You'll need to edit your collector.conf.
Use PowerShell to list event log names: Get-EventLog -List
Then, edit your collector.conf to add the logs you wish to monitor. You'll
have to specify each log separately. I haven't seen a way to monitor them
all. Perhaps someone else knows a way.
For example:
inputs {
  # Each input needs its own unique name; a repeated key silently overrides the earlier one.
  win-eventlog-application {
    type = "windows-eventlog"
    source-name = "Application"
    poll-interval = "1s"
  }
  win-eventlog-system {
    type = "windows-eventlog"
    source-name = "System"
    poll-interval = "1s"
  }
  win-eventlog-security {
    type = "windows-eventlog"
    source-name = "Security"
    poll-interval = "1s"
  }
  win-eventlog-hardwareevents {
    type = "windows-eventlog"
    source-name = "HardwareEvents"
    poll-interval = "1s"
  }
  win-eventlog-internet-explorer {
    type = "windows-eventlog"
    source-name = "Internet Explorer"
    poll-interval = "1s"
  }
  win-eventlog-key-management-service {
    type = "windows-eventlog"
    source-name = "Key Management Service"
    poll-interval = "1s"
  }
}
Save your config then restart the collector.
To test, I used PowerShell to send some logs.
New-EventLog -LogName "HardwareEvents" -Source "Test Source"
Write-EventLog -LogName "HardwareEvents" -Source "Test Source" -EntryType "Information" -Message "test message" -EventId 1
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/bedebfd9-f257-48e8-ad0a-e073b3b113c3%40googlegroups.com.
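Since the post notes that each log has to be listed separately, here is an added example (not from the original post or the Graylog project) that enumerates the classic event logs with Get-EventLog -List and generates one uniquely named input stanza per log. The output path, poll interval and exclusion list are assumed parameters; the uniqueness check matters because a repeated key name in the config overrides the earlier stanza rather than adding a second input.

```powershell
# Added example: generate collector.conf input stanzas for every classic event log.
# Assumptions: $OutFile is a placeholder path; $PollInterval mirrors the post's "1s".
param(
    [string]$OutFile = ".\collector-inputs.conf",   # hypothetical output path
    [string]$PollInterval = "1s",
    [string[]]$Exclude = @()                        # log names to skip, if any
)

# Turn a log name into a key that is safe as a config object name:
# lowercase, runs of non-alphanumerics become '-', e.g. "Key Management Service"
# becomes "win-eventlog-key-management-service".
function ConvertTo-InputName {
    param([string]$LogName)
    $slug = ($LogName.ToLowerInvariant() -replace '[^a-z0-9]+', '-').Trim('-')
    return "win-eventlog-$slug"
}

# Get-EventLog -List returns the classic logs; .Log is the log name shown in Event Viewer.
$logs = Get-EventLog -List | Where-Object { $Exclude -notcontains $_.Log }

$seen = @{}
$sb = New-Object System.Text.StringBuilder
[void]$sb.AppendLine("inputs {")
foreach ($log in $logs) {
    $name = ConvertTo-InputName $log.Log
    if ($seen.ContainsKey($name)) {
        # Two log names that slug to the same key would override each other in the config.
        Write-Warning "Skipping '$($log.Log)': input name '$name' is already used"
        continue
    }
    $seen[$name] = $true
    [void]$sb.AppendLine("  $name {")
    [void]$sb.AppendLine("    type = `"windows-eventlog`"")
    [void]$sb.AppendLine("    source-name = `"$($log.Log)`"")
    [void]$sb.AppendLine("    poll-interval = `"$PollInterval`"")
    [void]$sb.AppendLine("  }")
}
[void]$sb.AppendLine("}")

Set-Content -Path $OutFile -Value $sb.ToString() -Encoding ASCII
Write-Host "Wrote $($seen.Count) input stanzas to $OutFile"
```

Review the generated file before pasting it into collector.conf, and run it as an administrator if the Security log is missing from the list.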