The Syslog Server for Windows

Centralize, filter, forward and archive syslog messages from every device on your network — on the Windows server you already run.

Syslog Watcher is the actively-developed Windows syslog server trusted by 23,000+ sysadmins in 89 countries. Set up in five minutes. Meet PCI, HIPAA, SOX and GDPR retention requirements. Slash your SIEM ingest bill by filtering at the source.

  • Windows 7–11
  • Windows Server 2012–2025
  • Full features for 30 days

[Screenshot: Syslog Watcher Manager running on Windows. Server status panel shows Enterprise License with 250 originators and 5,000,000 messages/hour, 309,127 messages received on UDP/514, 0% buffer utilization, Storage Writer active, and File Forwarder mirroring 378,648 messages to a file share.]

23,000+ sysadmins · 89 countries · 19 years on market · 24 resellers worldwide

Built for Windows sysadmins, top to bottom

Everything you need to centralize syslog without standing up a Linux box, a Docker host, or a cloud bill.

High-performance receiver

Multithreaded UDP, TCP and TLS receivers backed by a SQLite-tuned store: 35,000+ writes/sec and 250,000+ reads/sec — plenty of headroom for production traffic.

Filter at the source

Granular rule engine to drop, route, transform or alert on messages before they hit your SIEM. Pay only for the logs you keep.

Forward to any SIEM

Splunk, Sentinel, Elastic, Graylog, QRadar, Datadog — over UDP, TCP, TLS. One Windows server, all your destinations.

Compliance-ready archive

Encrypted-at-rest archive with retention policies for PCI DSS, HIPAA, SOX and GDPR.

Alerts & reports

Trigger email alerts on complex filter rules using patterns, severity levels, originators, and message fields. Built-in syslog reports for analysis and audits.

Lightning-fast search

Indexed full-text search across millions of messages to find a needle in 90 days of logs.

Works with everything you already run

If it speaks syslog, Syslog Watcher receives it. Out of the box.

Network gear

Cisco · Fortinet · Palo Alto · SonicWall · Meraki · Ubiquiti · MikroTik · Sophos · Juniper · Aruba · Extreme

Servers & endpoints

Linux syslog/journald · Windows Event Log · ESXi · VMware vCenter · Proxmox · TrueNAS · Synology · QNAP

Forwards to

Splunk · Microsoft Sentinel · Elastic / ELK · Graylog · Datadog · Sumo Logic · QRadar · Generic UDP / TCP / TLS

Runs on

Windows 7, 8, 10, 11 · Windows Server 2012, 2016, 2019, 2022, 2025 · Bare-metal, VM, or cloud Windows instance

Why teams switch to Syslog Watcher

A snapshot of how Syslog Watcher compares to common alternatives.

| Capability | Syslog Watcher | Free / Legacy Alternatives | Cloud SIEM (per-GB ingest) |
|---|---|---|---|
| Built for Windows | Yes | Varies | Cloud-only |
| Active development | Yes — 19 years & counting | Limited | Yes |
| Modern UI | Yes | Dated | Yes |
| Filter before forwarding | Granular rule engine | Basic | After ingest (you pay first) |
| Syslog over TLS | Yes | Limited | Yes |
| PCI / HIPAA / SOX / GDPR archive | Encrypted | No | Yes (at cloud price) |
| Alerts & reports | Built in | Basic | Yes |
| Licensing model | Perpetual with 1, 3 or 5-yr Maintenance | Free, but you build it | Per-GB ingest pricing |
| Data stays on your network | Yes | Yes | No |

Straightforward pricing

Perpetual license plus your choice of 1, 3 or 5 years of maintenance (updates & technical support). No subscription. 30-day money-back guarantee.

Professional

USD 245 + 1 yr maintenance

For small IT teams and single-admin shops.

  • 50 syslog originators
  • 500,000 messages / hour
  • All features (TLS, archive, SIEM forwarding)
  • 1 year of updates & technical support
  • SKU: SW-PRO-1

Enterprise (most popular)

USD 385 + 1 yr maintenance

For mid-sized environments and growing MSPs.

  • 250 syslog originators
  • 5,000,000 messages / hour
  • All features (TLS, archive, SIEM forwarding)
  • 1 year of updates & technical support
  • SKU: SW-ENT-1

Ultimate

USD 585 + 1 yr maintenance

For large environments and datacenters.

  • Unlimited syslog originators
  • Unlimited messages / hour
  • All features (TLS, archive, SIEM forwarding)
  • 1 year of updates & technical support
  • SKU: SW-ULT-1

Multi-year maintenance is discounted: Professional 3 yr $495 / 5 yr $735  ·  Enterprise 3 yr $775 / 5 yr $1,155  ·  Ultimate 3 yr $1,175 / 5 yr $1,755.

