Last updated at Fri, 03 Nov 2017 19:33:51 GMT
It seems like everyone in DevOps has been talking about JSON recently – JSON is hot!
Logentries has written a few posts covering this topic, covering What is JSON, Common Problems Solved with JSON, and our Exporting as JSON. However we thought it would be beneficial to dive into some more specific applications. We already wrote about a few, namely JSON and Apache/Nginx and Django, now we’ll tackle a different beast.
Let’s explore JSON formatting of Windows events.
To say the Windows Event Log format is unique is an understatement.
It’s not easy to read unless you’re in the Windows EventLog Viewer. It’s not entirely helpful when trying to parse out important information and it’s downright wordy, which you can see in the example below.
Windows has always marched to the beat of a different drum; whether it be logging, management, or software deployments. Anyone who has ever managed a Windows environment can appreciate the nuances that come with it.
With the Logentries Windows Agent, it’s always been easy to get logs into the Logentries platform.
But it was never easy to get logs from Windows formatted into JSON for our advanced functions and analytics.
Now, with a few easy steps Logentries’ customers can send Windows Event Logs as JSON both directly to Logentries and through our DataHub component.
First, we need to install NXLOG, which is an open source multi-platform log collector.
One of the unique things about NXLOG, is that it can collect and forward logs to other locations – even another local log file. Installing NXLOG is as easy as downloading the MSI package and clicking install.
DataHub/Syslog Configuration
If you’re currently using the Logentries DataHub, you can use NXLOG to send via syslog directly to your DataHub. You’ll need to download our NXLOG DataHub compatible configuration file and place it into your NXLOG installation path (typically C:\Program Files (x86)\NXLOG\CONF).
You’ll then need to make the following changes to that file:
- If for some reason NXLOG gets installed to C:\Program Files instead of C:\Program Files (x86), you’ll need to uncomment the ROOT definition at the start of the config file for the proper installation directory.
- If you’re utilizing Windows 2003 or prior, you’ll need to change the EventLog format to mseventlog instead of msvistalog.
- At the bottom of the file you’ll need to enter in your DataHub IP and Port in the output definition.
- Start NXLOG from the Services application.
Thats it!
Your Windows server will now send JSON formatted event logs to your DataHub!
Direct Agent Configuration
Using the Windows Agent in Logentries has the added benefit of sending over system statistics as well (CPU, Memory, Network, etc). The configuration is very similar, but has a few more steps included to allow for the Windows Agent to follow the JSON converted files.
Similarly, you’ll need to download the NXLOG configuration file for use with the Agent and place it into your NXLOG installation path.
The NXLOG program acts as a JSON parser in this instance, reading in the Windows Event Logs and outputting it to a flat file the Windows Agent can then follow.
You’ll need to perform the following steps:
- If for some reason NXLOG gets installed to C:\Program Files instead of C:\Program Files (x86) – you’ll need to uncomment the ROOT definition at the start of the config file for the proper installation directory.
- If you’re utilizing Windows 2003 or prior you’ll need to change the EventLog format to mseventlog instead of msvistalog.
- At the bottom of the file is an area where we define the output file. Currently it’s outputting to C:\test\eventlog.txt. You’ll want to change this to a more suitable location that meets your needs.
- Start NXLOG from the Services application.
- Follow the file defined in step 3 with the Windows Agent – and uncheck the other Windows Event Logs from being followed.
You’ll now get beautifully crafted JSON event log messages that can be sliced and diced with all of our advanced functions and analytics.
For a crash course on how to implement JSON formatting of IIS – check out our follow up post!
Interested in exploring how your business can format windows events in JSON? Register for a Free Logentries Account Today.