Windows Servers
Observe supports ingesting log data from Windows servers, including event logs and application logs on the filesystem. Observe recommends Fluent Bit as the forwarder.
Install Fluent Bit on the Windows System
Install the Fluent Bit forwarder.
Update the Fluent Bit configuration file (C:/opt/td-agent/etc/td-agent/td-agent.conf) to add the following sources:
####
## Source descriptions:
##
## Two inputs are defined: the first tails a plain-text application log on
## the filesystem, the second reads Windows event log channels. Both tags
## embed the hostname through embedded Ruby (#{Socket.gethostname}), which
## is evaluated once when the configuration is loaded; the tag values are
## double-quoted because that is the form in which td-agent documents
## embedded Ruby.
##
## Filesystem logs
##
<source>
  @type tail
  @id input_tail
  tag "fslog.#{Socket.gethostname}"
  path C:/logs/observe.log
  # Records the byte offset already read so that a restart does not re-send
  # the whole file. The directory must exist and be writable by the service
  # account.
  pos_file /var/log/td-agent/tmp/observe.log.pos
  # Adds the tailed file's path to each record as the field "tailed_path".
  path_key tailed_path
  <parse>
    # Capture each whole line into a single "message" field without further
    # parsing.
    @type regexp
    expression /^(?<message>.*)$/
  </parse>
</source>
##
## Windows event logs
##
<source>
  @type windows_eventlog
  @id windows_eventlog
  tag "winevent.#{Socket.gethostname}"
  # The Security channel can only be read by LocalSystem or by members of the
  # built-in "Event Log Readers" group, so the service must run as such an
  # account for that channel to be collected.
  channels application,system,security
  <storage>
    # Persist the last-read position of each channel so that events are
    # neither duplicated nor skipped across service restarts.
    @type local
    persistent true
    path /var/log/td-agent/tmp/winevt.pos
  </storage>
</source>
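Before starting the service, the following PowerShell pre-flight check (added here; it is not part of the Observe documentation or of the td-agent project) verifies the prerequisites the configuration above depends on: the account the service runs as, readability of each configured event log channel, and the existence of the tailed file and of the position-file directories. It assumes the td-agent service is registered under the name fluentdwinsvc and that the drive-relative /var/log/td-agent/tmp paths in the configuration resolve to C:\var\log\td-agent\tmp; adjust both if your installation differs.

```powershell
# Pre-flight check for the td-agent sources above (added example, not project code).
$ServiceName = 'fluentdwinsvc'                      # assumed service name; adjust if different
$Channels    = 'Application', 'System', 'Security'   # channels from the windows_eventlog source
$TailPath    = 'C:\logs\observe.log'                 # path from the tail source
$PosFiles    = 'C:\var\log\td-agent\tmp\observe.log.pos',   # assumed resolution of the
               'C:\var\log\td-agent\tmp\winevt.pos'         # drive-relative /var/log paths

$ok = $true

# 1. Which account runs the forwarder? The Security channel requires LocalSystem
#    or an account that is a member of the built-in "Event Log Readers" group.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; check the service name"
    $ok = $false
} else {
    "Service '$ServiceName' runs as '$($svc.StartName)' (state: $($svc.State))"
}

# 2. Can each configured channel be read? Run this as the service account (or
#    elevated) so the result reflects the privileges the forwarder will have.
foreach ($ch in $Channels) {
    try {
        $null = Get-WinEvent -LogName $ch -MaxEvents 1 -ErrorAction Stop
        "Channel '$ch': readable"
    } catch {
        Write-Warning "Channel '$ch': $($_.Exception.Message)"
        $ok = $false
    }
}

# 3. The tailed file may appear later (in_tail picks it up on its next refresh),
#    but the position-file directories must exist before the service starts.
if (-not (Test-Path -LiteralPath $TailPath -PathType Leaf)) {
    Write-Warning "Tail target '$TailPath' does not exist yet; nothing will be forwarded until it does"
}
foreach ($p in $PosFiles) {
    $dir = Split-Path -Parent $p
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Position-file directory '$dir' is missing; create it and grant the service account write access"
        $ok = $false
    }
}

if ($ok) { 'Pre-flight checks passed' } else { 'Fix the warnings above before starting the service' }
```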