30-day money-back guarantee. Non-profit, volume and MSP pricing on request — email sales@ezfive.com. Secure checkout by PayPro Global.

What customers say

Syslog Watcher is a great product and it's a pleasure to work with a company that is so responsive.

Peter
Aerospace Engineering Firm

The support I received for my question was really EXCELLENT… period! I was also impressed by the quality of the service provided.

Roger O.
Nestlé

It works beautifully, perfect for what I'm using it for. Uncluttered and well laid out, took me almost no time to figure out how to set up & use.

Francis
Tech Cafe

Common questions

The trial is the full-featured product — no feature gates, no source limits, no credit card. Install it on any supported Windows host and start collecting syslog from your devices immediately. If you decide to buy after the trial, every paid license also comes with a 30-day money-back guarantee, so the total risk-free evaluation window is up to 60 days.

Three tiers, sold as a perpetual license plus 1, 3 or 5 years of maintenance (updates & support):
  • Professional — $245 (1 yr maintenance) · 50 syslog originators · 500,000 messages/hour
  • Enterprise — $385 (1 yr maintenance) · 250 originators · 5,000,000 messages/hour
  • Ultimate — $585 (1 yr maintenance) · unlimited originators · unlimited messages/hour
Multi-year maintenance is discounted (e.g. Professional 5 yr = $735). Non-profit, volume and MSP pricing is available — email sales@ezfive.com. Payments are processed securely through PayPro Global.

Perpetual. You buy the license once and keep using it indefinitely. The maintenance window (1, 3 or 5 years) gives you free version upgrades and technical support; after it expires, the product keeps running on the last version you installed. You can renew or extend maintenance at any time by emailing sales@ezfive.com.

A syslog originator is any device or service that sends messages to Syslog Watcher — a firewall, switch, router, server, ESXi host, access point or appliance. One device equals one originator regardless of how many messages it produces. Count your active originators, add headroom for growth, and pick the closest tier. You can upgrade later without losing collected data.

Windows Server: 2012, 2016, 2019, 2022, 2025.
Windows client: 7, 8, 10, 11.
Runs equally well on bare metal, a Hyper-V / VMware / Proxmox virtual machine, or a cloud Windows instance on AWS, Azure or GCP.

All of the standards your devices speak:
  • Syslog over UDP — RFC 5426
  • Reliable syslog over TCP — RFC 6587
  • Secure syslog over TLS — RFC 5425
  • BSD format (RFC 3164) and modern IETF format (RFC 5424)
  • CEF (Common Event Format) for SIEM interoperability
  • UTF-8 and non-ASCII encodings, IPv4 and IPv6, unlimited listening addresses
Vendor-specific message formats are handled by customizable regex parsers and Knowledge Base files.

Yes — to any combination, simultaneously. Forward via UDP, TCP or TLS to as many destinations as you need. Apply filters so each SIEM only receives the subset of messages it actually needs — the easiest way to cut a per-GB SIEM ingest bill. You can also export to SQL/NoSQL databases via ODBC, or to CSV, XML and JSON files for analytics pipelines.

Yes — centralized logging for compliance is a primary use case. Syslog Watcher provides a tamper-resistant syslog archive that is compressed, optionally encrypted, with daily incremental sync. Compression typically stores 10× more messages in the same disk space. Combined with TLS-encrypted collection (RFC 5425) and configurable retention policies, this satisfies the centralized-logging controls in PCI DSS, HIPAA, SOX, GDPR and CCPA.

Storage is built on the SQLite engine, tuned for syslog workloads: 35,000+ writes/sec and 250,000+ sequential reads/sec. Maximum storage size is limited only by your disk. You can cap storage by size or by retention period (days), and messages are pre-indexed by originator and severity so search stays fast even with millions of records.

About five minutes. Download the installer, run it on your Windows host, and point your devices at the Syslog Watcher server on UDP 514 (or TLS 6514). Most teams have a working setup — including a compliance archive — within an hour. The step-by-step install guide walks through a typical deployment.

Your data stays on your Windows server. Syslog Watcher is on-premises software — collected logs never leave your network unless you explicitly configure forwarding or a cloud archive destination. The local SQLite storage lives on the disk you choose; the optional encrypted archive can be on a local disk, a network share, or cloud storage.

Support: email support@ezfive.com, open a ticket at support.ezfive.com, or consult the full User Guide. Technical support is included with active maintenance.

Try Syslog Watcher free for 30 days

Full features. No credit card. Installs in five minutes on Windows 7–11 or Server 2012–2025.

Trusted by 23,000+ sysadmins in 89 countries · 19 years on the market