Collecting Windows Event logs with OpenTelemetry
You can collect logs from Windows-based operating systems and send them to Instana by using the OpenTelemetry (OTEL) Collector. Instana can receive OTEL logs through different mechanisms. For more information, see Configuring OpenTelemetry data ingestion.
Types of Windows Event logs
The Windows Event Log receiver collects logs through the Windows Event Log API, which include the following:
- Windows logs
  - Application
  - Security
  - Setup
  - System
  - Forwarded events
- Applications and services logs
Both administrative and standard users can collect Windows event logs.
Collecting Windows Event logs
You must configure the OpenTelemetry Collector to collect the Windows event logs and send them to Instana for monitoring and analysis.
Configuring the OTEL collector for Windows logs
Download the otelcol-contrib executable binary file from the Windows releases according to your Windows server configuration. The OTEL Collector Contrib package includes community-driven open source features that are necessary to collect and send logs to Instana. Configure the OTEL Collector to collect Windows event log data by using the windowseventlog receiver and to forward the log data to the Instana agent's OTLP endpoint. To configure the OTEL Collector, use the following example as a reference.
If you want to communicate with the Instana Agent over TLS, complete the steps to set up TLS encryption for the agent endpoint.
receivers:
  ## [REQUIRED] Configures the capture of Windows Event Logs from the "application" channel
  windowseventlog:
    channel: application
    attributes:
      type: windows
exporters:
  ## [REQUIRED] The Instana Agent supports GRPC payloads
  otlp/instanaAgent:
    ## Be sure to set the appropriate HOST:PORT combination.
    ## Note: The GRPC port will be 4317 (unless port-forwarding is used to change this).
    endpoint: "INSTANA_AGENT_HOST:INSTANA_AGENT_GRPC_PORT"
    ## TLS encryption is disabled in this example.
    tls:
      insecure: true
processors:
  ## [OPTIONAL] This is an example log severity parser that sets the severity_text field in the log payload.
  ## The statements run in order, so the highest matching severity is the one that is set.
  ## Note: If the OpenTelemetry Collector does not set log severity, then the severity is set by Instana when analyzing the log message.
  transform/severity_parse:
    log_statements:
      - context: log
        statements:
          - set(severity_text, "Info") where IsMatch(body.string, ".*INFO.*")
          - set(severity_text, "Warn") where IsMatch(body.string, ".*WARN.*")
          - set(severity_text, "Error") where IsMatch(body.string, ".*ERROR.*")
          - set(severity_text, "Fatal") where IsMatch(body.string, ".*FATAL.*")
  ## [REQUIRED] Logs must be sent in batches for performance reasons.
  ## Note: No additional `batch` processor configuration is provided since configuration depends on the user scenario.
  batch: {}
service:
  pipelines:
    ## [REQUIRED] Sample logs pipeline using the above configurations.
    logs:
      receivers: [windowseventlog]
      processors: [transform/severity_parse, batch]
      exporters: [otlp/instanaAgent]
Creating customized applications and services logs
Sometimes the application and service logs are not available for collection by the OTEL Collector. In that case, you must create a custom Applications and Services log by running the following commands:
New-EventLog -LogName "Customlog" -Source "MySource"
Write-EventLog -LogName "Customlog" -Source "MySource" -EntryType Error -EventId 1001 -Message "This is an error message body for testing."
The New-EventLog cmdlet in PowerShell creates a new event log. However, it doesn't directly create an event with a body and severity. Therefore, to create an event with specific details, including a body and severity, you need to use the Write-EventLog cmdlet.
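The following PowerShell script is an added example, not part of the Instana page: it creates the Customlog log and MySource source from the commands above, writes one entry per severity so that the collector's severity handling can be checked end to end, and reads the entries back. The log and source names are the page's; the event IDs and messages are constructed for the test.

```powershell
# Added example (not from the Instana page). Run in an elevated PowerShell session:
# New-EventLog registers a new log and event source, which requires administrator rights.
$LogName = "Customlog"
$Source  = "MySource"

# New-EventLog fails if the source is already registered, so check before creating it.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# One entry per EntryType. The message bodies are constructed so that the page's
# transform/severity_parse statements (INFO/WARN/ERROR) match them.
$entries = @(
    @{ Type = "Information"; Id = 1000; Message = "INFO: custom log test entry" },
    @{ Type = "Warning";     Id = 1001; Message = "WARN: custom log test entry" },
    @{ Type = "Error";       Id = 1002; Message = "ERROR: custom log test entry" }
)
foreach ($e in $entries) {
    Write-EventLog -LogName $LogName -Source $Source -EntryType $e.Type `
        -EventId $e.Id -Message $e.Message
}

# Read back the newest entries from this source. In the Windows Event Log API,
# Level 2 = Error, 3 = Warning and 4 = Information, which LevelDisplayName shows by name.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source } -MaxEvents 3 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize

# To collect this log with the OTEL Collector, point the windowseventlog receiver at it:
#   channel: Customlog
# To remove the test log again when you are done:
#   Remove-EventLog -LogName $LogName
```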
Ingressing the OTEL collector data
You can use the OTEL Collector to ingress data as an administrative or nonadministrative user.
Ingressing data as a nonadministrative user
As a nonadministrative user, complete the following steps to ingress data by using the OTEL Collector:
- On the Windows system or VM, select Start > Settings > Accounts.
- Click Add someone else to this PC.
- From the Local Users and Groups menu, right-click Users and choose Create a new user.
- Add the newly created user to the Event Log Readers group.
- Follow the steps that are mentioned in the Ingressing data as an administrative user section.
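The same nonadministrative reader account can be created from PowerShell instead of the Settings UI. This script is an added example, not part of the Instana page; the account name otelreader is an assumption. Membership in Event Log Readers gives the collector read access to the event log channels, including Security, without making it an administrator.

```powershell
# Added example (not from the Instana page). Run in an elevated PowerShell session.
$UserName = "otelreader"          # assumed account name for the collector
$Group    = "Event Log Readers"

if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    # Prompt for the password instead of embedding it in the script.
    $Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-LocalUser -Name $UserName -Password $Password `
        -Description "OpenTelemetry Collector log reader"
}

# Add the account to Event Log Readers only if it is not already a member.
$members = Get-LocalGroupMember -Group $Group | Select-Object -ExpandProperty Name
if ($members -notcontains "$env:COMPUTERNAME\$UserName") {
    Add-LocalGroupMember -Group $Group -Member $UserName
}

# Confirm the membership. It takes effect in a new logon session for the account,
# so start the collector as this user after the group change, not from a session
# that was already open.
Get-LocalGroupMember -Group $Group | Where-Object Name -like "*\$UserName"

# From a session signed in as the new account, this read of the Security channel
# should succeed once the membership is in place:
#   Get-WinEvent -LogName Security -MaxEvents 1
```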
Ingressing data as an administrative user
As an administrative user, complete the following steps to ingress data by using the OTEL Collector:
- Download the executable binary file, which is packaged as a compressed tarball (.tar.gz), from the Windows releases according to your Windows server configuration. Every OpenTelemetry Collector release includes an otelcol.exe file that you can run after unpacking. For a 64-bit OS with an x64-based processor, download the latest otelcol-contrib_*_windows_amd64.tar.gz file.
- To start the OTEL collector, run the executable binary file and pass opentelemetry-collector-config.yaml as a parameter:
  C:\Users\Administrator>otelcol-contrib.exe --config opentelemetry-collector-config.yaml
- To create a custom-made Windows application event log for testing purposes, run the following command:
  C:\Users\Administrator>eventcreate /t ERROR /id 123 /L APPLICATION /D "Test log generation_05:52"
- To fetch all the Windows event application logs, modify the configuration fields in the opentelemetry-collector-config.yaml file:
  receivers:
    windowseventlog:
      channel: application
- To get all the Windows event security logs, modify the following configuration fields in the opentelemetry-collector-config.yaml file:
  receivers:
    windowseventlog:
      channel: security
If you want different log types, modify the channel field with the type of log required.