Windows Event Logs

LogLogic® Universal Collector can collect Windows Event Logs on Windows systems. However, LogLogic® Universal Collector installed on Linux systems does not include the Windows event collector, so Windows event collection from Linux systems is not supported.

The supported Windows versions for remote collection are Windows 2008 R2, Windows 10, Windows 2012 R2, Windows 2016 (64-bit) and Windows 7 (32/64-bit).

Note: LogLogic® Universal Collector must forward Windows logs to the LogLogic LMI appliance by using the ULDP. Windows logs collected by LogLogic® Universal Collector are forwarded in a format based upon the Snare over Syslog format. Because the Snare over Syslog and Snare formats are not 100% identical, subtle differences might exist for certain messages. For details, see Event Output Format.

Non-administrator user accounts can collect Windows Event Logs from remote Windows hosts. For administrator user accounts, LogLogic® Universal Collector auto-discovers the platform family and language type of the remote event host. For non-administrator user accounts, you must manually set the platform and language type on each Windows event host by using the advanced option, and you must also apply the following configuration settings:

  • Enable the Remote Registry Service on the remote event host
  • On Windows 2008, Windows 7, Windows 2012 systems when collecting Windows Event Logs on Domain member systems, the non-administrator domain user must be added to the Event Log Readers Group of the Domain member systems.

Note: WMI ports must be opened from LogLogic® Universal Collector to the Windows host for successful auto-discovery of the Windows version of the remote log source.
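The following PowerShell script is an added example, not LogLogic documentation code, that checks the three prerequisites above on a Windows event host and also flags the collector account if it holds broader rights than Event Log Readers membership requires; the account name and domain are constructed placeholders.

```powershell
# Added example (not LogLogic documentation code): verifies, on a Windows
# event host, the prerequisites for non-administrator collection described
# above. Run in an elevated PowerShell session on the host being collected from.
# The account below is a constructed placeholder; replace it with the real
# domain account that LogLogic Universal Collector uses.
param(
    [string]$CollectorAccount = 'EXAMPLEDOMAIN\svc-loglogic'
)

$findings = @()

# 1. Remote Registry Service must be running (and not disabled).
$rr = Get-Service -Name 'RemoteRegistry'
if ($rr.Status -ne 'Running') {
    $findings += "RemoteRegistry is $($rr.Status); StartType=$($rr.StartType)"
}

# 2. On domain member systems the non-administrator domain user must be a
#    member of the Event Log Readers group.
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction Stop
if (-not ($readers.Name -contains $CollectorAccount)) {
    $findings += "$CollectorAccount is not in 'Event Log Readers'"
}

# Least-privilege check: reading event logs does not require local
# Administrators membership, so flag it if the collector account has it.
$admins = Get-LocalGroupMember -Group 'Administrators'
if ($admins.Name -contains $CollectorAccount) {
    $findings += "$CollectorAccount is in local Administrators (broader than needed)"
}

# 3. WMI inbound firewall rules must be enabled so the collector can
#    auto-discover the Windows version of this host.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound
$disabled = $wmiRules | Where-Object { $_.Enabled -ne 'True' }
if ($disabled) {
    $findings += "WMI inbound rules disabled: $($disabled.DisplayName -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output "All prerequisites satisfied for $CollectorAccount"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Remediation for a failed check uses the corresponding built-in cmdlets (Set-Service / Start-Service, Add-LocalGroupMember, Enable-NetFirewallRule); the script only reports, so it is safe to run repeatedly as a drift check.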