How Would You Read Server Log Files in Your Project?

Centralizing Windows Logs

You can apply the tools in this article to centralize your Windows event logs from multiple servers and desktops. By properly managing your logs, you can track the health of your systems, keep your log files secure, and filter their contents to find specific information.

Why Centralize Logs?

Centralizing your logs saves time and increases the reliability of your log data. When Windows log files are stored locally on each server, you have to log in to each one individually to go through them and look for errors or warnings. If the server is unresponsive, you might be out of luck. If you aren't sure which servers are affected, you have to hunt through each one, which can take a long time on big networks. The log files are also safer in a centralized location because even when your instances are terminated or your files are deleted (intentionally or unintentionally), the centralized backup copies of your logs are unaffected.

Windows Event Subscription

It is possible for a Windows server to forward its events to a collector server. In this scenario, the collector server becomes a central repository for Windows logs from other servers (called event sources) in the network. The stream of events from a source to a collector is called a subscription.

This process demonstrates how to set it up. These steps work on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2019.

Example System

We are using two Active Directory domain-joined Windows Server 2012 systems. The domain name is mytestdomain.com and both machines are registered with the domain.

Source server MYTESTSQL hosts a SQL Server 2014 instance. Collector server MYTESTSERVER works as an event log subscriber to centralize all SQL Server-related logs from MYTESTSQL.

Setup

Enable the Windows Remote Management Service

Windows Remote Management (WinRM) is a protocol for exchanging information across systems in your infrastructure. You must enable it on each of your source computers to exchange log files.

  1. Remotely log into the source computer (MYTESTSQL) as a local or domain administrator.
  2. Enable Windows Remote Management Service from a Command Prompt:
    winrm quickconfig

    If it is already running, a message similar to this example is displayed.

Configure the Windows Event Collector Service

You must enable the Windows Event Collector Service on your collector server to allow it to receive logs from your sources.

  1. Remotely log into the collector computer (MYTESTSERVER) as a local or domain administrator.
  2. Configure the Windows Event Collector Service from a Command Prompt:
    wecutil qc

    If prompted as in the example, press Y.

Configure the Event Log Readers Group

By default, certain logs are restricted to administrators. This may cause problems when receiving logs from other systems. To avoid this, you can grant access to the collector computer by adding it to the Event Log Readers group.

  1. Go back to the source computer (MYTESTSQL).
  2. Open Server Manager.
  3. Open Computer Management.
  4. Expand the Local Users and Groups node in the Navigation pane and select Groups.
  5. Double-click Event Log Readers.
  6. Click Add to open the Select Users, Computers, Service Accounts, or Groups dialog.
  7. Click Object Types.
  8. Check Computers and click OK.
  9. Enter MYTESTSERVER as the object name and click Check Names. If the computer account is found, it is confirmed with an underline.
  10. Click OK twice to close the dialog boxes.

Configure Windows Firewall

If the source computer is running Windows Firewall, ensure it allows Remote Event Log Management and Remote Event Monitor traffic.

Create a Subscription

Subscriptions define the relationship between a collector and a source. You can configure a collector to receive events from any number of sources (a source-initiated subscription), or specify a limited set of sources (a collector-initiated subscription). In this case, we create a collector-initiated subscription since we know which computer's logs we want to receive.

  1. Start the Event Viewer application on the collector server MYTESTSERVER.
  2. Select Subscriptions from the Navigation pane.
  3. Click Create Subscription in the Actions pane.
  4. On the Subscription Properties, enter the following as shown in the example:
    Subscription name: MYTESTSQL_EVENTS
    Description: Events from remote source server MYTESTSQL
    Destination log: Forwarded Events
    Select Collector initiated and click Select Computers to open the Computers dialog.
  5. Click Add Domain Computers.
  6. Enter MYTESTSQL as the object name and click Check Names. If the computer is found, it is confirmed with an underline.
  7. Click OK.
  8. Click OK to return to the Subscription Properties.
  9. Click Select Events to open the Query Filter and enter the following to set the remote server to forward all application events from the last 24 hours:
    Logged: Last 24 hours
    Check all Event levels
    Select By log
    Event logs: Select Application from the drop-down list
  10. Click OK to return to the Subscription Properties.
  11. Click Advanced to open the Advanced Subscription Settings and enter the following:
    Select Machine Account
    Select Minimize Latency
    Protocol: HTTP
    Port: 5985

  12. Click OK to return to the Subscription Properties.
  13. Click OK to close.

The Subscriptions node in the collector computer's Event Viewer now shows the new subscription.

Verify Events on the Collector Computer

Select Forwarded Events from the Navigation pane on the collector computer.

The Computer column in the Details pane indicates the events are from the remote computer MYTESTSQL.MYTESTDOMAIN.COM. You can enable or disable the collector subscription by right-clicking on the subscription and choosing Disable. The status of the subscription is then shown as disabled in the main window. An active collector subscription does not mean it is succeeding. To see if the collector can connect to the source, right-click on the subscription and select Runtime Status. In this example, the collector can't connect to the source. By default, it retries every five minutes.

If all is OK, Subscription Runtime Status shows a green tick with an active status.

Create a Custom View (Optional)

Once the events are forwarded, you can create custom views to see the consolidated events. For instance, you might create a custom view for error events. This example creates a custom view for SQL Server-related messages. A collector computer may host thousands of records from dozens of servers. Using a custom view enables you to create order from an overload of information. For detailed steps, see the section Creating a Custom View in Windows Logging Basics.

Windows Logging Services

There are several Windows services you can use to centralize all your logging information to an external logging service. These services transport logs over syslog to a cross-platform log server or a cloud-based logging service like SolarWinds® Loggly®.

We recommend NXLog, a popular, freely downloadable service that runs in the background. Alternatively, there are syslog-ng and Snare, which are services that collect your log files. All these services provide additional professional support for a fee.

Install NXLog

This example installs and configures NXLog to package your log files.

Download and install the current version of NXLog. The download includes an intuitive installer. Once the installation is complete, open the configuration file. By default, the NXLog configuration file is located at C:/Program Files (x86)/nxlog/conf/nxlog.conf

You can create different types of configuration modules:

  • Inputs for the source of your logs
  • Outputs for where to send the logs
  • Routes to map your inputs to your outputs

Whenever you make changes to the NXLog configuration file, you must restart the NXLog service.

Configure NXLog

This example modifies the NXLog configuration file to centralize your Windows event logs. Adding the snippet below to the end of your nxlog.conf file enables the module and gives it the name "eventlog". The im_msvistalog input module reads new entries from the Windows event log, including system, hardware, application, and security-related events.

    # to_json() is provided by the xm_json extension, so it must be loaded first
    <Extension json>
        Module xm_json
    </Extension>

    # Windows Event Log
    <Input eventlog>
        # Uncomment im_msvistalog for Windows Vista/2008 and later
        Module im_msvistalog
        # Uncomment im_mseventlog for Windows XP/2000/2003
        # Module im_mseventlog
        # If you prefer to send events as JSON data
        Exec $Message = to_json();
    </Input>

File Logs

NXLog can also read log files stored on a drive. In this example, the input is named FILE1. SavePos TRUE means that NXLog will remember its current position in the log file on exit, so it resumes where it stopped instead of re-reading the file. Exec $Message = $raw_event means NXLog will ingest the raw log line without applying any additional formatting. The file name can also include directories or wildcards.

    <Input FILE1>
        Module im_file
        # Path of the file to read; directories and wildcards are allowed
        File "FILE1"
        # Remember the read position across restarts
        SavePos TRUE
        Exec $Message = $raw_event;
    </Input>

IIS Logs

As we covered in the Windows Logging Basics section, IIS access logs are stored in W3C extended log format. We recommend you convert them to JSON for easy processing by a log management tool. NXLog can do this conversion using the xm_csv extension configured for the W3C field layout. Make sure the field list in the configuration file matches the format IIS is actually writing (the #Fields header line in the log), so the parsing happens correctly, and that you are including log files from all your sites.

    <Extension w3c>
        Module xm_csv
        # Field order must match the #Fields header written by IIS
        Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-User-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
        FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
        Delimiter ' '
        QuoteChar '"'
        EscapeControl FALSE
        # IIS writes "-" for an undefined value
        UndefValue -
    </Extension>

    # Convert the IIS logs to JSON and use the original event time
    <Input IIS_Site1>
        Module im_file
        File "C:/inetpub/logs/LogFiles/W3SVC1/u_ex*"
        SavePos TRUE
        <Exec>
            # Header and comment lines start with '#'; discard them
            if $raw_event =~ /^#/ drop();
            else
            {
                w3c->parse_csv();
                # Keep the timestamp IIS recorded (UTC) rather than the read time
                $EventTime = parsedate($date + " " + $time);
                $SourceName = "IIS";
                $Message = to_json();
            }
        </Exec>
    </Input>
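The same parsing the xm_csv extension and file input perform above, written out in Python as an added illustration (not code from the original guide or from NXLog): comment lines are dropped, the fifteen W3C fields are mapped by position, "-" becomes undefined, the numeric fields become integers, and the event time IIS recorded is kept. The sample log lines are constructed for the example.

```python
"""Convert IIS W3C extended log lines to JSON records (example code)."""
import json
from datetime import datetime, timezone

# Same field order and types as the NXLog w3c extension above.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}
UNDEF = "-"  # W3C marker for an undefined value (UndefValue in xm_csv)


def parse_w3c_line(line):
    """Return a dict for one log line, or None for comment/malformed lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None  # header/comment line: the equivalent of drop()
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None  # field count does not match the configured layout
    record = {}
    for name, value in zip(FIELDS, parts):
        if value == UNDEF:
            record[name] = None
        elif name in INTEGER_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    # IIS writes date/time in UTC; keep it as the event time (ISO 8601).
    ts = datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
    record["EventTime"] = ts.replace(tzinfo=timezone.utc).isoformat()
    record["SourceName"] = "IIS"
    return record


def w3c_to_json(lines):
    """Convert an iterable of raw lines to a list of JSON strings."""
    return [json.dumps(r, sort_keys=True) for r in map(parse_w3c_line, lines) if r]


# Constructed sample: the standard IIS header plus two requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:22:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2024-01-15 10:22:03 10.0.0.5 POST /login.aspx - 443 - 192.0.2.10 Mozilla/5.0 https://example.test/ 401 2 5 120
""".splitlines()

if __name__ == "__main__":
    for doc in w3c_to_json(SAMPLE_LOG):
        print(doc)
```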

SQL Server Error Logs

SQL Server is Microsoft's enterprise-class flagship database platform. It comes in a suite of database and data warehouse tools. SQL Server typically has its own logs saved in the application's installation directory in the Windows file system. The default location for SQL Server 2012 is C:/Program Files/Microsoft SQL Server/MSSQL11.MSSQLSERVER/MSSQL/Log. The log entries are also sent to the Windows application event log.

SQL Server operations like backup and restore, query timeouts, or slow I/Os are therefore easy to find in the Windows application event log, while security-related messages like failed login attempts are captured in the Windows security event log.

Forwarding Logs to a Server

NXLog can forward logs from any of the inputs described above to an external destination such as a log server or cloud-based log management service. To do this, NXLog uses concepts called Outputs and Routes. Outputs are modules that provide functionality for sending logs to a destination, such as a file or remote server. Routes are the paths that a log message takes from an input (such as the im_msvistalog module) to an output (such as a log management service).

To forward logs, add an output module to your nxlog.conf configuration file. Then add a Route block to send logs from your chosen inputs to your chosen outputs. In this example, we are sending logs over TCP to the host HOSTNAME on the default syslog port 514. We create a route that takes logs from the eventlog input and sends them to the new output (named out):

    <Output out>
        Module om_tcp
        Host HOSTNAME
        Port 514
    </Output>

    <Route 1>
        Path eventlog => out
    </Route>

Several log management solutions offer specific setup instructions for Windows logging. Loggly is an example of one provider and has more detailed information about setting up NXLog to gather your log files in their guide, Logging from Windows.

Encrypting Logs with TLS

By default, logs sent over the Internet are transmitted in clear text. This means anyone on the path can intercept and read your log data. It is best practice to encrypt your log data while it is in transit, especially if it contains sensitive information like personal identification details, government-regulated data, or financial information. The most common protocol for encrypting syslog traffic is TLS, or Transport Layer Security.

TLS encrypts your logs, preventing anyone from snooping on sensitive information in them. Best practice is not to log information like passwords, but some applications do it anyway. TLS encryption helps keep this data safer. It prevents malicious parties located between your log sources and destinations from reading or modifying your log data.

Here is an example of setting up an NXLog configuration with TLS encryption for Loggly.

  1. Download Loggly's digital certificate from the NXLog TLS configuration page.
  2. Copy the digital certificate file to your NXLog cert directory:
    copy loggly_full.crt "C:\Program Files (x86)\nxlog\cert"
  3. Configure your output module with om_ssl and the certificate location. The default syslog port for encrypted logs is 6514. AllowUntrusted FALSE refuses the connection if the server's certificate does not chain to the CA file, so a self-signed or substituted certificate cannot be used to intercept the stream:
    # CERTDIR is set near the top of the default nxlog.conf (define CERTDIR %ROOT%\cert)
    <Output out>
        Module om_ssl
        Host server.example.com
        Port 6514
        # The certificate copied in step 2
        CAFile %CERTDIR%/loggly_full.crt
        AllowUntrusted FALSE
    </Output>

How do you centralize your logs? Add a comment to let us know!

Source: https://www.loggly.com/ultimate-guide/centralizing-windows-logs/
