How to Collect and Visualize Windows Events From 5 Hosts in 5 Minutes


by Joe Howell on April 14, 2021

Overview

If you’re investigating incidents on your Windows hosts, sifting through the Event Viewer can be a painful experience. It’s best to collect and ship Windows Events to a separate backend for easier visualization and analysis – but depending on the solution you choose, this can take some significant legwork. Often it requires manually configuring a third-party tool or agent just to get started.

In this post, I’m going to walk through just how easy it is to collect, parse, and visualize Windows Events from multiple Windows machines with observIQ – all in less than 5 minutes – without needing to set up any third-party tools. No digging around in configuration files to specify log formats or parsing rules, and no need to stand up your own backend and storage.

Whether you’re an enthusiast or an ITOps or DevOps professional, observIQ provides the tools you need to collect, parse and analyze Windows events, faster and easier than any other solution on the market.

Before We Start: A Few Simple Pre-Reqs

1. Sign Up for an observIQ Cloud Trial

First, sign up for an observIQ Cloud free 14-day trial – no credit card is required.

2. Choose Your Windows Machines

Next, assemble the list of Windows machines you want to monitor. These can be Windows 10 workstations or Windows Server hosts, with server versions from 2008 through 2019 supported.

3. Verify Your Access 

For the selected machines, verify you have both Administrator privileges and RDP (Remote Desktop) access for any remote machines – you’ll need both to install the observIQ log agent.

That’s it! Now we’re ready to proceed.

Install observIQ Agents on Your Windows Hosts: A Few Simple Steps

To begin, log into your newly-created observIQ account and follow the 3 simple steps below:

1. Create a Template 

Time: [1 minute]

The first thing you’ll need to do is create a Template in observIQ. Navigate to the Fleet > Templates page and click Add Template.


On the Add New Template page, select Windows as the platform, and provide a friendly name for your Template. In this case, we’ll call it something simple: Windows Event Log Template. Next, click Create.


2. Add a Windows Event Log Source to Your Template

Time: [1 minute]

Next, you’ll be taken to your newly-created Windows Event Log Template. From here, we’ll add a Source to our template. Click Add Source.


On the Choose Source Type page, search for Windows Event Log in the list.


On the Configure Source panel, provide a friendly name for your Source. Again, we’ll name it something simple: Windows Event Log Source. Then choose the event channels you’re interested in collecting events from. For this example, let’s leave the 3 default selections for System, Application, and Security, as these are typically the most important channels to monitor.


3. Install the observIQ Log Agent Using a One-Line Installation Command 

Time: [3 minutes (about 30 seconds per Windows host)]

Next, click Add Agents to generate a one-line agent installation command.


Copy the one-line agent installation command to your clipboard.


Now we can install the observIQ log agent on each of the Windows hosts. Simply RDP into each system, open a Command Prompt as Administrator, then paste and run the command. The necessary installation files are downloaded and installed automatically on your Windows machine in 5-10 seconds.


As each installation succeeds, the agent will be automatically detected by observIQ, and associated with your Template. Configuration is complete!


Now you have the observIQ log agent installed on each of your machines. Each agent is collecting and parsing Windows Events from the channels we selected (Application, System, Security) in the Windows Event Log Source we added to our Template. Let’s go take a look.
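Before (or right after) running the one-line installer, it helps to confirm each host is actually in the state the steps above assume. The PowerShell below is an added example, not observIQ's code or installer: it checks that the session is elevated (the install and the Security channel both need Administrator), reports the status of the three channels selected in the Source, and previews the last hour of events grouped by channel and severity, which is roughly what you will see under Type and Severity on the Discover page.

```powershell
# Added example (not part of the observIQ agent): pre-flight check for a Windows host
# before installing the log agent. Assumes the default Source channels from the post.
$channels = 'System', 'Application', 'Security'

# 1. Elevation check: the installer and the Security channel both require Administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as Administrator: {0}" -f $isAdmin)
if (-not $isAdmin) {
    Write-Warning 'Not elevated: the Security channel is unreadable and the agent install will fail.'
}

# 2. Channel status: an enabled channel with a sane size and retention mode is what the agent tails.
$status = foreach ($c in $channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction Stop
    [pscustomobject]@{
        Channel   = $c
        Enabled   = $log.IsEnabled
        Records   = $log.RecordCount
        MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        Retention = $log.LogMode          # Circular, AutoBackup or Retain
    }
}
$status | Format-Table -AutoSize

# 3. Preview of the last hour, grouped by channel and severity (the Type / Severity view in Discover).
#    -ErrorAction SilentlyContinue suppresses the "No events were found" error for quiet channels.
$since  = (Get-Date).AddHours(-1)
$recent = foreach ($c in $channels) {
    Get-WinEvent -FilterHashtable @{ LogName = $c; StartTime = $since } -ErrorAction SilentlyContinue
}
$recent |
    Group-Object LogName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Channel';  e = { ($_.Name -split ', ')[0] } },
                  @{ n = 'Severity'; e = { ($_.Name -split ', ')[1] } },
                  Count |
    Format-Table -AutoSize
```

Run it from the same elevated session you use for the installer; a channel showing Enabled = False or a very small MaxSizeMB is worth fixing before the agent starts shipping, since the agent can only forward what the host retains.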

Exploring Your Windows Events on the Discover Page

Return to the Explore > Discover page in observIQ. You’ll now see Windows Events flowing into your account. The Type column shows which of the three channels selected in our Source each event came from, alongside the event’s severity and a summary of the event.


To quickly sort through your logs, you can use observIQ’s dynamic filter bar and easily filter your events by Severity, Agent, Source, or Type.


Dashboards

The moment we created our Windows Event Log Source, Windows Event dashboards were automatically deployed to this account: one for application and system events, and one for security events. You can find them on the Explore > Dashboards page.

The two dashboards are the Application and System Health Dashboard and the Security and Logons Dashboard.

Wrapping Up

And there you have it: Windows events in 5 minutes – it’s really that simple with observIQ. With guided configuration, support for popular Sources like Windows Event Log, and automatically installed dashboards, you can easily start analyzing your events in minutes, as opposed to hours or days.

For more information about the other Windows integrations observIQ supports, check out our integrations page: https://observiq.com/integrations/

If you’re interested in starting an observIQ Cloud Trial, you can sign up here.


observIQ Support

For support on observIQ Cloud, please contact:

support@observIQ.com

For the Open Source Log Agent, community-based support is available on our:

GitHub Repository
