linux. I used Python with the win32 module for tasks like this.

3
  • That's additional overhead for administration; if nothing else proves reliable I will use your method.
    – damir
    Commented Aug 11, 2010 at 9:37
  • @Aaron Digulla, is there any documentation on how to do this? Rather than polling or querying, I'd like my Linux machine to just listen for Windows login events from a domain controller, so this approach sounds more suitable. Thanks.
    – Nagev
    Commented Nov 16, 2017 at 10:56
  • @Nagev You need to read up on the Windows APIs to access the event log. There are examples for this: stackoverflow.com/questions/11219213/… Next, you need to write a service which allows you to read this from a Linux client. A simple REST based service will work (there are tons of examples how to do REST with Python, just google). Just make sure you use some form of encryption for sensitive data (use https:// to access the REST server). Commented Nov 28, 2017 at 12:54
0

Yes. You need git-bash for Windows and an SSH server (I would recommend bitvise sshd; no personal connections, but it's very stable and well-tested).

Once you have done that, you need to put git-bash on the Windows path; then you can use

ssh [email protected] 'bash -c "tail -n 20 -F /c/Users/username/Desktop/logging_file.log"'

More details here: https://stackoverflow.com/a/50936183/4752883
