Sumo Logic

Prerequisites for Windows Log Collection


Sumo Logic requires a few extra steps when you set up collection in a Windows environment. For remote file collection from Windows systems, choose one of the two methods described in this topic:

  • Set up a UNC Share Path to collect Windows logs using CIFS/SMB
  • Set up a third-party tool on the target system to handle SSH

Collect Windows Logs from a UNC Share Path

As an alternative to using SSH for remote Windows collections, Sumo Logic Collectors can collect files remotely using CIFS/SMB by configuring a Local File Source (not a Remote File Source) with a UNC share path.

The required steps are outlined below. Before you begin, note that the Collector must reside within the same Active Directory domain as the target host, and the target host must allow access to the share without prompting for a password.

Step 1. Install a Sumo Logic Collector.

Install the Sumo Logic Collector on a machine within the same Active Directory domain as the target system where files reside.

Step 2. Set UNC share permissions.

  1. Set up the UNC share permissions (Share with "Everyone" and "Read-Only") for the folder on the target machine.
    • Open Explorer in the machine where the files reside.
    • Right-click the log directory, and select Properties.
    • Click Advanced Sharing.
    • In the Advanced Sharing dialog, give the log directory a share name (or just use the actual folder name), and then click Permissions.
    • Set the permissions for Everyone to Read.
      NOTE: The Collector runs in the System context and cannot use drive mappings created by users who log on interactively. For example, if you map the network drive \\192.168.0.16\logs to Z:\logs, the Collector will not be able to access the Z:\ drive. Instead, specify the full UNC path in your Source Path Expression (for example, \\192.168.0.16\logs\filename.log) and set the permissions on the remote share to allow Read access to Everyone.
  2. Click OK. When the Permissions dialog closes, you will see your UNC path listed under Network Path. This is the exact path you will enter when you are configuring a Local File Source in the Sumo Logic Web Application.
  3. Verify that you have set up the share correctly. Open Explorer on the machine where the Collector is installed. Type in the UNC share path. If you can see the log files listed, you can collect them. If Explorer asks you to enter a password, then you have not set up permissions correctly. Make sure that permissions for the folder are set to "Everyone" and "Read-Only."
  4. From the Sumo Logic Web Application, create a new Local File Source.
  5. Enter the file path to the UNC share. For this example, the UNC path looks like this: 
    \\WIN-QR0406514NE\c$\LogFiles\*

In general, a UNC path has the format \\server\share\file_path:

    • server is the server name set by a system administrator, or an IP address.
    • share is the labeled share point created by an administrator, as in Step 2.
    • file_path is the path of the local sub-directories beneath the share point.

  6. Save your Local File Source configuration. Wait a few seconds, and then click the Status tab to check the message volume for the Collector.
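The share setup and the verification in step 3 can be scripted rather than clicked through. The following is an added example, not code from the Sumo Logic documentation; it assumes the log directory C:\LogFiles, the share name "LogFiles" and the target host name WIN-QR0406514NE from the example above, and uses the built-in SmbShare module. It also checks something the Explorer test does not show directly: access over SMB is the intersection of the share permissions and the NTFS permissions on the folder, so a Read grant is needed at both layers.

```powershell
# Added example, not from the Sumo Logic documentation. Assumed values: the log
# directory C:\LogFiles, the share name "LogFiles" and the target host
# WIN-QR0406514NE; substitute your own.
#Requires -Modules SmbShare

function Publish-ReadOnlyLogShare {
    # Run on the TARGET host (where the log files live) from an elevated PowerShell.
    param(
        [string]$LogDir    = 'C:\LogFiles',
        [string]$ShareName = 'LogFiles'
    )

    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        # Share-level ACL: Everyone gets Read only, matching the "Everyone / Read" step.
        New-SmbShare -Name $ShareName -Path $LogDir -ReadAccess 'Everyone' | Out-Null
    }

    # Effective access over SMB is the intersection of the share ACL and the NTFS ACL,
    # so both must grant Read. Share side first:
    Write-Host "Share permissions on \\$env:COMPUTERNAME\$ShareName"
    Get-SmbShareAccess -Name $ShareName |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize

    # NTFS side. The Collector runs as SYSTEM, so across the domain it authenticates as
    # its host's computer account (DOMAIN\HOST$); Everyone and Authenticated Users both
    # cover that account. List every ACE that carries the ReadData right.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    Write-Host "NTFS permissions on $LogDir that include Read"
    (Get-Acl -LiteralPath $LogDir).Access |
        Where-Object { ($_.FileSystemRights -band $readData) -ne 0 } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}

function Test-LogShareAccess {
    # Run on the COLLECTOR host. A correctly shared folder lists its files with no
    # credential prompt, which is what step 3 above checks by hand in Explorer.
    param(
        [string]$TargetHost = 'WIN-QR0406514NE',
        [string]$ShareName  = 'LogFiles'
    )
    $uncPath = "\\$TargetHost\$ShareName"
    if (-not (Test-Path -LiteralPath $uncPath)) {
        Write-Warning "$uncPath is not reachable as $env:USERDOMAIN\$env:USERNAME; re-check share and NTFS permissions."
        return $false
    }
    Get-ChildItem -LiteralPath $uncPath -Filter '*.log' |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
    return $true
}

# Publish-ReadOnlyLogShare    # on the target host
# Test-LogShareAccess         # on the Collector host
```

Test-LogShareAccess runs as whoever opened the PowerShell window, whereas the Collector runs as SYSTEM. To see the share exactly as the Collector will, run the same check from a shell started in the System context (for example with Sysinternals PsExec: psexec -s -i powershell.exe); a share that works for your user but not from that shell usually has an NTFS ACL that grants your account but not Everyone or Authenticated Users.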

Use a third-party client to handle SSH in Windows

There are two options for collecting Windows logs remotely:

  • Set up a Local File Source to collect remote files via CIFS/SMB, as described in the previous section.
  • Set up a Remote File Source to collect via SSH. This section describes the steps to enable SSH collection.

Windows does not handle SSH natively. You will need to install a third-party product (OpenSSH) to enable this type of collection.

To install OpenSSH and Cygwin:

  1. Download OpenSSH from Sourceforge.
  2. Install OpenSSH to C:\OpenSSH or another directory.
  3. Download and install Cygwin.
  4. Open a cmd window and start the SSH service: run "net start opensshd".
  5. SSH into the Windows system. Verify that SSH works and that you can tail a file. For example, for a user called "mandy", run the following commands in a terminal:

ssh mandy@192.168.1.114

(enter password)

tail -f -n+1 /cygdrive/c/mandy\ test/6.log

When you configure the Remote File Source to collect from the Windows machine, make sure to:

  1. Specify the host as the Windows system.
  2. Specify the File path starting with /cygdrive. For example, enter "/cygdrive/c/mandy\ test/6.log" in the File field if the path is "C:\mandy test\6.log".

Use "\" to escape any spaces if they are present in the file path.
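The translation from a Windows path to the /cygdrive form is mechanical, and getting it wrong (a stray drive colon, an unescaped space) is the usual reason a Remote File Source finds no file. The following helper is an added example, not code from the Sumo Logic documentation or the Cygwin project; it applies exactly the rules above (lower-case drive letter under /cygdrive, backslashes to slashes, spaces escaped with a backslash) and rejects anything that is not an absolute local path, so a UNC path cannot be mis-translated silently. The sample path C:\mandy test\6.log is the page's own.

```powershell
# Added example, not from the Sumo Logic documentation. Converts an absolute Windows
# path into the escaped /cygdrive form used in the Remote File Source File field.
function ConvertTo-CygwinPath {
    param([Parameter(Mandatory)][string]$WindowsPath)

    # Only absolute local paths (drive letter, colon, backslash) are accepted; a UNC
    # path such as \\server\share is rejected rather than silently mis-translated.
    if ($WindowsPath -notmatch '^(?<drive>[A-Za-z]):\\(?<rest>.+)$') {
        throw "Expected an absolute local path such as C:\dir\file.log, got '$WindowsPath'"
    }
    $drive = $Matches['drive'].ToLower()          # Cygwin mounts C:\ as /cygdrive/c
    $rest  = $Matches['rest'] -replace '\\', '/'  # backslash separators become slashes
    $rest  = $rest -replace ' ', '\ '              # escape spaces with a backslash
    return "/cygdrive/$drive/$rest"
}

ConvertTo-CygwinPath 'C:\mandy test\6.log'
```

For the page's sample path this yields /cygdrive/c/mandy\ test/6.log, the same string shown in step 2 above; the escaped form is also what you would type after the tail command when verifying access over SSH, since the shell on the Cygwin side treats the backslash as an escape for the space.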