Set Up Windows Event Monitoring
The Windows event log is written by the Windows operating system to record events related to OS operations, file access, user access, and the applications running on the host. These logs provide insight into security posture as well as application performance and faults.
The types of events logged in the Windows Event logs are broadly classified as follows:
- Application: Errors and events related to the applications installed on the Windows instance.
- Security: File and user access events. These are recorded through Windows auditing, so the Security channel only contains the events that the host's audit policy actually enables.
- Setup: Installation-related events.
- System: Events related to the Windows OS and its components.
Oracle Logging Analytics provides Oracle-defined log sources that match the Windows event classification, so that all kinds of collected data can be processed:
- Windows Application Events
- Windows Security Events
- Windows Setup Events
- Windows System Events
Oracle Logging Analytics can collect all historic Windows Event Log entries and supports the standard Windows channels as well as custom event channels.
Overall Flow for Collecting Windows Event Logs
The following are the high-level tasks for collecting log information from your host:
- Install Management Agents on your Windows hosts. See Set Up Continuous Log Collection From Your Hosts.
- Create the Windows entity. See Create an Entity to Represent Your Log-Emitting Resource.
- Identify a log source from the existing set of sources, both Oracle-defined and user-defined. If no existing source is suitable for your requirement, create one. See Create a Windows Event Source.
- Associate the entities with the source that you created earlier. See Configure New Source-Entity Association. After the association is complete, the logs start flowing into Oracle Logging Analytics.
- View the log data in the Log Explorer by selecting the Windows Event source that you created earlier. See Filter Logs by Source Attributes.
Create a Windows Event Source
Oracle Logging Analytics already provides several Oracle-defined log sources for Windows Event collection. Check whether one of the available Oracle-defined or user-defined sources meets your requirement. If not, use the following steps to create a new log source:
- Open the navigation menu and click Observability & Management. Under Logging Analytics, click Administration. The Administration Overview page opens. The administration resources are listed in the left-hand navigation pane under Resources. Click Sources. The Sources page opens. Click Create Source.
- In the Name field, enter the name of the source. Optionally, add a description.
- From the Source Type list, select Microsoft Windows. With this option, all historic Windows Event Log entries as well as records from custom event channels can be collected. This source type does not require the Log Parser field. The default entity type Host (Windows) is selected automatically and cannot be changed.
- Specify an event service channel name. The channel name must exactly match the name of the Windows event log channel as shown in Event Viewer (for example Application or Security, or the full name of a custom channel), so that the agent can form the association and pick up the logs. A channel that does not exist or is disabled on the host yields no data.
- To restrict collection to specific event IDs, add Data Filters. See Use Data Filters in Sources.
- Click Create Source.
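Because the source definition only references a channel by name, the usual failure is a channel name that does not match, a channel that is disabled, or a Security channel whose audit policy produces nothing to collect. The following PowerShell script is an added example, not part of the Oracle documentation or the Management Agent; it runs on the Windows host (in an elevated session) before you create the source. The channel names in the `$Channels` list are assumptions chosen for the demonstration and should be replaced with the channels you intend to collect.

```powershell
# Added example (not Oracle's code): pre-flight checks on a Windows host before
# creating a "Microsoft Windows" source in Oracle Logging Analytics.
# Run in an elevated PowerShell session on the host that carries the Management Agent.
param(
    # Assumed channel names for the demo: two built-in channels and one custom
    # (vendor-named) channel that exists on current Windows builds.
    [string[]]$Channels = @('Application', 'Security', 'Microsoft-Windows-PowerShell/Operational')
)

function Test-EventChannel {
    param([Parameter(Mandatory)][string]$Name)
    # Get-WinEvent -ListLog looks the channel up by exact name (case-insensitive,
    # but the slash and the full vendor prefix of custom channels must be present).
    # A name that does not resolve here will not resolve for the agent either.
    try {
        $log = Get-WinEvent -ListLog $Name -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Channel = $Name; Exists = $false; Enabled = $null; Records = $null; LastWrite = $null }
    }
    [pscustomobject]@{
        Channel   = $log.LogName        # canonical spelling to paste into the source definition
        Exists    = $true
        Enabled   = $log.IsEnabled      # a disabled channel produces nothing to collect
        Records   = $log.RecordCount
        LastWrite = $log.LastWriteTime  # an old timestamp means the channel is not being written
    }
}

# 1. Confirm every planned channel exists and is enabled.
$Channels | ForEach-Object { Test-EventChannel -Name $_ } | Format-Table -AutoSize

# 2. When unsure of a custom channel's exact name, list by wildcard and copy LogName verbatim.
Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell*' -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount

# 3. The Security channel only contains what the local audit policy enables.
#    Any subcategory reported as "No Auditing" will never reach the collector,
#    regardless of how the source or its data filters are configured.
auditpol /get /category:*

# 4. Preview which event IDs the host actually emitted in the last 24 hours, so that
#    the Data Filters you add to the source reference IDs that really occur here.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 @{ Name = 'EventId'; Expression = { $_.Name } }, Count
```

If step 1 reports `Exists = False` for a channel, fix the name before creating the source; if the Security channel shows a recent `LastWrite` but step 4 returns none of the IDs you care about, the gap is in the host's audit policy rather than in Oracle Logging Analytics.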