
How to Centralize Windows Logs with LogDNA


The need to centralize Windows Logs

Your Windows server event logs hold valuable security, access and operational information that is critical when you are troubleshooting your Windows instances. You can open the Windows Event Viewer on each instance to see logs organized into channels such as System, Security, Application and Setup.

Windows log files are stored locally on each server in various directories. Each Windows instance has its own Event Viewer, and applications rarely store their log files in a single predictable location such as C:\logs. When issues arise, logging into each machine to collect logs and diagnose the root cause is painfully manual, and you are out of luck if the system is down. Centralizing Windows event logs and log files is a no-brainer, but the available solutions vary in complexity and cost. You can easily send these logs to LogDNA to centralize them and search them quickly.

LogDNA helps you quickly find the root causes of failures and diagnose security events and system issues. You pay by log volume, which makes it a simple, cost-effective way to centralize your Windows event logs and Windows log files.

This guide walks you through collecting logs from Microsoft Windows. The standard Windows event channels (Security, System, Setup, Application) are supported, and custom event channels can also be sent to LogDNA through the agent. You can also specify which directories and files the LogDNA agent should send.

LogDNA Windows Agent

The LogDNA agent is a service that runs on your Windows system. When your log files are updated or new Windows event log entries are written, it sends them to LogDNA.

How it works

The LogDNA agent authenticates using your LogDNA Ingestion Key and opens a secure WebSocket connection to LogDNA's ingestion servers. It then 'tails' the configured sources for new log data and watches for new files added to your logging directories.

To dive deeper, you can view the source code for the logdna-agent on GitHub.

System Requirements

To install the agent through Chocolatey, you will need:

  • Windows 7+/Windows 2003+ (Server Core also, but not Windows Nano Server)
  • Windows PowerShell v2+ (not PowerShell Core aka PowerShell 6 yet)
  • .NET Framework 4.x+

Installation

The LogDNA agent for Windows can be installed using Chocolatey from a command prompt or a PowerShell session running with administrator privileges.

  1. To install Chocolatey:

    @powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

  2. To install the latest LogDNA agent for Windows, you can run the following command from the command line or PowerShell:

    choco install logdna-agent -y

  3. Add your LogDNA ingestion key so the agent can authenticate (you can find it after you sign up and log into the LogDNA app):

    logdna-agent -k <insert your LogDNA ingestion key>

  4. To collect logs from Windows event channels, specify which channel(s) to watch, e.g. System, Application, Security:

    logdna-agent -w <comma separated list of event channels>

  5. Start the LogDNA agent service using nssm:

    nssm start logdna-agent
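The five steps above as one unattended PowerShell script. This is an added example, not code from the LogDNA page or the logdna-agent project. It assumes the Chocolatey package registers the agent as an nssm service named logdna-agent (implied by the nssm start command above), and it takes the ingestion key from a LOGDNA_INGESTION_KEY environment variable or a masked prompt rather than a script literal, so the key does not end up in source control or shell history. Step 1 downloads and executes a remote script; it is pinned to HTTPS with TLS 1.2 here, and on production servers you should review install.ps1 or install from an internal mirror instead.

```powershell
# Added example: unattended LogDNA Windows agent install (not the project's own code).
# Assumptions: nssm service name "logdna-agent"; key in $env:LOGDNA_INGESTION_KEY or prompted.
param(
    [string[]]$EventChannels = @('System', 'Application', 'Security')
)

$ErrorActionPreference = 'Stop'

# The installer, the agent switches and nssm all need an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# Step 1: install Chocolatey only if it is missing. Force TLS 1.2 (3072) for the download;
# this form also works on .NET 4.0 where the Tls12 enum name is not defined.
if (-not (Get-Command choco.exe -ErrorAction SilentlyContinue)) {
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072
    Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    $env:Path += ";$env:ALLUSERSPROFILE\chocolatey\bin"
}

# Step 2: install the agent package and fail loudly if Chocolatey did.
choco install logdna-agent -y
if ($LASTEXITCODE -ne 0) { throw "choco install failed with exit code $LASTEXITCODE" }

# Step 3: obtain the ingestion key without hard-coding it.
$key = $env:LOGDNA_INGESTION_KEY
if (-not $key) {
    $secure = Read-Host -Prompt 'LogDNA ingestion key' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $key = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
if ([string]::IsNullOrWhiteSpace($key)) { throw 'No ingestion key provided.' }
logdna-agent -k $key

# Step 4: choose the event channels to forward (comma separated, as the agent expects).
logdna-agent -w ($EventChannels -join ',')

# Step 5: start the service and confirm it actually came up.
nssm start logdna-agent
Start-Sleep -Seconds 3
$svc = Get-Service -Name logdna-agent
if ($svc.Status -ne 'Running') { throw "logdna-agent service is $($svc.Status), expected Running" }
Write-Host "logdna-agent is running; forwarding channels: $($EventChannels -join ', ')"
```

Run it as `.\Install-LogDnaAgent.ps1 -EventChannels System,Application,Security,Setup` from an elevated prompt; the channel list is the only thing most hosts need to vary.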

How to Configure the LogDNA Windows agent

Files and Directories

By default, the logs in this directory are monitored:

%ALLUSERSPROFILE%\logs

To add other directories, use:

logdna-agent -d C:\path\to\log\folders

To add other files, use:

logdna-agent -f C:\path\to\log\folders\my.log

Configuration File

Normally a config file is generated automatically (e.g. when you set a key using -k), but you can also create your own config file at:

C:\ProgramData\logdna\logdna.conf

Check the README on GitHub to learn which options are supported in the configuration file.

Note: if you run into issues with your paths, make sure to use \\ as the separator:

logdir = C:\\Users\\username\\AppData\\myapp

Here is a sample configuration file:

[Image: sample LogDNA Windows configuration file]

You can view your config file at any time with this command:

logdna-agent -l

Events

To collect logs from Windows Event Log channels, specify which channel(s) to watch, e.g. System, Application, Security:

logdna-agent -w <comma separated list of event channels>

Tags

You can tag each agent instance so that it can be identified and filtered in the LogDNA app:

logdna-agent -t mytag
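The directory, file, event-channel and tag options from the sections above, applied together with the documented switches, plus two checks a practitioner would want: channel names are validated against what the host actually exposes before they are handed to the agent, and the generated config file, which holds the ingestion key, is restricted to SYSTEM and Administrators. This is an added example, not code from the LogDNA page or project. It assumes the service is registered by nssm as logdna-agent running as LocalSystem (nssm's default), that the config lives at C:\ProgramData\logdna\logdna.conf as stated above, and that -w accepts channel names in the form Get-WinEvent reports them; the paths and tag are constructed for illustration.

```powershell
# Added example: configure, lock down and verify the LogDNA Windows agent (not the project's own code).
# Assumptions: nssm service "logdna-agent" running as LocalSystem; config at %ProgramData%\logdna\logdna.conf.
$ErrorActionPreference = 'Stop'
$ConfPath = Join-Path $env:ProgramData 'logdna\logdna.conf'

# Constructed example inputs. The PowerShell Operational log is a custom (non-standard)
# channel, included to show that custom channels are forwarded the same way.
$channels = @('System', 'Application', 'Security', 'Microsoft-Windows-PowerShell/Operational')
$logDirs  = @('C:\inetpub\logs\LogFiles', 'C:\MyApp\logs')
$logFiles = @('C:\MyApp\audit.log')
$tag      = "$env:COMPUTERNAME-web"

# Validate the channel names against the logs this host exposes before configuring the agent.
$known = (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue).LogName
foreach ($c in $channels) {
    if ($known -notcontains $c) { throw "Event channel '$c' does not exist on this host" }
}

# Apply the settings with the switches documented above.
logdna-agent -w ($channels -join ',')
foreach ($d in $logDirs)  { logdna-agent -d $d }
foreach ($f in $logFiles) { logdna-agent -f $f }
logdna-agent -t $tag

# The config file contains the ingestion key: drop inherited ACEs and grant only
# SYSTEM (S-1-5-18, the service account) and Administrators (S-1-5-32-544).
# SIDs are used instead of names so this works on any OS language.
if (-not (Test-Path $ConfPath)) { throw "Expected config file not found at $ConfPath" }
icacls $ConfPath /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $ConfPath" }

# If you hand-edit logdna.conf instead of using the switches, every backslash in a path
# must be doubled. String.Replace is used (not -replace) so no regex escaping is involved.
function ConvertTo-LogDnaConfPath([string]$Path) {
    return $Path.Replace('\', '\\')
}
# ConvertTo-LogDnaConfPath 'C:\MyApp\logs' gives C:\\MyApp\\logs

# Restart so the agent picks up the new settings, then show the effective config.
nssm restart logdna-agent
Get-Service -Name logdna-agent | Select-Object Name, Status
logdna-agent -l
```

The ACL step matters because anyone who can read logdna.conf can read the ingestion key and push arbitrary log lines into your account under this host's name; granting only SYSTEM and Administrators keeps the service working without exposing the key to ordinary users on the box.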

Viewing your logs in LogDNA

When you log into your LogDNA dashboard, you will see events tagged with your Windows source. You can drill into an event, as shown below, to get more details, or quickly search for what you need.

[Image: LogDNA Windows Config File]
