# Windows Event Forwarding to Linux server using Nxlog

## Introduction

Windows Event Forwarding (WEF) allows the collection of event logs from multiple Windows machines and their forwarding to a centralized server. Using Nxlog, you can send these logs to a Linux server for storage and analysis. This documentation provides a step-by-step guide to setting up Windows Event Forwarding with Nxlog, sending the logs over syslog to a Linux server running Rsyslog.

## Prerequisites

- **Windows Server or Workstation**: the machine that will send logs.
- **Linux Server**: the machine that will receive logs.
- **Nxlog**: download the latest version of Nxlog for Windows from Nxlog's official website.
- **Network Connectivity**: ensure both machines can communicate over the network (the setup below sends UDP port 514 traffic from the Windows machine to the Linux server).
- **Rsyslog**: install the latest version of Rsyslog available for the Linux server or workstation.

## Installing Nxlog on Windows

1. **Download Nxlog**: obtain the Nxlog Community Edition installer from the official website.
2. **Install Nxlog**: run the installer and follow the prompts to complete the installation.
3. **Start Nxlog Service**: start the Nxlog service using the Services management console or from the command line:

   ```
   net start nxlog
   ```

## Configuring Nxlog on Windows

1. **Open Configuration File**: edit the Nxlog configuration file located at `C:\Program Files\nxlog\conf\nxlog.conf`.
2. **Configure File**: add the following blocks to capture Windows Event Logs and send them to the Linux server (replace `192.168.20.24` with the address of your Rsyslog host):

   ```
   # Syslog extension: provides the to_syslog_ietf() procedure used by the output below
   <Extension syslog>
       Module      xm_syslog
   </Extension>

   # Input module: read events from the Windows Event Log
   <Input eventlog>
       Module      im_msvistalog
       # Forward only events written after Nxlog starts; remove to send the existing backlog too
       ReadFromLast True
   </Input>

   # Output module: send each event as an RFC 5424 syslog message over UDP
   <Output out>
       Module      om_udp
       Host        192.168.20.24
       Port        514
       # Wrap the event in a syslog header (PRI, timestamp, hostname, source, structured data).
       # to_syslog_ietf() builds the message; parse_syslog_ietf() would instead try to parse
       # the event text as incoming syslog, which is not what an output needs.
       Exec        to_syslog_ietf();
   </Output>

   # Route: connect the input to the output
   <Route 1>
       Path        eventlog => out
   </Route>
   ```

## Installing Rsyslog on Linux

1. **Install Rsyslog**: for Ubuntu, run:

   ```
   sudo apt update
   sudo apt install rsyslog
   ```

2. **Enable Rsyslog**: ensure Rsyslog is enabled and started:

   ```
   sudo systemctl enable rsyslog
   sudo systemctl start rsyslog
   ```

## Configuring Rsyslog on Linux

1. **Open Configuration File**: edit `/etc/rsyslog.conf` or create a new config file in `/etc/rsyslog.d/`.
2. **Configure Rsyslog to Listen for UDP**:

   ```
   module(load="imudp")            # Load UDP listener
   input(type="imudp" port="514")  # Listen on UDP port 514
   ```

3. **Define Output File**: specify where to store the incoming logs:

   ```
   *.* /var/log/windows_events.log
   ```

   The `*.*` selector matches every facility and severity, so messages from the local system are written to this file alongside the forwarded Windows events.

4. **Save and Exit**: save the configuration file and restart Rsyslog:

   ```
   sudo systemctl restart rsyslog
   ```

## Firewall Configuration

### Windows Firewall

1. **Open Windows Defender Firewall**: go to Control Panel > System and Security > Windows Defender Firewall.
2. **Allow Port 514**:
   - In the left pane, click **Advanced settings**.
   - Select **Inbound Rules** and click **New Rule**.
   - Choose **Port**, then click **Next**.
   - Select **UDP** and enter `514` in the **Specific local ports** field.
   - Allow the connection and complete the rule setup.
### Firewalld Configuration on Linux

1. **Open Port 514 for UDP**:

   ```
   sudo firewall-cmd --permanent --add-port=514/udp
   ```

2. **Reload Firewalld**:

   ```
   sudo firewall-cmd --reload
   ```

3. **Verify Open Ports**:

   ```
   sudo firewall-cmd --list-all
   ```

## Verifying Event Forwarding

1. **Check Nxlog Status on Windows**: verify that the configuration file parses without errors:

   ```
   nxlog -v
   ```

2. **Monitor Logs on Linux**: use the following command to view the log file:

   ```
   tail -f /var/log/windows_events.log
   ```

3. **Review Rsyslog Logs**: if issues arise, check the Rsyslog logs located at `/var/log/syslog` or `/var/log/messages`.
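Beyond watching `tail -f`, it helps to confirm that the forwarded lines are well-formed and that the Windows fields (channel, Event ID, user) survived the trip. The following Python script is an added example written for this guide; it is not code from the NXLog or Rsyslog projects. It parses RFC 5424 syslog lines of the shape `to_syslog_ietf()` emits, with NXLog's structured-data block `NXLOG@14506`, and counts events per channel and Event ID. It assumes Rsyslog stores the messages verbatim, which requires the file action to use the built-in `RSYSLOG_SyslogProtocol23Format` template; with the default traditional file format only the message text is kept and the structured-data block is dropped. The sample lines, field names and values are constructed for the example, not captured from a real system.

```python
"""Parse forwarded Windows events from an RFC 5424 syslog file.

Added example for this guide; not NXLog or Rsyslog project code.
Assumes NXLog's to_syslog_ietf() output stored verbatim by Rsyslog
(omfile template RSYSLOG_SyslogProtocol23Format). All sample lines
below are constructed.
"""
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP rest
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# PARAM-NAME="PARAM-VALUE"; values may contain backslash-escaped ", \ and ]
SD_PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# SD-ID NXLog uses for Windows event fields (assumption for this example)
NXLOG_SD_ID = "NXLOG@14506"


def _split_sd_elements(rest):
    """Walk the leading '[...][...]' elements; return (elements, remaining MSG)."""
    elements, pos = [], 0
    while pos < len(rest) and rest[pos] == "[":
        end = pos + 1
        while True:
            end = rest.find("]", end)
            if end == -1:
                raise ValueError("unterminated SD-ELEMENT")
            n = 0  # a ']' preceded by an odd number of backslashes is escaped
            while end - 1 - n >= 0 and rest[end - 1 - n] == "\\":
                n += 1
            if n % 2 == 0:
                break
            end += 1
        elements.append(rest[pos + 1:end])
        pos = end + 1
    return elements, rest[pos:].lstrip(" ")


def _unescape(value):
    """Undo RFC 5424 PARAM-VALUE escaping of '"', '\\' and ']'."""
    return re.sub(r'\\(["\\\]])', r"\1", value)


def parse_structured_data(rest):
    """Return ({sd_id: {name: value}}, msg); '-' means no structured data."""
    if rest == "-" or rest.startswith("- "):
        return {}, rest[1:].lstrip(" ")
    if not rest.startswith("["):
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    elements, msg = _split_sd_elements(rest)
    sd = {}
    for element in elements:
        sd_id, _, params = element.partition(" ")
        sd[sd_id] = {name: _unescape(val) for name, val in SD_PARAM_RE.findall(params)}
    return sd, msg


def parse_line(line):
    """Parse one RFC 5424 line into a dict; raise ValueError if malformed."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23 and severity 0..7 give at most 23*8+7
        raise ValueError("PRI out of range: %d" % pri)
    sd, msg = parse_structured_data(m["rest"])
    return {"facility": pri >> 3, "severity": SEVERITY_NAMES[pri & 7],
            "timestamp": m["timestamp"], "hostname": m["hostname"], "app": m["app"],
            "procid": m["procid"], "sd": sd, "msg": msg}


def windows_event(line):
    """Pull the Windows-specific fields out of NXLog's structured-data block."""
    ev = parse_line(line)
    nx = ev["sd"].get(NXLOG_SD_ID, {})
    return {"host": ev["hostname"], "severity": ev["severity"], "channel": nx.get("Channel"),
            "event_id": nx.get("EventID"), "user": nx.get("TargetUserName"), "msg": ev["msg"]}


def summarize(lines):
    """Count events per (Channel, EventID); skip blank lines, count malformed ones."""
    counts, bad = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = windows_event(line)
        except ValueError:
            bad += 1
            continue
        counts[(ev["channel"], ev["event_id"])] += 1
    return counts, bad


SAMPLE_LINES = [  # constructed samples, not captured output
    '<14>1 2024-05-02T10:15:30.123456+02:00 WIN-WS01 Microsoft-Windows-Security-Auditing 712 - '
    '[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="4624" Channel="Security" '
    'TargetUserName="alice" LogonType="2"] An account was successfully logged on.',
    '<12>1 2024-05-02T10:16:02.000000+02:00 WIN-WS01 Microsoft-Windows-Security-Auditing 712 - '
    '[NXLOG@14506 EventType="AUDIT_FAILURE" EventID="4625" Channel="Security" '
    'TargetUserName="bob" Comment="Source=\\"WEF\\" [test\\]"] An account failed to log on.',
    '<14>1 2024-05-02T10:17:45.500000+02:00 WIN-WS01 Service_Control_Manager - - - '
    'The Windows Update service entered the running state.',
    '<14>1 2024-05-02T10:18',  # truncated line, as seen when tailing a file mid-write
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            counts, bad = summarize(fh)
    else:
        counts, bad = summarize(SAMPLE_LINES)
    for (channel, event_id), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{channel or '-':<12} {event_id or '-':<6} {n}")
    print(f"malformed lines skipped: {bad}")
```

Run it as `python3 parse_wef.py /var/log/windows_events.log` on the Linux server; without an argument it runs over the constructed samples. A rising count of malformed lines, or events whose channel and Event ID come back empty, usually means Rsyslog is writing the traditional file format rather than the full RFC 5424 line.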