Microsoft Windows has a service that maintains local logs and events called EventLog. The EventLog acts as a local repository of all the logs produced by the system itself, including the operating system and its various services.
Collecting and forwarding data from Windows systems requires an agent that can:
- Collect logs and events from Windows EventLog
- Collect logs and events placed in local files and folders by applications
- Foward real-time syslog-compatible data to an external system
You can download NXLog and its documentation at: http://nxlog.org/products/nxlog-community-edition/download
Below is a sample config that grabs Windows EventLogs and two application log files, then sends them over UDP to Unomaly.
define ROOT C:\Program Files (x86)\nxlog
Path eventlog, logfile => uout
You can configure NXLog to support log files containing log lines that span multiple lines. For example, you can add the following snippet to nxlog.conf:
# Discard everything that doesn't seem to be an xml event
Exec if $raw_event !~ /^<event>/ drop();