Windows Servers
Observe supports ingesting log data from Windows servers, including event logs and application logs on the filesystem. Observe recommends Fluentd as the forwarder.
Install Fluentd on the Windows System
Install the Fluentd forwarder (td-agent).
Update the Fluentd configuration file (C:/opt/td-agent/etc/td-agent/td-agent.conf) to add the following sources:
####
## Source descriptions:
##
##
## Filesystem logs
##
<source>
  @type tail
  @id input_tail
  # Double-quote the tag: Fluentd evaluates the embedded Ruby (#{...}) only in
  # double-quoted values, so this yields fslog.<hostname>
  tag "fslog.#{Socket.gethostname}"
  path C:/logs/observe.log
  # Remembers how far the file has been read, so a restart neither re-sends nor skips lines
  pos_file /var/log/td-agent/tmp/observe.log.pos
  # Adds the source file path to every record under this key
  path_key tailed_path
  <parse>
    # Each line becomes one record with a single "message" field
    @type regexp
    expression /^(?<message>.*)$/
  </parse>
</source>
##
## Windows event logs
##
<source>
  @type windows_eventlog
  @id windows_eventlog
  tag "winevent.#{Socket.gethostname}"
  # Security must be listed here for logon and audit events to be collected
  channels application,system,security
  <storage>
    # Persist the last-read position so events are not re-read or missed after a restart
    @type local
    persistent true
    path /var/log/td-agent/tmp/winevt.pos
  </storage>
</source>
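As an added check (example code, not part of the Observe documentation or of Fluentd), the following Python lints a td-agent.conf excerpt for the points the two sources above depend on: a double-quoted tag wherever `#{Socket.gethostname}` is embedded (Fluentd evaluates embedded Ruby only in double-quoted values), the Security channel being collected, and persistent storage for the event log read position. The parser and SAMPLE_CONF are constructed for this example and cover only the subset of Fluentd syntax shown on this page.

```python
# Added example (not Observe's or Fluentd's own code): a minimal lint for the two td-agent
# sources this page configures. SAMPLE_CONF is a constructed excerpt with weak settings.
SAMPLE_CONF = """\
<source>
  @type tail
  @id input_tail
  tag fslog.#{Socket.gethostname}
</source>
<source>
  @type windows_eventlog
  @id windows_eventlog
  tag "winevent.#{Socket.gethostname}"
  channels application,system
  <storage>
    persistent false
  </storage>
</source>
"""

def parse_fluentd(text):
    # Tree of {name, params, children} dicts; handles sections, "key value" lines and full-line comments only
    stack = [{"name": "root", "params": {}, "children": []}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue   # blank or full-line comment
        if line.startswith("</"): stack.pop()            # closing tag: leave the section
        elif line.startswith("<"):                       # opening tag, e.g. <source> or <storage>
            sec = {"name": line[1:-1].split()[0], "params": {}, "children": []}
            stack[-1]["children"].append(sec)
            stack.append(sec)
        else:                                            # "key value" line
            key, _, value = line.partition(" ")
            stack[-1]["params"][key] = value.strip()
    return stack[0]

def audit(root):
    findings = []
    for src in (c for c in root["children"] if c["name"] == "source"):
        p = src["params"]
        sid, tag = p.get("@id", "<no @id>"), p.get("tag", "")
        if "#{" in tag and not (tag.startswith('"') and tag.endswith('"')):
            findings.append(f"{sid}: tag {tag} is unquoted; Fluentd evaluates #{{}} only in double-quoted values")
        if p.get("@type") == "windows_eventlog":
            channels = {c.strip().lower() for c in p.get("channels", "").split(",")}
            if "security" not in channels:
                findings.append(f"{sid}: Security channel not collected; logon and audit events will be missing")
            storage = next((c for c in src["children"] if c["name"] == "storage"), None)
            if storage is None or storage["params"].get("persistent") != "true":
                findings.append(f"{sid}: storage not persistent; read position is lost on restart")
    return findings
```

Running `audit(parse_fluentd(SAMPLE_CONF))` reports three findings; the corrected sources above produce none.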