IBM Cloud Docs
Configuring the Logging agent to collect the Windows event log


A commonly used input plug-in on Windows systems is the Windows Event Log input plug-in, which gathers events from specific channels. To configure the Logging agent to read, gather, and forward events from this source using the current API from winevt.h, complete the following steps:

Configure the Input plugin

  1. Edit the input plug-in configuration file input-windows-event-log.conf in C:\Program Files\logs-agent\etc if one was created during the configuration step. If no file exists, create the input-windows-event-log.conf file.

  2. Create a new INPUT section.

    Set the Channels with the channels you want to read events from.

    Set the Tag with an identifier that can help with parsing.

    [INPUT]
        Name         winevtlog
        Tag          winevtlog.*
        Channels     Application,Setup,Windows PowerShell
    
  3. Save the configuration file.

Modify the fluentbit configuration

Modify the C:\Program Files\logs-agent\etc\fluent-bit.conf file to include the reference to the C:\Program Files\logs-agent\etc\input-windows-event-log.conf.

@INCLUDE C:\Program Files\logs-agent\etc\input-windows-event-log.conf

The main configuration file C:\Program Files\logs-agent\etc\fluent-bit.conf imports other files with the tag @INCLUDE <path_to_file>.

Restart the agent

Restart the agent to apply the changes.

sc.exe stop fluent-bit && sc.exe start fluent-bit
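The three steps above (write the input file, reference it from fluent-bit.conf, restart the agent) as one PowerShell script. This is an added example, not code from the IBM Cloud docs; it assumes the paths, channel names and service name shown on this page, and adds two checks a practitioner would want: that each channel actually exists on the host before the agent is pointed at it, and that the @INCLUDE line is not duplicated when the script is run again.

```powershell
# Added example, not part of the IBM Cloud docs page. Paths, channels and the
# service name come from the documentation; the pre-checks are this script's own.
$etc      = 'C:\Program Files\logs-agent\etc'
$inputCfg = Join-Path $etc 'input-windows-event-log.conf'
$mainCfg  = Join-Path $etc 'fluent-bit.conf'
$channels = @('Application', 'Setup', 'Windows PowerShell')

# 1. Verify every channel exists. A misspelt channel name does not fail loudly;
#    it simply produces no events, which looks like a collection gap later on.
foreach ($ch in $channels) {
    if (-not (Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue)) {
        throw "Event log channel '$ch' not found on this host"
    }
}

# 2. Write the [INPUT] section exactly as documented (ASCII avoids a BOM that
#    the agent's parser would not expect at the start of the file).
$inputBlock = @"
[INPUT]
    Name         winevtlog
    Tag          winevtlog.*
    Channels     $($channels -join ',')
"@
Set-Content -Path $inputCfg -Value $inputBlock -Encoding ASCII

# 3. Reference the input file from fluent-bit.conf, but only once: a second
#    @INCLUDE of the same file would register the input twice.
$include = "@INCLUDE $inputCfg"
if (-not (Select-String -Path $mainCfg -SimpleMatch -Pattern $include -Quiet)) {
    Add-Content -Path $mainCfg -Value $include
}

# 4. Restart the agent and wait until the service reports Running.
Restart-Service -Name 'fluent-bit'
$svc = Get-Service -Name 'fluent-bit'
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Write-Host "fluent-bit is $($svc.Status); collecting: $($channels -join ', ')"
```

Run it from an elevated PowerShell session, since both the configuration directory under Program Files and the service restart require administrator rights.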

Verify logs are being delivered to your target destination

Complete the following steps:

  1. Go to the web UI for your IBM Cloud Logs instance.

  2. When your agent is correctly configured, you can see logs through the default dashboard view.