Windows Servers

Observe supports ingesting log data from Windows servers, including Windows event logs and application logs written to the filesystem. Observe recommends Fluentd, installed from the td-agent package, as the forwarder. Note that the configuration below uses Fluentd's `<source>` syntax and the td-agent install path; it is not a Fluent Bit configuration.

Install td-agent (Fluentd) on the Windows System

Install the td-agent package for Windows. The installer registers td-agent as a Windows service that reads its configuration from the file below.

Update the td-agent configuration file (C:/opt/td-agent/etc/td-agent/td-agent.conf) to add the following sources. The `tail` source reads an application log file from the filesystem and captures each line as a `message` field; the `windows_eventlog` source reads the Application, System, and Security event log channels. Both sources record how far they have read in a state file, so the directory named in `pos_file` and in the `<storage>` `path` must exist and be writable by the account the td-agent service runs as (a path without a drive letter resolves against the drive the service process runs from). Reading the Security channel requires that account to be LocalSystem, an Administrator, or a member of the Event Log Readers group. These blocks only collect events; the `<match>` section that forwards them to Observe is configured separately and is not shown here.

####
## Source descriptions:
##
##
##  Filesystem logs
##
<source>
  @type tail
  @id input_tail
  tag fslog.#{Socket.gethostname}
  path C:/logs/observe.log
  pos_file /var/log/td-agent/tmp/observe.log.pos
  path_key tailed_path
  <parse>
    @type regexp
    expression /^(?<message>.*)$/
  </parse>
</source>
##
##  Windows event logs
##
<source>
  @type windows_eventlog
  @id windows_eventlog
  tag winevent.#{Socket.gethostname}
  channels application,system,security
  <storage>
    @type local
    persistent true
    path /var/log/td-agent/tmp/winevt.pos
  </storage>
</source>
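The pre-flight script below is an added example, not part of Observe's documentation or of Fluentd's own tooling. It checks the conditions the two `<source>` blocks above depend on: that the configuration file exists and contains both sources, that the state-file directories exist and are writable, that every configured event log channel is readable by the current account, and that the tailed file can be written. It also appends a marker line to the tailed file so the pipeline can be confirmed end to end in Observe. The service name `fluentdwinsvc` and the `C:` drive for the drive-less state-file paths are assumptions, not facts stated on the page; adjust them to match your install.

```powershell
# Pre-flight check for the td-agent (Fluentd) Windows sources above.
# Example code added to this page; not Observe's or Fluentd's own tooling.
# Assumptions (not stated on the page): the td-agent service is named
# 'fluentdwinsvc', and the drive-less state-file paths resolve to C:.
$ConfPath    = 'C:\opt\td-agent\etc\td-agent\td-agent.conf'
$TailPath    = 'C:\logs\observe.log'
$StateFiles  = @('C:\var\log\td-agent\tmp\observe.log.pos',
                 'C:\var\log\td-agent\tmp\winevt.pos')
$Channels    = @('Application', 'System', 'Security')
$ServiceName = 'fluentdwinsvc'   # assumption: default td-agent service name
$ok = $true

# 1. The config file must exist and contain both source types.
if (-not (Test-Path $ConfPath)) {
    Write-Warning "Config not found: $ConfPath (is td-agent installed?)"; $ok = $false
} else {
    $conf = Get-Content -Path $ConfPath -Raw
    foreach ($type in '@type tail', '@type windows_eventlog') {
        if ($conf -notmatch [regex]::Escape($type)) {
            Write-Warning "Config is missing a '$type' source"; $ok = $false
        }
    }
}

# 2. State-file directories: the tail and windows_eventlog plugins create
#    their position files at startup and fail if the directory is missing
#    or not writable by the service account.
foreach ($f in $StateFiles) {
    $dir = Split-Path -Path $f -Parent
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        Write-Host "Created $dir"
    }
    try {
        $probe = Join-Path $dir 'write-probe.tmp'
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe
    } catch {
        Write-Warning "Not writable: $dir"; $ok = $false
    }
}

# 3. Event log channels. Security is only readable by Administrators,
#    LocalSystem, or members of 'Event Log Readers'; run this check as the
#    same account the service uses, or it proves nothing.
foreach ($ch in $Channels) {
    try {
        $null = Get-WinEvent -LogName $ch -MaxEvents 1 -ErrorAction Stop
        Write-Host "Channel readable: $ch"
    } catch {
        Write-Warning "Cannot read channel '$ch': $($_.Exception.Message)"; $ok = $false
    }
}

# 4. Tailed file: make sure it can be appended to, and write a marker line.
#    The regexp parser above captures the whole line as 'message', so this
#    exact string can be searched for in Observe to confirm delivery.
New-Item -ItemType Directory -Path (Split-Path -Path $TailPath -Parent) -Force | Out-Null
$marker = "td-agent preflight $(Get-Date -Format o) host=$env:COMPUTERNAME"
Add-Content -Path $TailPath -Value $marker
Write-Host "Wrote marker line to ${TailPath}: $marker"

# 5. Service state: config edits take effect only after a restart.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found"; $ok = $false
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceName' is $($svc.Status); restart it after editing the config"; $ok = $false
}

if ($ok) { Write-Host 'Pre-flight passed.' } else { Write-Warning 'Pre-flight found problems; see warnings above.' }
```

Run the script from an elevated PowerShell session or, better, under the same account the td-agent service uses (for example with `psexec -s` for LocalSystem), since the channel-read check only reflects the privileges of the account running it. After restarting the service, search Observe for the marker string the script printed; if the event log channels appear but the marker does not, the problem is the `tail` source or its `pos_file` directory rather than the output side.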