Configuring the Logging agent to collect the Windows event log
A commonly used input plug-in on Windows systems is the Windows Event Log input plug-in, which gathers events from specific channels. To configure the Logging agent to read, gather, and forward events from this source using the current API from winevt.h, complete the following steps:
Configure the Input plugin
- Edit the input plug-in configuration file input-windows-event-log.conf in C:\Program Files\logs-agent\etc if one was created during the configuration step. If no file exists, create the input-windows-event-log.conf file.
- Create a new INPUT section. Set Channels to the comma-separated list of channels you want to read events from, and set Tag to an identifier that can help with parsing. Do not put spaces after the commas: a channel name may itself contain a space, as Windows PowerShell does, so the whole value is split only on commas.

  [INPUT]
      Name     winevtlog
      Tag      winevtlog.*
      Channels Application,Setup,Windows PowerShell

- Save the configuration file.
Modify the Fluent Bit configuration
Modify the C:\Program Files\logs-agent\etc\fluent-bit.conf file to include a reference to C:\Program Files\logs-agent\etc\input-windows-event-log.conf:

@INCLUDE C:\Program Files\logs-agent\etc\input-windows-event-log.conf

The main configuration file C:\Program Files\logs-agent\etc\fluent-bit.conf imports other files with the directive @INCLUDE <path_to_file>. Add the line only once: including the same file twice defines the same input twice, and every event would then be forwarded twice.
Restart the agent
Restart the agent to apply the changes:

sc.exe stop fluent-bit && sc.exe start fluent-bit

Note that sc.exe stop returns as soon as the stop request is sent, before the service has actually stopped, so the chained start can fail if the service is still shutting down. If that happens, wait for the service to reach the Stopped state and run sc.exe start fluent-bit again, or use Restart-Service fluent-bit from PowerShell, which waits for the stop to complete.
Verify logs are being delivered to your target destination
When the agent is correctly configured, the collected events appear in the default dashboard view.
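The whole procedure above, scripted so it can be re-run safely, as an added example that is not part of the original page or of the agent vendor's tooling. It uses the paths and the service name fluent-bit exactly as the page gives them; the event source name logs-agent-check and the test message are arbitrary choices for the delivery check. It validates the channel names before writing them (the agent cannot subscribe to a channel that does not exist), adds the @INCLUDE line only if it is missing, restarts the service with Restart-Service, and then writes a recognisable test event to the Application channel that you can search for in the destination dashboard. Run it from an elevated PowerShell session: writing under Program Files, restarting the service and registering an event source all require administrator rights.

```powershell
# Added example, not the page's or the vendor's own script. Assumptions: the
# paths and service name from the page; "logs-agent-check" is an arbitrary
# event source used only for the delivery check. Requires an elevated session.

$etc      = 'C:\Program Files\logs-agent\etc'
$inputCfg = Join-Path $etc 'input-windows-event-log.conf'
$mainCfg  = Join-Path $etc 'fluent-bit.conf'
$channels = @('Application', 'Setup', 'Windows PowerShell')

# 1. Validate channel names before writing them into the config. Names are easy
#    to misspell, and the classic "Windows PowerShell" channel is not the same as
#    "Microsoft-Windows-PowerShell/Operational", which carries script block logging.
foreach ($c in $channels) {
    try { $null = Get-WinEvent -ListLog $c -ErrorAction Stop }
    catch { throw "Channel '$c' is not present on this host: $($_.Exception.Message)" }
}

# 2. Write the [INPUT] section. Channels is one comma-separated value; a channel
#    name may itself contain a space, so no spaces are added after the commas.
$inputBody = @"
[INPUT]
    Name     winevtlog
    Tag      winevtlog.*
    Channels $($channels -join ',')
"@
Set-Content -Path $inputCfg -Value $inputBody -Encoding ascii

# 3. Add the @INCLUDE line to fluent-bit.conf only if it is not already there,
#    so re-running this script does not define the input a second time.
$include = "@INCLUDE $inputCfg"
if (-not (Select-String -Path $mainCfg -Pattern $include -SimpleMatch -Quiet)) {
    Add-Content -Path $mainCfg -Value $include
}

# 4. Restart the service. Restart-Service waits for the stop to finish before
#    starting again, which a chained "sc.exe stop && sc.exe start" does not.
Restart-Service -Name 'fluent-bit' -ErrorAction Stop
$svc = Get-Service -Name 'fluent-bit'
if ($svc.Status -ne 'Running') {
    throw "fluent-bit service is $($svc.Status), expected Running"
}

# 5. Raise a recognisable test event in the Application channel. Searching for
#    this message in the destination dashboard confirms end-to-end delivery.
$source = 'logs-agent-check'
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
$marker = "logs-agent delivery check $(Get-Date -Format o)"
Write-EventLog -LogName Application -Source $source -EventId 1000 `
    -EntryType Information -Message $marker

# 6. Confirm the event exists locally. If it is here but never reaches the
#    destination, the fault is in the agent or its output, not in the channel.
$local = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $source } -MaxEvents 1
if (-not ($local.Message -like "*$marker*")) {
    throw 'Test event was not written to the Application channel'
}
Write-Host "Test event written. Search the destination for: $marker"
```

The channel check in step 1 is the part most worth keeping even if you apply the rest by hand: a wrong channel name is the most common reason this input produces nothing, and the Security channel, if you add it, is only readable when the service account holds the right to read it (the default LocalSystem account does).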