
Remote Windows Event Log Source

Set up a Remote Windows Event Log Source to use a single Sumo Logic Collector to collect Windows event log entries from multiple remote systems.

Note the following about setting up a Remote Windows Event Log Source:

  • Remote Windows Event Sources can only be run on, and collect remotely from, systems running Windows Server 2008 (Windows Vista) or later.
  • It isn't necessary for the remote systems to have a Sumo Logic collector installed. 
  • You can specify a comma-separated list of remote hostnames to collect from.
  • You'll need to configure a few settings to enable remote access.

To configure a remote Windows Event Log Source

  1. Complete the prerequisites for collecting remote events.
  2. In Sumo Logic select Manage Data > Collection > Collection.
  3. Find the name of the installed collector to which you'd like to add a source. Click Add and then choose Add Source from the pop-up menu.
  4. Select the Windows Event Log source.
  5. Choose Remote for Type of Windows Source.
  6. Set the following:
    • Name. Type the name you'd like to display for this source in the Sumo Logic Web Application. 
    • Description. Optional description.
    • Windows host(s). Enter one or more hostnames for the Windows machines from which you want to collect Windows Events. If you'd like to collect from more than one remote host, separate the hostnames with a comma. (If you enter more than one hostname, each host must allow event log access from the same domain user. See the prerequisites for more information.) The hostname can be a maximum of 128 characters.
    • Source Category. Enter a string to tag the output collected from this source with searchable metadata. For example, typing web_apps tags all the logs from this Source in the sourceCategory field. For more information, see Metadata Naming Conventions. If the source you are configuring is on the same installed collector as a Docker log source, you can construct the Source Category metadata field using Docker variables. For more information, see Configuring sourceCategory using variables below.
    • Windows Domain. Type the name of the Windows domain, the username for this host, and the password.
    • Windows Event Types. Select the event types you want to collect:
      • Standard Event Channels. Select the main check box for all types, or individual check boxes for specific types (Security, Application, and/or System).
      • Custom Event Channels. Specify, in a comma-separated list, the channels you'd like to collect from. If you need help finding channels on the machine where the Source is installed, see Windows Event Source Custom Channels.

    • Metadata. Choose whether you would like the collector to minimize the amount of data collected by omitting the full message text of each event. Core metadata fields such as event ID, timestamp, user name, as well as the unformatted event data will still be present. This can reduce data usage and increase event throughput, but will prevent many dashboards and apps from correctly extracting data.

    • Collection should begin. Choose or enter how far back you'd like to begin collecting historical logs. You can either:
      • Choose a predefined value from the dropdown list, ranging from “Now” to “24 hours ago” to “All Time”, or
      • Enter a relative value. To enter a relative value, click the Collection should begin field and press the delete key on your keyboard to clear the field. Then, enter a relative time expression, for example “-1w”. You can define when you want collection to begin in terms of months (M), weeks (w), days (d), hours (h) and minutes (m).
    • Security Identifier. Newer collectors can map security identifiers (SIDs) to usernames. Choose:
      • Both Security Identifier and Username
      • Security Identifier Only
      • Username Only
    • Create any Processing Rules you'd like for the new source.
  7. Click Save.

You can return to this dialog and edit the settings for the source at any time.

Configuring sourceCategory using variables

In collector version 19.216-22 and later, if you have a Docker logs source on the same installed collector where you are configuring the new source, you can define the sourceCategory (and sourceHost, if the source supports that field) for the new source using system environment variables defined on the collector’s host. To do so, reference the environment variables in the metadata field using this form:

{{sys.VAR_NAME}} 

Where VAR_NAME is an environment variable name, for example:

{{sys.PATH}}

You can use multiple variables, for example:

{{sys.PATH}} - {{sys.YourEnvVar}}

You can incorporate text in the metadata expression, for example:

AnyTextYouWant {{sys.PATH}} - {{sys.YourEnvVar}}

If a user-defined variable doesn’t exist, that portion of the metadata field will be blank.
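The substitution rules above, worked through as an added example (this is illustrative code, not the collector's own implementation): `{{sys.VAR_NAME}}` tokens are replaced from a variable table, literal text is kept, and an undefined variable leaves its portion blank. The `preview()` helper additionally reports which tokens resolved blank, so a mistyped variable name can be caught before the Source is saved. The `SAMPLE_ENV` values are constructed for the example.

```python
import os
import re

# Matches {{sys.NAME}} tokens in the form the page describes. The pattern and
# the functions below are this example's own, not Sumo Logic collector code.
# The name part accepts any characters except braces, since Windows variable
# names may contain characters such as parentheses (assumption).
_TOKEN = re.compile(r"\{\{sys\.([^{}]+)\}\}")


def expand_metadata(template, env=None):
    """Expand {{sys.VAR}} references in a sourceCategory/sourceHost template.

    Each token becomes the value of the named variable. A variable that is
    not defined becomes an empty string, mirroring the page's note that a
    missing user-defined variable leaves that portion of the field blank.
    Text outside the tokens is kept unchanged.
    """
    lookup = os.environ if env is None else env
    return _TOKEN.sub(lambda m: lookup.get(m.group(1), ""), template)


def preview(template, env):
    """Return (expanded value, list of token names that were not defined).

    Lets an operator see the metadata the collector would emit and spot
    typos in variable names that would otherwise silently produce blanks.
    """
    missing = [name for name in _TOKEN.findall(template) if name not in env]
    return expand_metadata(template, env), missing


# Constructed stand-in for the environment variables on the collector host.
SAMPLE_ENV = {
    "PATH": "C:\\Windows\\system32",
    "YourEnvVar": "dc01",
}

if __name__ == "__main__":
    for tpl in ("{{sys.PATH}}",
                "{{sys.PATH}} - {{sys.YourEnvVar}}",
                "AnyTextYouWant {{sys.PATH}} - {{sys.YourEnvVar}}",
                "win/{{sys.YourEnvVar}}/{{sys.NOT_DEFINED}}"):
        value, missing = preview(tpl, SAMPLE_ENV)
        print(f"{tpl!r} -> {value!r}  undefined={missing}")
```

Passing no `env` makes the functions read the real process environment, which on Windows is case-insensitive in `os.environ`; the sample dict is matched exactly.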