Telegraf: Windows Event Log Analytics

Created on 6 Aug 2018 · 19 Comments · Source: influxdata/telegraf

Feature Request

With the recent introduction of syslog parsing and increased attention in the Log Analytics space, it would be nice to complement the syslog Telegraf input with a corresponding log input plugin for Windows. See also - https://community.influxdata.com/t/consuming-windows-event-log/5635

Proposal:

Telegraf Input plugin similar to the syslog input plugin, designed to feed from Windows Event Log (much like Elastic's WinLogBeat )

Current behavior:

n/a

Desired behavior:

Abstract log handling in Influx, with support for native sources from both Windows and Linux inputs. Specifically, an Event Log telegraf input to complement the syslog input.

Use case: [Why is this important (helps with prioritizing requests)]

My use case: I work for a software vendor looking to use Influx as a telemetry analytics component of an application monitoring platform to be deployed alongside our software installs. The application monitoring platform currently uses ElasticSearch & Beats for log analytics, but with the growth of Elastic metrics handling and Influx's log handling, we're considering unifying both needs on a single platform. It would be a huge reduction in effort for us to reduce our endpoint footprint from telegraf + 3 beats agents down to a single telegraf agent; and our server footprint from two database clusters (Influx and Elastic) to one InfluxDB cluster

More generally, Influx is a cross-platform solution, but there doesn't seem to be much love for the windows side in the new logging functionality. For those of us stuck monitoring endpoints in Windows land, it'd be nice to see the ecosystem continue to provide cross-platform feature parity.

feature request

All 19 comments

Just adding some information, maybe a way to go is via Windows Event Collector

Another possible approach is to use nxlog to convert Windows logs to syslog. There is an example from fluentd.

According to Splunk documentation, fetching Windows logs remotely using WMI requires machines to be joined to a domain.

wevtutil is also a handy way to access Windows event logs. And of course Get-WinEvent in PowerShell can be used similarly to the way Get-Counter works, if extracting data from the CLI is any easier than using the .NET libraries for this. E.g.: Get-WinEvent System; Get-WinEvent "PDW Component Failures"; etc. Can be filtered using -FilterHashtable for performance. For convenience, if you run through the Format-List pipe everything is in object format.
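To show what the Get-WinEvent route looks like end to end, here is an added example script (not from the Telegraf project or from anyone in this thread). It queries one log with -FilterHashtable for Critical/Error/Warning events in a short lookback window and prints each event as an InfluxDB line-protocol line, which is the format Telegraf's exec input can read with `data_format = "influx"`. The log name `System`, the levels, the 5-minute lookback and the measurement name `win_eventlog` are assumptions chosen for this example; the two `ConvertTo-Lp*` helpers are hypothetical names written here, not PowerShell built-ins.

```powershell
# Added example: export recent Windows Event Log entries as InfluxDB line protocol.
# Assumed defaults (not from the thread): log 'System', levels 1-3, 5-minute lookback,
# measurement 'win_eventlog'.
param(
    [string]$LogName = 'System',
    [int[]]$Level = @(1, 2, 3),          # 1=Critical, 2=Error, 3=Warning
    [int]$LookbackMinutes = 5,
    [string]$Measurement = 'win_eventlog'
)

# Escape a tag value: spaces, commas and '=' must be backslash-escaped in line protocol.
function ConvertTo-LpTag {
    param([string]$Value)
    return ($Value -replace '([ ,=])', '\$1')
}

# Quote a string field value, escaping backslashes and double quotes inside it.
function ConvertTo-LpString {
    param([string]$Value)
    $escaped = $Value -replace '\\', '\\' -replace '"', '\"'
    return '"' + $escaped + '"'
}

# Server-side filtering via the hashtable is much cheaper than piping every record
# through Where-Object, which is the performance point made above.
$filter = @{
    LogName   = $LogName
    Level     = $Level
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent raises a non-terminating error when nothing matches; on a quiet host
# that is the normal case, so suppress it and simply emit no lines.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $tags = @(
        "source=$(ConvertTo-LpTag $e.ProviderName)",
        "log=$(ConvertTo-LpTag $e.LogName)",
        "level=$(ConvertTo-LpTag $e.LevelDisplayName)",
        "host=$(ConvertTo-LpTag $e.MachineName)"
    ) -join ','

    # Flatten newlines (line protocol is newline-delimited) and cap the message length
    # so a single verbose event cannot balloon the series.
    $msg = if ($e.Message) { $e.Message -replace '[\r\n]+', ' ' } else { '' }
    if ($msg.Length -gt 512) { $msg = $msg.Substring(0, 512) }

    $fields = @(
        "event_id=$($e.Id)i",
        "record_id=$($e.RecordId)i",
        "message=$(ConvertTo-LpString $msg)"
    ) -join ','

    # Line protocol timestamps are nanoseconds since the Unix epoch.
    $ts = ([DateTimeOffset]$e.TimeCreated).ToUnixTimeMilliseconds() * 1000000

    Write-Output "$Measurement,$tags $fields $ts"
}
```

Running the script by hand prints lines such as `win_eventlog,source=Service\ Control\ Manager,log=System,level=Error,host=HOST1 event_id=7034i,record_id=12345i,message="..." 1533600000000000000` (illustrative, constructed output). Pointing a Telegraf `[[inputs.exec]]` at it with `data_format = "influx"` and an interval matching the lookback window gives a stop-gap Event Log feed while a native input plugin is pending; the tag set keeps provider, log and level queryable without putting the free-text message into a tag, which would otherwise explode series cardinality.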

Would really love to be able to capture arbitrary logs and providers. Very excited for this feature!

This feature would be fantastic. With Microsoft monitoring agent, azure log analytics and grafana, I can do some really cool stuff. It'd be fantastic if I could do the same with telegraf/influxdb. It'd be a big lift even if I could just get an ID/timestamp.

Logging Windows event log entries into Influx would be perfect for us too. We are building up a supervising system for production machines. The PLCs of the machines write all errors to the Windows event log, so it would be great to get this directly into InfluxDB.

Hi all, some news from this topic?
Regards

This Feature is much desired for us as well.
Thanks

+1

+1 must have

thx

+1
It would be great to have such a feature.

+1

+4564331345

Hi, I have made draft plugin, it works, but it is based on winlogbeat and increases size of binary by ~30MB. I need some time to squeeze it.

Ok, this +30MB binary size was just a result of not using build flags -s -w

Any update on this one? Eagerly awaiting news :)

I am going to rewrite it soon

@anuar45
that would be very helpful, one more reason away from elastic and towards influxdb.

PR #7020 updated with fully revised version, @danielnelson could you please review it?

merged in #8000
