A recommended solution for sending logs from Windows is to use NXLog Community Edition.
The exact steps are following:
Step 1: Install NXLog
Head to NXlog Community Edition download page, download the MSI package and install it.
Step 2: Prepare the config
Open the config file which by default is installed in
C:\Program Files (x86)\nxlog\conf\nxlog.conf and add following entries (administrator privileges are needed to do so).
<Input msevents> Module im_msvistalog Query <QueryList> \ <Query Id="0"> \ <Select Path="Application">*</Select> \ <Select Path="System">*</Select> \ <Select Path="Security">*</Select> \ <Select Path="Directory Service">*</Select> \ </Query> \ </QueryList> Exec to_syslog_ietf(); Exec $raw_event = to_json(); Exec $raw_event = replace($raw_event, $raw_event, '[LOGSENSE_TOKEN]' + $raw_event); </Input> <Output logsense> Module om_ssl Host logs.logsense.com Port 32614 AllowUntrusted TRUE </Output> <Route logsense_msevents> Path msevents => logsense </Route> <Extension json> Module xm_json </Extension>
In case you are using non-standard environment, make sure that the required modules are also present:
<Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension>
Step 3: Start the service
Open the Services console as (either by going to
Control Panel → System and Security → Administrative Tools → Services.
or by executing
services.msc in the Command Prompt) and
nxlog service. If you’d like the service to start automatically after the reboot you can change the Startup Type to
If it starts without errors, it should start sending
records to logsense.com, where they should be visible in the logs view
(you can put into search box
logs.SourceModuleName=msevents to filter for them).
In case of troubleshooting, nxlog logs are available at
(x86)\nxlog\data\nxlog.log, assuming you have used the default installation folder.