Ship Windows logs

• Winlogbeat
• NXLog

Configure Winlogbeat

Before you begin, you’ll need: Winlogbeat 8, Winlogbeat 7, or Winlogbeat 6.

Download the Logz.io public certificate

Download the Logz.io public certificate to C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt on your machine.

Configure Windows input

If you’re working with the default configuration file, (C:\Program Files\Winlogbeat\winlogbeat.yml) clear the content and start with a fresh file.

Paste this code block.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

fields:
  logzio_codec: json
  token: <<LOG-SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true

If you’re running Winlogbeat 7 or 8, paste this code block. Otherwise, you can leave it out.

# ... For Winlogbeat 7 and 8 only ...
processors:
  - rename:
      fields:
      - from: "agent"
        to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
      - from: "log.file.path"
        to: "source"
      ignore_missing: true
  - rename:
      fields:
      - from: "log"
        to: "log_information"
      ignore_missing: true

Set Logz.io as the output

If Logz.io isn’t the output, set it now.

Winlogbeat can have one output only, so remove any other output entries.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']

Restart Winlogbeat

Open PowerShell as an admin and run this command:

Restart-Service winlogbeat

If you’re starting Winlogbeat, and haven’t configured it as a service yet, refer to Winlogbeat documentation.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don’t see your logs, see log shipping troubleshooting.

Configure NXLog

Before you begin, you’ll need: NXLog

Configure NXLog basics

Copy this code into your configuration file (C:\Program Files (x86)\nxlog\conf\nxlog.conf by default).

define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>

For information on parsing multi-line messages, see this from NXLog.

Add Windows as an input

Add an Input block to append your account token to log records.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

<Input eventlog>

# For Windows Vista/2008 and later, set Module to `im_msvistalog`. For
#  Windows XP/2000/2003, set to `im_mseventlog`.
    Module im_msvistalog

    Exec if $raw_event =~ /^#/ drop();
    Exec convert_fields("AUTO", "utf-8");
    Exec    $raw_event = '[<<LOG-SHIPPING-TOKEN>>][type=wineventlog]' + $raw_event;
</Input>

Set Logz.io as the output

Add the Logz.io listener in the Output block.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

<Output out>
    Module  om_tcp
    Host    <<LISTENER-HOST>>
    Port    8010
</Output>
<Route 1>
    Path eventlog => out
</Route>

Restart NXLog

Open PowerShell as an admin and run this command:

Restart-Service nxlog

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.