To export log events from Windows machines/servers, we use a third-party software called "Nxlog".
A. Types of Windows events
Windows servers have two types of log events:
Type 1: Windows Native Events
Type 2: Windows-based Application Events
Type 1: Windows Native Events -
For these, we can use either of the event collection methods (B. Method 1 or B. Method 2 below) to collect the events. Examples: OS events, Audit events (Enable Audit Logs) and USB events.
Driver Framework events like USB events, CD Drive events etc. (How to Enable Driver Framework events from windows).
Type 2: Windows-based Application Events -
For application log events, we have to use event collection Method 1 (B. Method 1), which is to run the Nxlog agent on the server itself to read the logs from their specific location and export them to the CCEs. Examples: MSSQL, DNS, DHCP, IIS, MS Exchange and SMTP.
B. Methods of Event Collection from Windows -
There are two methods of event collection from Windows servers, depending on the type of log events the server generates:
- Nxlog Agent configured on the same server
- Nxlog Agent configured on a collector setup
Both methods are described below:
Method 1: Nxlog Agent configured on the same server:
In this case, the Nxlog configuration is done on the same server from which the log events are forwarded. For the Nxlog configuration of:
- Application log events from MSSQL: please use the instructions in the link below:
Configuring logs from Windows MSSQL server
- Application log events from DNS: please use the instructions in the link below:
Configure Logs from Windows DNS server
- Application log events from DHCP: please use the instructions in the link below:
Configuring DHCP logs from DHCP server using Nxlogs
- Application log events from IIS: please use the instructions in the link below:
Configuring logs from Windows IIS server
- Application log events from MS Exchange: please use the instructions in the link below:
Nxlog configuration for MS Exchange server
- Application log events from SMTP: please use the instructions in the link below:
...
Note: In certain scenarios, if the partner/customer can mount the application log events location onto the collector or any other centralized location, then either event collection option can be used.
Method 2: Windows Collector (Windows Event Subscriptions with Nxlog configured on Collector setup)
This method requires the steps below:
Step 1 - Collector Machine Setup: set up the Windows Collector:
The Windows Collector machine will be one small VM, with the configuration below:
- Compute Power: Windows 2012 Server - 2 GHz or faster.
- Minimum Memory DRAM: 2 GB
- Minimum Disk: 40 GB
- Network Interface: 1 GigE
Step 2 - Create subscriptions on the Windows Collector:
Once the Windows Collector VM is up and running, subscriptions can be added to it for all the Windows machines in the same domain from which we have to get the logs forwarded. For subscriptions, please refer to the instructions in the link:
Event collection at windows collector computer
Step 3 - Forward events from source computers to the Windows Collector:
To enable events to be forwarded from the remote computers to the collector computer, the steps that need to be performed are in the link:
Event forwarding from Source Windows Computers
Step 4 - Forward events from the Windows Collector to CCE using Nxlog configuration:
Once the events are forwarded from the remote computers to the collector computer, we need to configure Nxlog on the collector computer to in turn forward the collected events to our CCE. To configure this, please refer to:
...
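As an added illustration of what Step 4 looks like (this is not the page's own configuration, nor a file from the Nxlog project), an Nxlog Community Edition config for the Windows Collector: it reads the ForwardedEvents channel, where the Windows Event Forwarding subscriptions from Steps 2 and 3 deliver the source computers' events, and ships them as JSON over TLS to the CCE. The CCE hostname and port, the certificate file names and the install path are assumed placeholders to be replaced.

```nxlog
## Added example: Nxlog (Community Edition) config for the Windows Collector.
## Placeholders to replace: CCE_HOSTNAME, port 6514, the install path and cert files.
Panic Soft
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

# Events that source computers push via WEF subscriptions land in the
# ForwardedEvents channel on the collector, not in its own Security/System logs.
<Input forwarded>
    Module       im_msvistalog
    ReadFromLast TRUE
    SavePos      TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Serialise every parsed field (EventID, Channel, Hostname of the original
    # source computer, etc.) into one JSON record per event.
    Exec to_json();
</Input>

# TLS to the CCE so event data is not readable on the wire. AllowUntrusted FALSE
# makes nxlog verify the CCE certificate against CAFile instead of accepting any.
<Output cce>
    Module         om_ssl
    Host           CCE_HOSTNAME
    Port           6514
    CAFile         %CERTDIR%\cce-ca.pem
    CertFile       %CERTDIR%\collector-cert.pem
    CertKeyFile    %CERTDIR%\collector-key.pem
    AllowUntrusted FALSE
</Output>

<Route forwarded_to_cce>
    Path forwarded => cce
</Route>
```

After starting the nxlog service, check %ROOT%\data\nxlog.log: a certificate verification error there means CAFile does not match the CCE's chain and should be fixed on the certificate side rather than by setting AllowUntrusted to TRUE.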