Microsoft Windows keeps local logs and events in a service called EventLog (the Windows Event Log). It acts as the local repository for everything the system itself produces, including the operating system, its services, and any application that writes events to it.
Collecting and forwarding data from Windows systems requires an agent that can:
- Collect logs and events from the Windows EventLog
- Collect logs and events that applications write to local files and folders
- Forward the data in real time, in a syslog-compatible format, to an external system
One such agent is nxLog. You can download nxLog (Community Edition) and its documentation at http://nxlog.org/products/nxlog-community-edition/download.
Below is a sample config that collects the Windows Event Log and one application log file, converts each record to BSD syslog format, and sends it over UDP port 514 to Unomaly. Replace unomaly_host with the address of your Unomaly instance and the File path with the log you want to collect; to add a second log file, add another <Input> block with its own name and list that name in the Route's Path. Note that UDP syslog is unencrypted and best-effort: records can be lost on a congested network, and nothing on the sending side will tell you. After restarting the nxlog service, check %ROOT%\data\nxlog.log for configuration or connection errors.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
SuppressRepeatingLogs FALSE

<Extension syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
</Input>

<Input logfile>
    Module im_file
    InputType LineBased
    File 'C:\Path\To\file.log'
    PollInterval 10
    DirCheckInterval 10
    CloseWhenIdle TRUE
</Input>

<Output uout>
    Module om_udp
    Host unomaly_host
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path eventlog, logfile => uout
</Route>
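Before pointing the Host directive at production, it is worth confirming what the agent actually puts on the wire. The following is an added example written for this article, not code from nxLog or Unomaly: a small UDP listener that receives the datagrams produced by to_syslog_bsd() and parses the RFC 3164 (BSD syslog) framing, rejecting anything that does not fit. Run it on a test host, set Host to that host, and you can see the facility, severity, hostname and source tag Unomaly will receive. The sample lines in SAMPLE_LINES are constructed for the example; the host name WIN-SRV01, the process ID and the message texts are assumptions, not real nxlog output.

```python
"""Receive and parse BSD syslog (RFC 3164) as emitted by nxlog's to_syslog_bsd()."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import List, Optional

# nxlog's to_syslog_bsd() produces:  <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MESSAGE
# The [PID] part is only present when the record carries a process ID.
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams (assumed values, not captured from a real nxlog instance).
SAMPLE_LINES: List[str] = [
    "<14>Mar 12 10:00:01 WIN-SRV01 Service_Control_Manager: "
    "The Windows Update service entered the running state.",
    "<11>Mar 12 10:00:05 WIN-SRV01 Microsoft-Windows-Security-Auditing[728]: "
    "An account failed to log on.",
]


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


def parse_bsd_syslog(line: str) -> SyslogMessage:
    """Split one BSD syslog line into its fields; raise ValueError on bad framing."""
    m = _BSD_RE.match(line)
    if not m:
        raise ValueError(f"not BSD syslog framing: {line[:60]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range (max 191)")
    pid = m.group("pid")
    return SyslogMessage(
        facility=FACILITIES[pri >> 3],
        severity=SEVERITIES[pri & 7],
        timestamp=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        pid=int(pid) if pid is not None else None,
        message=m.group("msg"),
    )


def run_listener(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Print every datagram's parsed fields; report (rather than silently drop) bad framing.
    Binding port 514 needs administrator/root rights; use a high port for a quick test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                msg = parse_bsd_syslog(data.decode("utf-8", errors="replace").rstrip("\r\n"))
                print(f"{src} {msg.facility}.{msg.severity} {msg.host} {msg.tag}: {msg.message}")
            except ValueError as exc:
                print(f"{src} REJECTED: {exc}")


if __name__ == "__main__":
    # Self-check on the constructed samples, then listen if a port was given.
    for line in SAMPLE_LINES:
        print(parse_bsd_syslog(line))
    if len(sys.argv) > 1:
        run_listener(port=int(sys.argv[1]))
```

Anything the listener reports as REJECTED would reach Unomaly in the same shape, so a rejection here usually means the output block is not running to_syslog_bsd() or a different output module was used. Keep in mind that this receiver is for verification only; it does no authentication, and neither does the UDP transport.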