
How to Collect and Ship Windows Events Logs with OpenTelemetry

Paul Stefanski

If you're using Windows, you'll want to monitor Windows Events. With our latest contribution to observIQ’s distribution of the OpenTelemetry Collector, you can easily monitor Windows Events with OpenTelemetry. You can utilize this receiver in conjunction with any OTel Collector, including the OpenTelemetry Collector and observIQ’s distribution of the collector.

Below are steps to get up and running quickly with observIQ’s distribution and shipping Windows Event logs to a popular backend: Google Cloud Ops. You can find out more about it on observIQ’s GitHub page.

What signals matter?

Windows Events logs record many operating system processes, application activity, and account activity. Some relevant log types to monitor include:

  • Application Logs
    • Contains information about applications installed or running on the system. If an application crashes, these logs may include an explanation for the crash.
  • Security Logs
    • Contains information about the system’s audit and authentication processes, for example when a user attempts to log into the system or use administrator privileges. This is the channel most relevant to detection and incident response.
  • System Logs
    • Contains information about Windows-specific processes, such as driver activity.

All of the above categories can be gathered with the Windows Events receiver – so let’s get started.

Related Content: How to Install and Configure an OpenTelemetry Collector

Before you begin

If you don’t already have an OpenTelemetry collector built with the latest Windows Events receiver installed, you’ll need to do that first. We suggest using observIQ’s distribution of the OpenTelemetry Collector, which includes the Windows Events receiver (and many others) and is simple to install with our one-line installer.

Configuring the Windows Events receiver

You can go ahead and navigate to your OpenTelemetry configuration file. If you’re using the observIQ Collector, you’ll find it at the following location:

  • C:\Program Files\observIQ OpenTelemetry Collector\config.yaml (Windows)

Edit the configuration file to include the Windows Events receiver as shown below:

yaml
receivers:
    windowseventlog:
        channel: application

The receiver emits each event as a structured log body rather than the raw XML. The following is an example of what one record looks like once collected (it is output, not configuration, so it is not added to the config file):

json
{
    "channel": "Application",
    "computer": "computer name",
    "event_id":
    {
        "id": 10,
        "qualifiers": 0
    },
    "keywords": "[Classic]",
    "level": "Information",
    "message": "Test log",
    "opcode": "Info",
    "provider":
    {
        "event_source": "",
        "guid": "",
        "name": "otel"
    },
    "record_id": 12345,
    "system_time": "2022-04-15T15:28:08.898974100Z",
    "task": ""
}

The fields you will most often filter or alert on downstream are event_id.id, provider.name, level and channel.

Configuring the Log Fields

You can adjust the following fields in the receiver configuration to control which logs are shipped and how they are read (field, default, description):

  • channel (required): The Windows event log channel to monitor, for example Application, Security or System.
  • max_reads (default 100): The maximum number of records read into memory before beginning a new batch.
  • start_at (default end): On first startup, where to start reading logs from the API. Options are beginning or end. Use beginning only when you deliberately want to backfill existing history; otherwise every restart of a fresh install replays the whole channel.
  • poll_interval (default 1s): The interval at which the channel is checked for new log entries. This check begins again after all new bodies have been read.
  • attributes (default {}): A map of key: value pairs to add to the entry's attributes.
  • resource (default {}): A map of key: value pairs to add to the entry's resource.
  • operators (default []): An array of operators. See below for more details.
  • converter (default { max_flush_count: 100, flush_interval: 100ms, worker_count: max(1, runtime.NumCPU()/4) }): A map of key: value pairs to configure the converter from the receiver's internal entry.Entry type to the collector's pdata.LogRecord.
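Putting the pieces above together, here is a complete collector configuration that reads the three channels described earlier and ships them to Google Cloud Ops. This is an added example, not configuration from the original post or from observIQ; the receiver and exporter names are real, but the receiver instance names after the slash, the log.channel attribute, and the project ID are illustrative choices.

```yaml
# Added example config (not from the original post). One receiver instance per channel,
# batched, and exported with the googlecloud exporter. The exporter assumes Google
# Application Default Credentials are available on the host; the project ID shown is a placeholder.
receivers:
  windowseventlog/application:
    channel: Application
    start_at: end          # do not backfill history on first start; "beginning" does a one-time import
    poll_interval: 1s
    max_reads: 100
  windowseventlog/system:
    channel: System
    start_at: end
  windowseventlog/security:
    # The Security channel is only readable by SYSTEM, Administrators, or members of the
    # built-in "Event Log Readers" group, so the collector service account must be one of those
    # or this receiver will start but deliver nothing.
    channel: Security
    start_at: end
    attributes:
      log.channel: security   # illustrative attribute name, used to route or filter in the backend

processors:
  batch:
    timeout: 5s

exporters:
  googlecloud:
    project: my-gcp-project   # placeholder; omit to take the project from the credentials

service:
  pipelines:
    logs:
      receivers: [windowseventlog/application, windowseventlog/system, windowseventlog/security]
      processors: [batch]
      exporters: [googlecloud]
```

To check that the pipeline is working end to end, write a test event on the host with PowerShell (register a source with New-EventLog -LogName Application -Source otel, then Write-EventLog -LogName Application -Source otel -EventId 10 -EntryType Information -Message "Test log") and confirm a record with provider.name otel and event_id.id 10, like the sample output shown above, arrives in the backend. If Application events arrive but Security events do not, the service account permissions on the Security channel are the first thing to check.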

Related Content: Configuration Management in BindPlane OP

Operators

Each operator performs a simple responsibility, such as parsing a timestamp or JSON. Chain together operators to process logs into a desired format.

  • Every operator has a type.
  • Every operator can be given a unique ID. If you use the same type of operator more than once in a pipeline, you must specify an ID—otherwise, the ID defaults to the value of type.
  • Operators will output to the next operator in the pipeline. The last operator in the pipeline will emit from the receiver. Optionally, the output parameter can specify the ID of another operator to which logs will be passed directly.
  • Only parsers and general-purpose operators should be used.
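As an added example of chaining operators inside the windowseventlog receiver (this is not from the original post or from observIQ; the operator types filter, add and copy are real, while the operator IDs, the attribute names and the choice of event IDs are the author's illustration), the pipeline below drops two high-volume Windows Filtering Platform events on the host and tags the events a responder wants first:

```yaml
# Added example (not from the original post): operators on the Security channel receiver.
# Each operator has a type and a unique id, and passes its output to the next one.
receivers:
  windowseventlog/security:
    channel: Security
    operators:
      # 1. filter drops every entry for which expr is true. 5156 and 5158 (WFP permitted
      #    connection / bind) are noisy and rarely useful; 4688 (process creation) is also
      #    high volume but deliberately kept because it is one of the most valuable events.
      - type: filter
        id: drop_wfp_noise
        expr: 'body.event_id.id in [5156, 5158]'
      # 2. add sets an attribute only when the optional "if" expression holds. The list covers
      #    4624/4625 (logon success/failure), 4672 (special privileges assigned),
      #    4720 (user account created) and 1102 (audit log cleared).
      - type: add
        id: tag_high_interest
        if: 'body.event_id.id in [4624, 4625, 4672, 4720, 1102]'
        field: attributes.security.interest
        value: high
      # 3. copy promotes the provider name out of the body so the backend can index it
      #    without parsing the whole record. This is the last operator, so it emits from the receiver.
      - type: copy
        id: copy_provider
        from: body.provider.name
        to: attributes.provider
```

Filtering on the host keeps the noise off the network and out of the storage bill, but be conservative: dropping an event ID here removes it from the backend permanently, so treat the drop list as part of the detection configuration and review it with the same care as an alert rule.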

observIQ’s distribution of the OpenTelemetry collector is a game-changer for companies looking to implement OpenTelemetry standards. The single-line installer, seamlessly integrated receivers, exporter, and processor pool make working with this collector simple. Follow this space to keep up with all our future posts and simplified configurations for various sources. For questions, requests, and suggestions, contact our support team at support@observIQ.com.
