If you’re investigating incidents on your Windows hosts, sifting through the Event Viewer can be a painful experience. It’s best to collect and ship Windows Events to a separate backend for easier visualization and analysis – but depending on the solution you choose, this can take some significant legwork. Often, this can require manually configuring a 3rd party tool or agent, just to get started.
In this post, I’m going to walk through just how easy it is to collect, parse, and visualize Windows Events from multiple Windows machines with observIQ – all in less than 5 minutes – without needing to set up any 3rd-party tools. No digging around in configuration files to specify log formats or parsing rules – no need to stand up your own backend and storage.
Whether you’re an enthusiast, or an ITOps or Devops professional, observIQ provides tools you need to collect, parse and analyze Windows events, faster and easier than any other solution on the market.
Before We Start: A Few Simple Pre-Reqs
1. Sign-up for an observIQ Cloud Trial
First, sign-up for an observIQ Cloud free 14-day trial – no credit card is required.
2. Choose Your Windows Machines
Next, assemble the list of Windows machines you want to monitor. These can be Windows 10 workstations or servers, ranging from version 2008 – 2019.
3. Verify Your Access
For the selected machines, verify you have both Administrator privileges and RDP (Remote Desktop) access for any remote machines – you’ll need both to install observIQ log agent.
That’s it! Now we’re ready to proceed.
Install observIQ Agents on Your Windows Hosts: A Few Simple Steps
To begin, log into your newly-created observIQ account and follow the 3 simple steps below:
1. Create a Template
Time: [1 minute]
The first thing you’ll need to do is create a Template in observIQ. Navigate to the Fleet > Templates page and click Add Template.
On the Add New Template page, select Windows as the platform, and provide a friendly name for your Template. In this case, we’ll call it something simple: Windows Event Log Template. Next, click Create.
2. Add a Windows Event Log Source to Your Template
Time: [1 minute]
Next, you’ll be taken to your newly-created Windows Event Log Template. From here, we’ll add a Source to our template. Click Add Source.
On the Choose Source Type page, search for Windows Event Log in the list.
On the Configure Source panel, provide a friendly name for your Source. Again, we’ll name it something simple: Windows Event Log Source. Then choose the event channels you’re interested in collecting events from. For this example, let’s leave the 3 default selections for System, Application, and Security, as these are typically the most important channels to monitor.
3. Install the observIQ Log Agent Using a One-Line Installation Command
Time: [3 minutes, (30 seconds per Windows host)]
Next, click Add Agents to generate a one-line agent installation command.
Copy the one-line agent installation command to your clipboard.
Now, we can install the observIQ log agent on each of the Windows hosts. Simply RDP into each system, open the CMD Prompt as an Administrator, paste and run the command. The necessary installation files will be downloaded and installed automatically on your Windows machine in 5-10 seconds.
As each installation succeeds, the agent will be automatically detected by observIQ, and associated with your Template. Configuration is complete!
Now you have the observIQ log agent installed on each of your machines. Each agent is collecting and parsing the Windows Events based on options we’ve selected (Application, System, Security) in our Windows Event Log source that we’ve added to our Template. Let’s go take a look.
Exploring Your Windows Events Discover Page
Return to the Explore > Discover page in observIQ. You’ll now see Windows Events flowing into your account. In the Type column, you’ll see logs from the three channels we selected in our Source, the severity, and a summary of the event as well.
To quickly sort through your logs, you can use observIQ’s dynamic filter bar and easily filter your events by Severity, Agent, Source, or Type.
The moment we created our Windows Event Log Source, Windows Event dashboards were automatically deployed to this account: one for application and system events – one for security events. You can find them on the Explore > Dashboards page.
And there you have it: Windows events in 5 minutes – it’s really that simple with observIQ. With guided configuration, support for popular Sources like Windows Event Log, and automatically installed dashboards, you can easily start analyzing your events in minutes, as opposed to hours or days.
For more information about the other Windows integrations observIQ supports, check out our integrations page: https://observiq.com/integrations/
If you’re interested in starting an observIQ Cloud Trial, you can sign-up here.