Closed danfoxley closed 10 years ago
That's just the way I set it up at my organisation, i.e. I had used Group Policy, and then configured Logstash to subscribe to the "Forwarded Events" - the plugin is agnostic towards which particular logs you want to ship.
We didn't have a good config management solution for Windows, so it was easier to centralise the logs via Group Policy itself, but I'm more likely to do what you're suggesting going forwards, probably using Puppet or PowerShell DSC to install Logstash on all the Windows hosts.
Thanks for the reply.
My concern with putting Logstash on each Windows host is the requirement for Java. I'd rather use "Forwarded Events" than install Logstash on each server.
Having logstash-windows-eventlog do the shipping of events to a central Logstash server seemed like a nice alternative. I was just wondering if this project would be headed in that direction; sounds like it is not. Thanks for your time.
Yes, I had the same concern. I think in the long term, I'll use the Lumberjack protocol and provide a pure .NET or Win32 implementation.
From what I gather, event logs are required to be centralized using Group Policy, then digested with a running instance of Logstash on the local Windows host. Do I have that right? Is there an option to have logstash-windows-eventlog ship the events to a remote host directly?