12/18/2016

SL4NT, a good Syslog daemon for Windows

Syslog is a standard for logging messages tagged with a severity (often called the priority) and a program source (the facility), followed by a free-form text string. It is very common on Unix/Linux but much less so on Windows, which has no native syslog service. Plenty of devices that do not run Windows speak syslog, and it is useful to be able to "listen" to them when monitoring or debugging. SL4NT is a venerable daemon that installs a native Windows Service providing syslog collection on many versions of Windows, with a Control Panel applet or a Microsoft Management Console (MMC) snap-in for starting, stopping and configuring it. It is available as freeware or as fully supported commercial software, with price breaks for volume and site licenses.

The freeware version, 0.3, covers only the basics but is quite useful.


It comes as two binaries:

SL4NT.CPL - the Control Panel applet
SL4NT.EXE - the service installer and remover

The full (commercial) version comes with an MMC snap-in and an InstallShield installer. There is a 60-day trial period, after which you need to purchase a single, volume or site license.

It is reasonably feature-rich and works on everything from NT up through Windows 7 (as far as I have tested) and reportedly through Windows Server 2012 R2. Apply the SL4NT service pack to run on Windows Vista, Windows 7, Server 2008, 2012 or 2012 R2; without it the MMC snap-in cannot start and stop the service. Installing the patch is a manual affair: stop the daemon, then copy the patch files over the installed files in the install bin directory.


You create Actions on the Action tab of the Properties editor, reached by right-clicking a server in the MMC console.



Then edit Rules on the Rules tab to filter syslog messages and apply Actions to the ones that match.



Other tabs allow you to:
  • specify the log format
  • specify which ports and protocols (UDP/TCP) to listen on
  • specify SMTP server settings for notification Actions
  • specify Viewer options, which host a Telnet service on a port of your choosing: you telnet to that port, use a small command-line language to choose a channel to "listen" to, and watch syslog messages scroll by in your Telnet session (this works from Windows or Unix/Linux clients). Telnet is plain text, so restrict the viewer port to administrative hosts at the firewall.
  • specify Other: Event Log capture options for syslog messages by priority
An optional command-line tool, CLSyslog (the executable is clstest.exe), can be downloaded separately and run from a CMD prompt to send a message to a syslog server and test the service. It prints usage instructions when given insufficient arguments.

CLSyslog is actually part of a larger free kit for adding syslog capabilities to your own Windows programs with as little ceremony as possible: a simple header file, two very small dynamic libraries (DLLs) and the C source code of the CLSyslog test program.
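To show what a test client like clstest.exe has to do on the wire, here is an added Python example (not CLSyslog or any SL4NT code): it encodes a facility and severity into the PRI field, builds a BSD-style (RFC 3164) syslog line, hands it to UDP, and parses the PRI back out of a received line the way a collector or Viewer must. The target 127.0.0.1:514, the host name "testhost" and the tag "clstest" are assumptions; the sample received line in the usage is constructed.

```python
"""Minimal syslog test client in the spirit of CLSyslog (added example)."""
import socket
import time

# Standard facility and severity codes (RFC 3164 / RFC 5424), not SL4NT-specific.
# The PRI field carries both: PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
MAX_UDP_PAYLOAD = 1024  # RFC 3164 upper bound for one datagram


def encode_pri(facility, severity):
    """Combine facility and severity names into the numeric PRI (0..191)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a numeric PRI back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    fac_num, sev_num = divmod(pri, 8)
    fac = next((n for n, v in FACILITIES.items() if v == fac_num),
               "facility%d" % fac_num)  # codes 12..15 have no standard name
    sev = next(n for n, v in SEVERITIES.items() if v == sev_num)
    return fac, sev


def build_message(facility, severity, tag, text, hostname="testhost", when=None):
    """Build one BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: TEXT.

    CR and LF in TEXT are replaced by spaces so that a sender cannot smuggle
    extra lines into a line-oriented log file or Viewer channel (log injection).
    """
    when = when or time.localtime()
    # RFC 3164 timestamp: month name, space-padded day, 24-hour time.
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[when.tm_mon - 1], when.tm_mday,
                                       when.tm_hour, when.tm_min, when.tm_sec)
    clean = text.replace("\r", " ").replace("\n", " ")
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), stamp,
                                 hostname, tag, clean)


def parse_message(line):
    """Pull PRI, facility and severity out of a received BSD syslog line."""
    if not line.startswith("<"):
        raise ValueError("missing PRI field")
    end = line.index(">", 1, 5)  # PRI is 1 to 3 digits, so '>' sits at index 2..4
    fac, sev = decode_pri(int(line[1:end]))
    return {"facility": fac, "severity": sev, "body": line[end + 1:]}


def send_udp(line, host="127.0.0.1", port=514):
    """Hand one datagram to the UDP stack and return the byte count.

    UDP is best effort: a successful return proves the packet left this host,
    not that the collector received it, and a firewall that drops it will not
    tell the sender anything.
    """
    data = line.encode("utf-8")[:MAX_UDP_PAYLOAD]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))


if __name__ == "__main__":
    # Assumed target: SL4NT on this machine, listening on the default UDP port 514.
    line = build_message("local0", "info", "clstest", "SL4NT test message")
    print("sending:", line)
    print("bytes handed to UDP:", send_udp(line))
    # A constructed line as a collector would receive it from a rebooted device:
    print(parse_message("<13>Dec 18 10:05:09 router1 link: Cold Start"))
```

Run it on the SL4NT host first, then from another machine with the target host changed; the second run is the one that exercises the Windows Firewall. Because the send returns the same byte count whether or not anything listens, check delivery in a Viewer channel or the log file, never from the sender's exit status.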

The author appears to be based in Austria, and licensing is handled automatically through an online commerce provider.


The organization and presentation of the suite is quite good. The help documents are finely tuned and accurate, and the English descriptions and UI cues are unusually good.

I believe the package has been around for more than 20 years and has been kept up to date. It follows Microsoft's user interface guidelines to the letter.

Some may find the name SL4NT a little old and the user interface time-honored or even dated, but familiarity breeds confidence and reliability. Experience brings stability and makes the programs a joy to use.

The only thing I would change is the familiar "spreadsheet" browser interface that too many filter viewers tack on for digging through logs; that really belongs in a separate tool rather than being jammed into the one dedicated to providing the service.

It is also notable that, as an MMC snap-in, the same console can manage multiple syslog servers across your network, for redundancy or to spread the collection load across more machines. Ethernet bandwidth still has limits, and since UDP syslog drops whatever it cannot deliver, spreading the load occasionally gives a more complete logging cluster.

One thing I found unintuitive was how to use the live Viewer in a Telnet window: you need to declare an Action on the Action tab, then add that Action to a Rule on the Rules tab, which filters syslog messages and decides which Actions apply. A message can be pushed to both a Viewer channel and a log at the same time. Once I had done this, I telnetted to the viewer port over TCP, typed +#<channel number> (here +#1) to attach my Telnet "Viewer" to the live channel, and used the CLSyslog command-line program to send my localhost a message with a given priority and facility and a test string. I should mention that the Viewer presentation of the syslog fields is also customizable, so as many or as few of the available fields as desired can be shown in a channel; the screenshot is merely the default layout for a Viewer channel.


And do not forget to adjust the Windows Firewall to allow inbound UDP 514 (and the TCP port, if you enabled a TCP listener) if you point syslog clients at your Windows desktop or server; add an inbound rule scoped to the sending hosts rather than disabling the firewall. This cost me a bit of time: the CLSyslog test worked from the Windows machine running SL4NT itself, and I forgot that the Windows Firewall silently discards traffic from outside. Since syslog uses UDP by default, delivery is "best effort" and lost traffic is never reported as a failure on the client side.

Usually, if all is configured correctly, the client will forward some sort of Cold Start or Warm Start message when rebooted. Also remember that the log format for file logs and the Viewer channel presentation are independently customizable, and not every syslog field appears in each default format; tailor them however you wish.