How to Get Windows Logs into Immediate Insight
The logSender.ps1 PowerShell script sends all logs from $logSrc to Immediate Insight. Unlike many other systems, Windows does not send out logs directly via syslog. Many organizations use agent software (e.g. SNARE) to gather Windows logs; if you have such a solution in place, you can forward the logs from that solution to Immediate Insight. However, if you don't have such a solution in place, the free scripts below provide another method to get Windows logs into Immediate Insight.
** Do not use this script for sending Security logs **
** Use the securityLogSender.ps1 script instead **
The scripts described in this article can be obtained by emailing email@example.com.
Immediate Insight must be running and reachable from the Windows Server where this data transfer agent is installed.
- Edit /home/insight/app/search/tools/windows/logSender.ps1 and set the connection parameters:
$iiIP = '' (example: '10.140.2.45')
$iiPort = '' (example: '3000')
$protocol = '' (example: 'UDP')
$localLog = '' (example: 'c:\users\Administrator\iiLogSender.log')
Specify the log source’s Full Name (may be different from the display name). Note: Security logs are not supported with this particular script.
$logSrc = 'System'
Right-click the log and choose Properties to view its Full Name, for example:
Set the logging level
Y means the header + message are sent.
N means only the message is sent.
$sendEntireLog = 'Y'
Keep a copy of each log in the $localLog
$copyLogLocally = 'N'
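The article describes what the script's settings control but does not show the script itself (it is obtained by email). The following is an added illustration of that mechanism, not the vendor's logSender.ps1: it reads the newest records from $logSrc, builds either a header + message line or a message-only line according to $sendEntireLog, sends each line over UDP or TCP to $iiIP:$iiPort, and optionally appends a copy to $localLog. The state file, the header layout and the batch size are assumptions made for this example.

```powershell
# Added illustration of the logSender.ps1 approach; not the vendor's script.
# Assumes Immediate Insight accepts one raw text line per event on $iiIP:$iiPort.
$iiIP           = '10.140.2.45'                       # constructed example address
$iiPort         = 3000
$protocol       = 'UDP'                               # or 'TCP'
$localLog       = "$env:USERPROFILE\iiLogSender.log"
$logSrc         = 'System'                            # Full Name of the log; not for Security logs
$sendEntireLog  = 'Y'                                 # Y = header + message, N = message only
$copyLogLocally = 'N'
$stateFile      = "$env:USERPROFILE\iiLogSender.state" # hypothetical: remembers last RecordId sent

function Format-IIEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$EntireLog)
    # Flatten the message so one Windows event always arrives as one line.
    $message = ($Event.Message -replace "`r?`n", ' ').Trim()
    if ($EntireLog -eq 'Y') {
        $header = '{0} {1} {2} EventID={3} Level={4}' -f $Event.TimeCreated.ToString('o'),
                  $Event.MachineName, $Event.ProviderName, $Event.Id, $Event.LevelDisplayName
        return "$header $message"
    }
    return $message
}

function Send-IILine {
    param([string]$Line, [string]$Address, [int]$Port, [string]$Proto)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Line + "`n")
    if ($Proto -eq 'TCP') {
        $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
        try { $stream = $client.GetStream(); $stream.Write($bytes, 0, $bytes.Length) }
        finally { $client.Close() }
    } else {
        $client = New-Object System.Net.Sockets.UdpClient
        try { [void]$client.Send($bytes, $bytes.Length, $Address, $Port) }
        finally { $client.Close() }
    }
}

# The task fires on every new event, but several events can land between two runs.
# Tracking the last RecordId sent avoids losing or duplicating events in that case.
$lastSent = 0
if (Test-Path $stateFile) { $lastSent = [int64](Get-Content $stateFile -Raw).Trim() }

$pending = Get-WinEvent -LogName $logSrc -MaxEvents 200 -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordId -gt $lastSent } |
           Sort-Object RecordId                         # send in chronological order

foreach ($evt in $pending) {
    $line = Format-IIEvent -Event $evt -EntireLog $sendEntireLog
    Send-IILine -Line $line -Address $iiIP -Port $iiPort -Proto $protocol
    if ($copyLogLocally -eq 'Y') { Add-Content -Path $localLog -Value $line }
    $lastSent = $evt.RecordId
}
Set-Content -Path $stateFile -Value $lastSent
```

Because the message text is joined onto a single line before sending, each event reaches the collector as exactly one line, which sidesteps the need for a multiline delimiter on the Immediate Insight side. The same script can be saved under a different file name with another $logSrc (for example 'Application') when a second log category is to be forwarded.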
- Copy logSender.ps1 to the Windows Server (for example, the Administrator account's home directory).
- In the Computer Management utility on the Windows Server to be monitored:
- Right click the log category (must be the same as $logSrc defined in the PowerShell script) and select the 'Attach a Task To this Log...' menu choice.
- For the action, select 'Start a Program' and enter:
Add arguments: -file path to the copied logSender.ps1
Exactly what the arguments look like depends on where you put things and on your user account privileges. Here is one example:
- After adding the task
Open the Task Scheduler node
Select 'Event Viewer Tasks'
Select the task you added in the previous step
Click Properties in the right pane. Action > Refresh might be needed if you don't see the new task.
Set the following property:
General tab: Run whether user is logged on or not
- After editing the properties,
Disable then Enable the new task. It will run automatically when a new event arrives.
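The steps above attach the task through the Event Viewer GUI. As an added example that is not part of the article, the same event-triggered task can be registered from an elevated PowerShell prompt with schtasks.exe, which is easier to repeat on many servers or for several log categories. The script path and task name are assumptions; the path is assumed to contain no spaces.

```powershell
# Added example; not from the article. Run from an elevated PowerShell prompt.
$scriptPath = 'C:\Users\Administrator\logSender.ps1'   # assumed location of the copied script
$logSrc     = 'System'                                 # must match $logSrc inside the script
$taskName   = "Immediate Insight - $logSrc"            # constructed task name

# /SC ONEVENT with /EC selects the log channel and /MO is the XPath event filter
# ('*' = every event in that channel). /RU SYSTEM gives the equivalent of the
# "Run whether user is logged on or not" setting chosen in the GUI procedure.
schtasks.exe /Create /F /TN $taskName /SC ONEVENT /EC $logSrc /MO '*' `
    /TR "powershell.exe -NoProfile -File $scriptPath" /RU SYSTEM

# Confirm the trigger and, as the article advises, disable then enable the task once.
schtasks.exe /Query /TN $taskName /V /FO LIST
schtasks.exe /Change /TN $taskName /DISABLE
schtasks.exe /Change /TN $taskName /ENABLE
```

The local execution policy must allow the script to run under the SYSTEM account (sign the script, or set a policy such as RemoteSigned), otherwise the task starts but powershell.exe exits without sending anything. Running the same block with a different $logSrc and a second copy of the script registers the additional task the article's final note calls for.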
- On the Immediate Insight server, create a data collector for the $iiPort and $protocol defined in step 1.
Note: the name of the source data collector is added as metadata to each event from the source so naming the collectors can help isolate data when searching.
Note: if Immediate Insight brings individual Windows logs in on multiple lines, you can help it work out where one event ends and the next begins by setting the Multiline delimiter (configured on the Collector). For example, in some environments the following works well:
Note: if you wish to forward other categories of Windows logs (for example $logSrc = 'Application'), you will need to repeat this procedure with a separate copy of logSender.ps1, saved under a different file name so that it can be attached as a separate task.