Windows Events log to SigNoz
Overview
If you are using a Windows environment, you can stream Windows Event Log to SigNoz using OpenTelemetry Collector.
Monitoring specific Event Log sources, known as Channels, can be done using the Windows Event Log receiver which is configured in the OpenTelemetry Collector configuration file.
Key channels typically monitored include:
- Application: Logs events related to applications running on the system.
- Security: Records security-related events such as login attempts and resource access.
- System: Captures events related to system components, drivers, and services.
Prerequisites
- SigNoz cloud account
- Microsoft User account with permissions to access EventLog and Services
Setup
Step 1: Install OpenTelemetry Collector
The OpenTelemetry collector provides a vendor-neutral way to collect, process, and export your telemetry data such as logs, metrics, and traces.
You can install OpenTelemetry collector as an agent on your Virtual Machine by following this documentation.
Step 2: Add windowseventlog receiver
Configure windowseventlog receiver
Modify the config.yaml file created in the previous step to include the windowseventlog receiver in the receiver section. The below codeblock shows how you can add the receiver to get the windows application and system logs.
receivers:
windowseventlog/application:
channel: application
windowseventlog/system:
channel: system
There are more configuration options available here
Update pipelines configuration
In the same config.yaml file, update the pipelines section to include the windowseventlog/application and windowseventlog/system receivers under logs.
service:
pipelines:
....
logs:
receivers: [windowseventlog/application, windowseventlog/system]
processors: [batch]
exporters: [otlp]
If there are no errors, your Event logs will be visible in SigNoz under the Logs Tab.
Output
This is what the typical output will look like with the configurations we made above:
Application Log
{
"body": "{\"channel\":\"Application\",\"computer\":\"logs-windows\",\"event_data\":{},
\"event_id\":{\"id\":16384,\"qualifiers\":16384},\"keywords\":[\"Classic\"],\"level\":\"Information\",
\"message\":\"Successfully scheduled Software Protection service for re-start at 2024-08-10T18:52:44Z.
Reason: RulesEngine.\",\"opcode\":\"0\",\"provider\":{\"event_source\":\"Software Protection Platform
Service\",\"guid\":\"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}\",\"name\":\"Microsoft-Windows-Security-SPP\"},
\"record_id\":750,\"system_time\":\"2024-08-03T19:29:44.9757970Z\",\"task\":\"0\"}",
"id": "2k2Ud5JPPt8hVRQpgF6gXTxl1Yd",
"timestamp": "2024-08-03T19:29:44.975797Z",
"attributes": {},
"resources": {},
"severity_text": "INFO",
"severity_number": 9,
"span_id": "",
"trace_flags": 0,
"trace_id": ""
}
System Log
{
"body": "{\"channel\":\"System\",\"computer\":\"logs-windows\",
\"event_data\":{\"param1\":\"Background Intelligent Transfer Service\",
\"param2\":\"auto start\",\"param3\":\"demand start\",\"param4\":\"BITS\"},\"event_id\":{\"id\":7040,
\"qualifiers\":16384},\"keywords\":[\"Classic\"],\"level\":\"Information\",
\"message\":\"The start type of the Background Intelligent Transfer Service service was changed from
auto start to demand start.\",\"opcode\":\"0\",\"provider\":{\"event_source\":\"Service Control Manager\",
\"guid\":\"{555908d1-a6d7-4695-8e1e-26931d2012f4}\",\"name\":\"Service Control Manager\"},
\"record_id\":893,\"system_time\":\"2024-08-03T19:32:41.9476831Z\",\"task\":\"0\"}",
"id": "2k2Ud5JPPt8hVRQpgF6gXTxl1Yf",
"timestamp": "2024-08-03T19:32:41.9476831Z",
"attributes": {},
"resources": {},
"severity_text": "INFO",
"severity_number": 9,
"span_id": "",
"trace_flags": 0,
"trace_id": ""
}
