IBM Cloud Docs
Logging from Windows Server systems

Use the IBM® Log Analysis service to monitor and manage logs from Windows server systems.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

You use NXLog to forward your Windows logs to IBM Log Analysis.

To configure NXLog, you must allow the Windows server to send logs via syslog to the port assigned to your logging instance. If you are using (a) the classic syslog protocol, (b) a custom port in syslog-ng, or (c) a custom port in rsyslog, no authentication is available: anyone who knows the endpoint host name and port can submit logs (including forged entries) to your instance. Depending on your environment, the classic syslog protocol or custom port configurations with syslog-ng or rsyslog may therefore present a significant security risk. Use these configurations at your organization's own risk, and validate with your compliance and security teams whether the risk is acceptable to your organization.

Before you begin

Before you begin, make sure you have an IBM Log Analysis instance configured.

Make sure you have an ID with the proper permissions

Use a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to: Registration.

Your IBMid must be assigned IAM policies for each of the following resources. For example, to work in the us-south region and in the Default resource group, you need the following permissions:

Table 1. List of IAM policies

Resource                 | Scope of the access policy | Role   | Region   | Information
Resource group Default   | Resource group             | Viewer | us-south | Required to allow the user to see service instances in the Default resource group.
IBM Log Analysis service | Resource group             | Editor | us-south | Required to allow the user to provision and administer the IBM Log Analysis service in the Default resource group.

Provision an IBM Log Analysis instance

To provision a service instance of IBM Log Analysis through the IBM Cloud console, see Provisioning an instance.

Install NXLog

Follow these steps to install NXLog.

You will need to run as a Windows Administrator for all command prompt or PowerShell steps.

  1. The Chocolatey package manager is used to install NXLog. Run one of the following if you do not have the package manager already installed. Both commands download the Chocolatey install script over HTTPS and execute it immediately; on production systems, review the script (or use your organization's approved package source) before running it.

    From a Windows command prompt (cmd.exe):

    powershell -command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
    

    From a PowerShell prompt:

    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    
  2. Run the following command in PowerShell to install NXLog Community Edition.

    choco install -y nxlog
    

Configure NXLog

  1. Allow NXLog to reach the syslog endpoint.

    To get the endpoint and port for your instance, do the following:

    1. Access the IBM Log Analysis UI.
    2. Click the question mark icon to access install instructions.
    3. Click NXLog.
    4. The syslog endpoint and port for your instance are displayed. For example, syslog-a.us-south.logging.cloud.ibm.com:63980.

    NXLog opens an outbound TLS connection from the Windows server to this endpoint. Nothing on the Windows server listens on the port, so no inbound firewall rule is needed, and opening one only adds attack surface. Windows Defender Firewall allows outbound connections by default; only if the outbound default for the active profile is set to Block do you need to add an outbound rule. Then, in Windows, do the following:

    1. From the Control Panel access System and Security > Windows Defender Firewall.
    2. Click Advanced settings.
    3. Click Outbound Rules.
    4. Click New Rule.
    5. Select Port.
    6. Click Next.
    7. Select TCP and, for Specific remote ports: enter 63980.
    8. Click Next.
    9. Select Allow the connection.
    10. Click Next.
    11. Select the profiles (Domain, Private, Public) where the rule should apply.
    12. Click Next.
    13. Name the rule. For example, syslog-a.us-south.logging.cloud.ibm.com:63980.
    14. Click Finish.
  2. Create your nxlog.conf file.

    1. Get the provided nxlog.conf file:

      1. Access the IBM Log Analysis UI.
      2. Click the question mark icon to access install instructions.
      3. Click NXLog.
      4. Click Download the file to download a copy of the provided nxlog.conf file.
    2. Customize the nxlog.conf to meet your needs.

      • The <Input eventlog> section specifies the logging channels to be captured. To enable a logging channel, uncomment the desired lines. To disable a logging channel, comment out those lines.

      • LOGFOLDER specifies the folder to stream logs from. Check that the File '%LOGFOLDER%\\*.log' value is correct for your system as well.

      • Input, processor, and output modules are connected in the <Route> block. Commenting out this block removes the route and stops all logging that flows through it. To enable logging from a new source, add an input module with a unique name and reference it from the route.

    3. Copy the nxlog.conf file to <NXLOGDIR>\conf\nxlog.conf, where <NXLOGDIR> is the directory where you installed NXLog. For example, C:\Program Files (x86)\nxlog\

  3. Download the LogDNA SSL Certificate Authority file. NXLog uses it to verify the certificate presented by the syslog endpoint, so it must be the authentic root CA for your instance. This can be done in one of the following ways.

    • Run the following PowerShell script where <NXLOGDIR> is the directory where you installed NXLog. The URL shown is the one for the us-south region; for an instance in another region, use the second method so that you get the certificate linked from your own instance's install instructions.

      # <NXLOGDIR> is the directory where you installed NXLog, for example C:\Program Files (x86)\nxlog
      $url = "https://assets.us-south.logging.cloud.ibm.com/rootca/ld-root-ca.crt"
      $output = "<NXLOGDIR>\cert\ca.pem"
      # Create the cert directory if it does not exist yet, then download the CA over HTTPS
      New-Item -ItemType Directory -Force -Path (Split-Path $output) | Out-Null
      (New-Object System.Net.WebClient).DownloadFile($url, $output)
      
      
    • Use the link in the installation information to download and install the Root CA Certificate.

      1. Access the IBM Log Analysis UI.
      2. Click the question mark icon to access install instructions.
      3. Click NXLog.
      4. Click Download Root CA Certificate to download a copy of the certificate.
      5. Copy the certificate to <NXLOGDIR>\cert\ca.pem, where <NXLOGDIR> is the directory where NXLog is installed.
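The following PowerShell script is an added example; it is not part of the IBM page or of NXLog. It runs the checks a practitioner would want after the steps above and before starting NXLog: it adds an outbound firewall rule only when a firewall profile blocks outbound traffic by default (an inbound rule is never required), confirms the syslog endpoint is reachable and that the certificate chain it presents anchors at the downloaded ca.pem rather than at whatever happens to be in the Windows trust store, and refuses an nxlog.conf that sets om_ssl's AllowUntrusted directive to TRUE, which would disable exactly the verification ca.pem exists for. The endpoint, port and install directory are the us-south values quoted on this page and are assumptions; replace them with the values from your own instance's install instructions. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the IBM page or NXLog): pre-flight checks before starting NXLog.
# Assumed values: the us-south endpoint/port quoted on this page and the default install directory.
$EndpointHost = 'syslog-a.us-south.logging.cloud.ibm.com'
$EndpointPort = 63980
$NxlogDir     = 'C:\Program Files (x86)\nxlog'
$CaPath       = Join-Path $NxlogDir 'cert\ca.pem'
$ConfPath     = Join-Path $NxlogDir 'conf\nxlog.conf'

# 1. Firewall. NXLog connects outbound, so no inbound rule is ever needed. Add an outbound
#    allow rule only for enabled profiles whose default outbound action is Block.
$blockingProfiles = Get-NetFirewallProfile |
    Where-Object { $_.Enabled -eq 'True' -and $_.DefaultOutboundAction -eq 'Block' }
if ($blockingProfiles) {
    $ruleName = "${EndpointHost}:${EndpointPort}"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Allow `
            -Protocol TCP -RemotePort $EndpointPort -Profile $blockingProfiles.Name | Out-Null
        "Added outbound rule '$ruleName' for profiles: $($blockingProfiles.Name -join ', ')"
    }
} else {
    "Outbound traffic is allowed by default; no firewall rule needed"
}

# 2. TLS. Connect to the endpoint, record every certificate it presents, then decide trust
#    ourselves using only ca.pem as the anchor (the Windows store is deliberately ignored).
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)
"Downloaded CA: $($ca.Subject)  thumbprint $($ca.Thumbprint)  valid until $($ca.NotAfter)"

$presented = New-Object 'System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]'
$recordChain = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    # Copy leaf, intermediates (and root, if sent) out of the handshake chain; accept the
    # handshake for now, because the real check happens below.
    foreach ($element in $chain.ChainElements) {
        $presented.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($element.Certificate)))
    }
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($EndpointHost, $EndpointPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $recordChain)
    $ssl.AuthenticateAsClient($EndpointHost)
    "Connected: $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
} finally {
    $tcp.Close()
}

$verify = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$verify.ChainPolicy.RevocationMode    = 'NoCheck'                          # private CA: no CRL/OCSP to query
$verify.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority' # ca.pem is not in the Windows store
[void]$verify.ChainPolicy.ExtraStore.Add($ca)
foreach ($cert in $presented) { [void]$verify.ChainPolicy.ExtraStore.Add($cert) }
$built = $verify.Build($presented[0])                                      # element 0 is the server's leaf
$root  = $verify.ChainElements[$verify.ChainElements.Count - 1].Certificate
if ($built -and $root.Thumbprint -eq $ca.Thumbprint) {
    "OK: server chain anchors at ca.pem (leaf '$($presented[0].Subject)' -> root '$($root.Subject)')"
} else {
    throw "Server chain does not anchor at ca.pem (root seen: $($root.Subject)). Re-download the Root CA from the install instructions; do not work around this with AllowUntrusted TRUE."
}

# 3. Config. ca.pem only matters if om_ssl actually verifies the server against it.
$conf = Get-Content -Raw $ConfPath
if ($conf -match '(?im)^\s*AllowUntrusted\s+TRUE\b') {
    throw "nxlog.conf sets AllowUntrusted TRUE: server certificate verification is disabled"
}
if ($conf -notmatch '(?im)^\s*CAFile\s+') {
    Write-Warning "nxlog.conf has no CAFile directive, so om_ssl has no CA to verify the endpoint against"
}
"Pre-flight checks passed"
```

The chain check builds its own X509Chain with ca.pem and the presented certificates in ExtraStore and then compares the thumbprint of the chain's last element with the downloaded CA, so a server that happens to present a chain rooted in a public CA already trusted by Windows is reported as a mismatch rather than silently accepted. Script steps 2 and 3 are the ones to keep in a scheduled job: the CA's NotAfter date and an unexpected root are both things you want to learn about before NXLog starts dropping connections.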

Run NXLog

Run the following in PowerShell from the directory where you installed NXLog to start NXLog.

.\nxlog.exe

NXLog writes its own start-up messages and errors, including a CAFile it cannot read or an endpoint certificate it cannot verify, to the file named by the LogFile directive in nxlog.conf. Check that file first if logs do not appear in IBM Log Analysis.

Run the following in PowerShell from the directory where you installed NXLog to stop the service.

.\nxlog.exe --stop