Set up a Remote Windows Event Log Source to use a single Sumo Logic Collector to collect Windows event log entries from multiple remote systems.
Note the following about setting up a Remote Windows Event Log Source:
- Remote Windows Event Sources can only be run on, and collect remotely from, systems running Windows Server 2008 (Windows Vista) or later.
- It isn't necessary for the remote systems to have a Sumo Logic collector installed.
- You can specify a comma-separated list of remote hostnames to collect from.
- You'll need to configure a few settings to enable remote access.
To configure a remote Windows Event Log Source
- Complete the prerequisites for collecting remote events.
- In Sumo Logic select Manage Data > Collection > Collection (Manage > Collection in the classic UI).
- Find the name of the installed collector to which you'd like to add a source. Click Add and then choose Add Source from the pop-up menu.
- Select the Windows Event Log source.
- Choose Remote for Type of Windows Source.
- Set the following:
- Name. Type the name you'd like to display for this source in the Sumo Logic Web Application.
- Description. Optional description.
- Windows host(s). Enter one or more hostnames for the Windows machines from which you want to collect Windows Events. If you'd like to collect from more than one remote host, separate the hostnames with a comma. (If you enter more than one hostname, each host must allow event log access from the same domain user. See the prerequisites for more information.) The hostname can be a maximum of 128 characters.
- Source Category. Enter a string to tag the output collected from this source with searchable metadata. For example, typing web_apps tags all the logs from this Source in the sourceCategory field. For more information, see Metadata Naming Conventions.
- Windows Domain. Type the name of the Windows domain, the username for this host, and the password.
- Windows Event Types. Select the event types you want to collect:
- Standard Event Channels. Select the main check box for all types, or individual check boxes for specific types (Security, Application, and/or System).
- Custom Event Channels to specify, in a comma-separated list, the channels you'd like to collect from. If you need help finding channels on the machine where the Source is installed, see Windows Event Source Custom Channels.
- Metadata. Choose whether you would like the collector to minimize the amount of data collected by omitting the full message text of each event. Core metadata fields such as event ID, timestamp, user name, as well as the unformatted event data will still be present. This can reduce data usage and increase event throughput, but will prevent many dashboards and apps from correctly extracting data.
- Collection should begin. Choose how far back you'd like to begin collecting historical logs. For example, choose 7 days ago to begin collection with logs generated seven days ago. To begin more recently, choose 24 hours.
- Security Identifier. Newer collectors can map security identifiers (SIDs) to usernames. Choose:
- Both Security Identifier and Username
- Security Identifier Only
- Username Only
- Create any Processing Rules you'd like for the new source.
- Click Save.
You can return to this dialog and edit the settings for the source at any time.