Logging from Windows Server systems
Use the IBM® Log Analysis service to monitor and manage logs from Windows server systems.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
You will use NXLog to add your Windows logs into IBM Log Analysis.
To configure NXLog, you must enable a port to send logs via syslog to your logging instance. If you are using (a) the classic syslog protocol, (b) a custom port in syslog-ng, or (c) a custom port in rsyslog, there is no authentication available and anyone with knowledge of the endpoint can submit logs to your instance. As a result, depending on your environment, your use of the classic syslog protocol or custom port configurations with syslog-ng or rsyslog may present a significant security risk. Use these configurations at your organization's own risk. Validate with your compliance and security teams whether this security risk is acceptable to your organization.
NXLog is used to provide log files to IBM® Log Analysis. By default, NXLog monitors log files in the `C:\ProgramData\logs` directory.
On the IBM Cloud, configure a Windows server to forward logs to an IBM Log Analysis instance by completing the following steps:
- Provision an instance of the IBM Log Analysis service.
- Configure NXLog on the Windows server.
- Optionally, add additional directories to be monitored by the agent.
In this tutorial, you will learn how to configure a Windows server to forward logs to an IBM Log Analysis instance.
This tutorial assumes you have an existing Windows server. See Logging with Windows VPC server instances for a tutorial on configuring with a VPC.
Before you begin
Before you begin, make sure you have an IBM Log Analysis instance configured.
Make sure you have an ID with the proper permissions
Use a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to: Registration.
Your IBMid must have IAM policies assigned for each of the following resources. For example, to work in the us-south region and in the Default resource group, you need the following permissions:
Resource | Scope of the access policy | Role | Region | Information |
---|---|---|---|---|
Resource group Default | Resource group | Viewer | us-south | This policy is required to allow the user to see service instances in the Default resource group. |
IBM Log Analysis service | Resource group | Editor | us-south | This policy is required to allow the user to provision and administer the IBM Log Analysis service in the Default resource group. |
Provision an IBM Log Analysis instance
To provision a service instance of IBM Log Analysis through the IBM Cloud console, see Provisioning an instance.
Install NXLog
Follow these steps to install NXLog.
You will need to run as a Windows Administrator for all command prompt or PowerShell steps.
- The Chocolatey package manager is used to install NXLog. Run one of the following if you do not have the package manager already installed.

  From a Windows command prompt (`cmd.exe`):

  ```bat
  powershell -command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
  ```

  From a PowerShell prompt:

  ```powershell
  Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
  ```

- Run the following command in PowerShell to install NXLog Community Edition.

  ```powershell
  choco install -y nxlog
  ```
Configure NXLog
- Provision a syslog port for NXLog.

  To get the required port value, do the following:

  - Access the IBM Log Analysis UI.
  - Click the question mark icon to access the installation instructions.
  - Click NXLog.
  - The syslog port you need to provision in Windows will be displayed. For example, `syslog-a.us-south.logging.cloud.ibm.com:63980`.

  Then, in Windows, do the following:

  - From the Control Panel access System and Security > Windows Defender Firewall.
  - Click Advanced settings.
  - Click Inbound Rules.
  - Click New Rule.
  - Select Port.
  - Click Next.
  - For Specific local ports: enter `63980`.
  - Click Next.
  - Select Allow the connection.
  - Click Next.
  - Select where the rule should apply.
  - Click Next.
  - Name the rule. For example, `syslog-a.us-south.logging.cloud.ibm.com:63980`.
  - Click Finish.
- Create your `nxlog.conf` file.

  - Get the provided `nxlog.conf` file:
    - Access the IBM Log Analysis UI.
    - Click the question mark icon to access the installation instructions.
    - Click NXLog.
    - Click Download the file to download a copy of the provided `nxlog.conf` file.

  - Customize the `nxlog.conf` to meet your needs.
    - The `<Input eventlog>` section specifies the logging channels to be captured. To enable a logging channel, uncomment the desired lines. To disable a logging channel, comment out those lines.
    - `LOGFOLDER` specifies the folder to stream logs from. Check that the `File '%LOGFOLDER%\*.log'` value is correct for your system as well.
    - Input, processor, and output channels are connected in the `<Route>` block. Comment out this block to remove the route and disable logging from this channel. Add new input modules with unique names to enable logging from new sources.

  - Copy the `nxlog.conf` file as `<NXLOGDIR>\conf\nxlog.conf`, where `<NXLOGDIR>` is the directory where you installed NXLog. For example, `C:\Program Files (x86)\nxlog\`.
- Download the LogDNA SSL Certificate Authority file. This can be done in one of the following ways.

  - Run the following PowerShell script, where `<NXLOGDIR>` is the directory where you installed NXLog.

    ```powershell
    $url = "https://assets.us-south.logging.cloud.ibm.com/rootca/ld-root-ca.crt"
    $output = "<NXLOGDIR>\cert\ca.pem"
    (New-Object System.Net.WebClient).DownloadFile($url, $output)
    ```

  - Use the link in the installation information to download and install the Root CA Certificate.
    - Access the IBM Log Analysis UI.
    - Click the question mark icon to access the installation instructions.
    - Click NXLog.
    - Click Download Root CA Certificate to download a copy of the certificate.
    - Copy the certificate to `<NXLOGDIR>\cert\ca.pem`, where `<NXLOGDIR>` is the directory where NXLog is installed.
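To make the customization points above concrete, here is an illustrative `nxlog.conf` (an added example written for this page, not the file IBM provides for download). It uses the standard NXLog modules `im_msvistalog`, `im_file`, `om_ssl` and `xm_syslog`; the install directory, `LOGFOLDER` location, certificate path, and the host and port are the example values named on this page and must be replaced with the ones shown in your own installation instructions. The `<Input eventlog>`, `LOGFOLDER`/`File` and `<Route>` blocks are the three places the customize step refers to, and `CAFile` points at the `ca.pem` copied in the certificate step.

```apacheconf
## Illustrative nxlog.conf for forwarding Windows logs to IBM Log Analysis.
## Added example for this page, not the downloaded file; adjust all paths,
## the host and the port to match your installation instructions.

## <NXLOGDIR>: where NXLog was installed (page's example location).
define ROOT      C:\Program Files (x86)\nxlog
## Folder whose *.log files are streamed (page's default location).
define LOGFOLDER C:\ProgramData\logs
## Where the Root CA certificate was copied as ca.pem.
define CERTDIR   %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

## Provides to_syslog_ietf(), used by the output below.
<Extension syslog>
    Module xm_syslog
</Extension>

## Windows Event Log channels to capture. Comment out a <Select> line to
## stop collecting that channel; uncomment or add one to start collecting it.
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

## Flat log files under LOGFOLDER. Check that this glob is right for your
## system, as the customize step says.
<Input file>
    Module im_file
    File   '%LOGFOLDER%\*.log'
</Input>

## TLS-wrapped syslog to the endpoint shown in the installation instructions
## (example host:port from this page). CAFile is the certificate from the
## download step; AllowUntrusted FALSE makes NXLog refuse a server certificate
## that does not chain to that CA, so a misplaced or stale ca.pem fails loudly
## in %ROOT%\data\nxlog.log instead of silently sending to an unverified peer.
<Output out>
    Module         om_ssl
    Host           syslog-a.us-south.logging.cloud.ibm.com
    Port           63980
    CAFile         %CERTDIR%\ca.pem
    AllowUntrusted FALSE
    Exec           to_syslog_ietf();
</Output>

## The route connects inputs to the output. Comment out the whole block to
## disable forwarding; to forward from a new source, add another <Input name>
## block above and list its name here.
<Route r>
    Path eventlog, file => out
</Route>
```

After copying a file like this to `<NXLOGDIR>\conf\nxlog.conf`, the first thing to check after starting NXLog is `%ROOT%\data\nxlog.log`: a wrong `CAFile` path, an unreadable `LOGFOLDER`, or a blocked port each show up there as an error on startup or on the first connection attempt.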
Run NXLog
Run the following in PowerShell from the directory where you installed NXLog.

```powershell
.\nxlog.exe
```

Run the following in PowerShell from the directory where you installed NXLog to stop the service.

```powershell
.\nxlog.exe --stop
```