Logging from Windows

[obsolete]

Windows doesn't log exactly like other operating systems. Still, we love logs, so we'll be happy to take them if you're happy to do a little bit of legwork to forward 'em on to us.


Log via nxlog

nxlog is an open-source syslog agent that can be run on Windows. It's easy to set up syslog over TCP or UDP, and even TCP over TLS is simple. It's very flexible and easy to configure. Their site has an MSI that's available for download.

Log via Powershell

Windows PowerShell is Microsoft's task automation framework, consisting of a command-line shell and associated scripting language built on top of, and integrated with, the .NET Framework. Logging from PowerShell can be done with a simple POST to Loggly's input APIs:

$url="https://logs.loggly.com/inputs/dddef1fb-5214-4106-9ddd-6956201cddce"
$webClient = New-Object System.Net.WebClient
$webClient.UploadString($url,"Bill Gates was here.")

To test, you can paste the above strings straight into the PowerShell terminal (editing your input key of course).

Once the event makes its way into Loggly, you can search for it.

Log via Snare

Snare is a group of open-source agents used to collect audit log data from a variety of operating systems and applications to facilitate centralized log analysis. It's one of the better solutions for forwarding logs off a Windows box into a central syslog based server.

Download Snare

.Net Framework

Karl Seguin has written a nice little .NET driver which is housed on Github: https://github.com/karlseguin/loggly-csharp. The driver allows you to use HTTP/HTTPS inputs to send events into Loggly. After you send in events, you can search for them.

Start by creating an HTTP input in your account, then hop over to Karl's project to install and configure the driver.

Sending

Create a new Logger with your input key:

var logger = new Logger("my-long-key-that-i-got-when-setting-up-my-http-input");

Note: You can use either a synchronous or asynchronous logging method when sending.

You can also send logs to Loggly using plain PowerShell:

$url="your http input url"
$webClient = New-Object System.Net.WebClient
$webClient.UploadString($url,"Hello from Powershell !")

Searching

Setup the username/password you want to connect with:

LogglyConfiguration.Configure(c => c.AuthenticateWith("username", "password"));

Next, create a searcher with your domain:

var searcher = new Searcher("mydomain");

You'll use the various search methods to conduct your searches.

Note: Searching is a synchronous process.

Log via NTSyslog

NTSyslog is an MSI program for Windows which runs as a service. It formats all system, security, and application events into a single line and forwards them to a remote syslog service. In order to use NTSyslog effectively with Loggly we recommend using a Syslog aggregator that relays logs collected by NTSyslog to Loggly via TLS, UDP, or TCP. If you need help getting a Syslog aggregator up and running please email support@loggly.com. When setting up NTSyslog click "Syslog Daemons" and enter your Syslog aggregator's DNS alias on the local network or use its IP address.

Download NTSyslog

Logging multi-line events

Use .NET to get newly written events and then send them over HTTPS/JSON.

Check out EventLoggly, written by our friend MichaelGG.
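As an added example (not code from the original page or from EventLoggly), the following PowerShell script does what this section describes: it reads Security events written since its last run with Get-WinEvent, flattens each record (multi-line message included) into one JSON object, and POSTs it over HTTPS to an HTTP input. The input URL and the state-file path are placeholders; it assumes PowerShell 3.0 or later and an elevated session, since reading the Security log requires administrator rights.

```powershell
# Added example, not part of the original page. Replace the placeholder URL
# with your own HTTP input URL and treat it as a secret: anyone holding it
# can write events into your account.
$InputUrl  = "https://logs.loggly.com/inputs/YOUR-INPUT-KEY-HERE"
$StateFile = Join-Path $env:ProgramData "loggly-forwarder\last-run.txt"   # assumed path

# Older Windows PowerShell defaults to TLS 1.0; insist on TLS 1.2 for the POST.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# High-water mark: only forward events newer than the previous run.
$since = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile) }
         else { (Get-Date).AddMinutes(-5) }
# Take the new mark before querying so events arriving during the run are not lost.
$now = Get-Date

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # One JSON object per event; the message may span several lines, which is
    # fine inside a JSON string but would break a line-oriented syslog relay.
    $record = [ordered]@{
        timestamp = $e.TimeCreated.ToUniversalTime().ToString("o")
        host      = $env:COMPUTERNAME
        log       = $e.LogName
        eventId   = $e.Id
        level     = $e.LevelDisplayName
        provider  = $e.ProviderName
        message   = $e.Message
    }
    $json = $record | ConvertTo-Json -Compress
    try {
        # Same POST as the WebClient call earlier on this page, via the cmdlet form.
        Invoke-RestMethod -Uri $InputUrl -Method Post -ContentType 'application/json' `
                          -Body $json | Out-Null
    } catch {
        Write-Warning "Failed to send event $($e.Id): $_"
    }
}

# Persist the mark only after the batch has been processed.
New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
$now.ToString("o") | Set-Content $StateFile
```

Run it from a scheduled task every few minutes; a failed send is logged as a warning rather than silently dropped, so the Windows PowerShell task history shows gaps in forwarding.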
