Collecting Windows Event logs with OpenTelemetry

You can collect logs from Windows-based operating systems and send them to Instana by using the OpenTelemetry (OTEL) Collector. Instana can receive OTEL logs through different mechanisms. For more information, see Configuring OpenTelemetry data ingestion.

Types of Windows Event logs

The Windows Event Log receiver collects logs from the Windows Event Log API, which includes the following:

  • Windows logs

    • Application
    • Security
    • Setup
    • System
    • Forwarded events
  • Applications and services logs

Both administrator and normal users can import Windows event logs.

Collecting Windows Event logs

You must configure the OpenTelemetry Collector to collect the Windows event logs and send them to Instana for monitoring and analysis.

Configuring the OTEL collector for Windows logs

Download the otelcol-contrib executable binary file from the Windows releases according to your Windows server configuration. The OTEL Collector Contrib package includes community-driven open source features that are necessary to collect and send logs to Instana. Configure the OTEL Collector to collect Windows event log data by using the windowseventlog receiver and forward the log data to the Instana agent's OTLP Endpoint. To configure the OTEL Collector, use the following example as a reference.

If you want to communicate by using TLS-encrypted methods with the Instana Agent, complete the steps to set up TLS encryption for the agent endpoint.

receivers:
  ## [REQUIRED] Configures the capture of Windows Event Logs from the "application" channel
  windowseventlog:
    channel: application
    attributes:
      type: windows

exporters:
  ## [REQUIRED] The Instana Agent supports GRPC payloads
  otlp/instanaAgent:
    ## Be sure to set the appropriate HOST:PORT combination.
    ## Note: The GRPC port will be 4317 (unless port-forwarding is used to change this).
    endpoint: "INSTANA_AGENT_HOST:INSTANA_AGENT_GRPC_PORT"
    ## TLS encryption is disabled in this example.
    tls:
      insecure: true

processors:
  ## [OPTIONAL] This is an example log severity parser that sets the **severity_text** field in the log payload, each runs in-order such that the highest matching severity is set.
  ## Note: If the OpenTelemetry Collector does not set log severity, then the severity is set by Instana when analyzing the log message.
  transform/severity_parse:
    log_statements:
      - context: log
        statements:
          - set(severity_text, "Info") where IsMatch(body.string, ".*INFO.*")
          - set(severity_text, "Warn") where IsMatch(body.string, ".*WARN.*")
          - set(severity_text, "Error") where IsMatch(body.string, ".*ERROR.*")
          - set(severity_text, "Fatal") where IsMatch(body.string, ".*FATAL.*")

  ## [REQUIRED] Logs must be sent in batches for performance reasons.
  ## Note: No additional `batch` processor configuration is provided since configuration depends on the user scenario.
  batch: {}

service:
  pipelines:
    ## [REQUIRED] Sample logs pipeline using the above configurations.
    logs:
      receivers: [windowseventlog]
      processors: [transform/severity_parse, batch]
      exporters: [otlp/instanaAgent]
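The example above disables TLS (`insecure: true`), so every log payload, which for the Security channel includes account names and logon details, crosses the network in plaintext. The following variant is an added example, not part of the original Instana documentation: it keeps the page's receiver and pipeline and replaces only the exporter's `tls` block with certificate verification against the agent's CA, as produced when you set up TLS encryption for the agent endpoint. The hostname `instana-agent.example.internal` and the certificate file paths are placeholder values.

```yaml
receivers:
  windowseventlog:
    channel: application
    ## Start at the end of the channel so a restart does not re-send the whole history.
    start_at: end
    attributes:
      type: windows

exporters:
  otlp/instanaAgent:
    ## Placeholder host and the default gRPC port; replace with your agent's address.
    endpoint: "instana-agent.example.internal:4317"
    tls:
      ## Weak setting from the plaintext example; do not combine it with the settings below.
      # insecure: true
      ##
      ## Verify the agent's certificate against the CA configured for the agent endpoint.
      insecure: false
      ## Placeholder path. Backslashes must be doubled inside double-quoted YAML strings.
      ca_file: "C:\\ProgramData\\otelcol\\instana-agent-ca.crt"
      ## Optional client certificate if the agent endpoint requires mutual TLS (placeholder paths).
      # cert_file: "C:\\ProgramData\\otelcol\\collector.crt"
      # key_file: "C:\\ProgramData\\otelcol\\collector.key"

processors:
  batch: {}

service:
  pipelines:
    logs:
      receivers: [windowseventlog]
      processors: [batch]
      exporters: [otlp/instanaAgent]
```

Leave `insecure_skip_verify` at its default of `false`; setting it to `true` would encrypt the connection but accept any certificate, which gives up the protection against a spoofed agent endpoint. If the collector fails to start with a certificate error, confirm that `ca_file` points at the CA that signed the agent's certificate and that the `endpoint` hostname matches a name in that certificate.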

Creating customized applications and services logs

Sometimes the application and service logs are not available for collection by the OTEL Collector. In that case, you must create customized applications and services logs by running the following commands:

New-EventLog -LogName "Customlog" -Source "MySource"
Write-EventLog -LogName "Customlog" -Source "MySource" -EntryType Error -EventId 1001 -Message "This is an error message body for testing."

The New-EventLog cmdlet in PowerShell creates a new event log. However, it doesn't directly create an event with a body and severity. Therefore, to create an event with specific details, including a body and severity, you need to use the Write-EventLog cmdlet.

Ingressing the OTEL collector data

You can use the OTEL Collector to ingress data as an administrative or nonadministrative user.

Ingressing data as a nonadministrative user

As a nonadministrative user, complete the following steps to ingress data by using the OTEL Collector:

  1. On the Windows system or VM, select Start > Settings > Accounts.
  2. Click Add someone else to this PC.
  3. From the Local Users and Groups menu, right-click Users and choose Create a new user.
  4. Add the newly created user to the Event Log Readers group.
  5. Follow the steps that are mentioned in the Ingressing data as an administrative user section.

Ingressing data as an administrative user

As an administrative user, complete the following steps to ingress data by using the OTEL Collector:

  1. Download the executable binary file, which is packaged as compressed tarballs (.tar.gz), from the Windows releases according to your Windows server configuration. Every OpenTelemetry Collector release includes an otelcol.exe file that you can run after unpacking.

    For a 64-bit OS, x64-based processor, download the latest otelcol-contrib_*_windows_amd64.tar.gz file.

  2. To start the OTEL collector, run the executable binary file and pass opentelemetry-collector-config.yaml as a parameter:

    C:\Users\Administrator>otelcol-contrib.exe --config opentelemetry-collector-config.yaml
    
  3. To create a custom-made Windows application event log for testing purposes, run the following command:

    C:\Users\Administrator>eventcreate /t ERROR /id 123 /L APPLICATION /D "Test log generation_05:52"
    
  4. To fetch all the Windows event application logs, modify the configuration fields in the opentelemetry-collector-config.yaml file:

    receivers:
      windowseventlog:
        channel: application
    
  5. To get all the Windows event security logs, modify the following configuration fields in the opentelemetry-collector-config.yaml file:

    receivers:
      windowseventlog:
        channel: security
    

    To collect a different log type, set the channel field to the name of that log.
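Steps 4 and 5 change a single `channel` value, so the collector reads one channel at a time. The following configuration is an added example, not from the Instana or OpenTelemetry documentation: it uses named receiver instances (`windowseventlog/<name>`) to read the Application, Security, System and ForwardedEvents channels in one logs pipeline, and tags each record with a `windows.channel` attribute (an attribute name chosen for this example) so the source can be distinguished in Instana. The `otlp/instanaAgent` exporter is the one described earlier on this page, shown here with a placeholder CA path.

```yaml
receivers:
  ## One receiver instance per channel; the suffix after "/" is only a name.
  windowseventlog/application:
    channel: application
    start_at: end
    attributes:
      type: windows
      windows.channel: application
  windowseventlog/security:
    ## Reading this channel requires the collector's account to be an administrator
    ## or a member of the Event Log Readers group.
    channel: security
    start_at: end
    attributes:
      type: windows
      windows.channel: security
  windowseventlog/system:
    channel: system
    start_at: end
    attributes:
      type: windows
      windows.channel: system
  windowseventlog/forwarded:
    ## Events forwarded from other hosts by Windows Event Forwarding land in this channel.
    channel: ForwardedEvents
    start_at: end
    attributes:
      type: windows
      windows.channel: ForwardedEvents

processors:
  batch: {}

exporters:
  otlp/instanaAgent:
    endpoint: "INSTANA_AGENT_HOST:4317"
    tls:
      ## Placeholder path to the CA that signed the agent endpoint's certificate.
      ca_file: "C:\\ProgramData\\otelcol\\instana-agent-ca.crt"

service:
  pipelines:
    logs:
      receivers:
        - windowseventlog/application
        - windowseventlog/security
        - windowseventlog/system
        - windowseventlog/forwarded
      processors: [batch]
      exporters: [otlp/instanaAgent]
```

Start the collector exactly as in step 2, passing this file with `--config`. If the account running the collector cannot read the Security channel, that receiver logs an access error at startup while the other three keep delivering, so check the collector's own output after the first start rather than assuming all four channels arrived.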