Documentation for Log Analyzer

Set up Windows event collection in LA

You can stream, monitor, and alert on Windows event logs from your network devices in LA. From the LA Log Viewer, you can filter Windows events, enable out-of-the-box rules for events, and create custom rules tailored for specific Windows event activity.

During your LA installation or upgrade, install the LA agent plugin with your SolarWinds Orion agent to begin collecting Windows event logs.

Follow the steps below to configure and manage Windows event collection.

Deploy the Orion agent

To collect Windows events, deploy the Orion agent to monitored nodes, and then enable LA to monitor Windows events.

Collect Windows events from unknown nodes

Windows events received from a node that is not yet managed in the Orion Platform are discarded until you add that node through Node Management.

Collect Windows events from one or more Orion Platform nodes

Enable LA to monitor Windows events from any network node.

Disable Windows event collection from one or more Orion Platform nodes

To stop collecting Windows events, set one or more nodes to Disabled in the Orion Web Console.

Forward Windows events to an Orion agent

Windows Event Forwarding (WEF), a Microsoft feature, lets one machine forward its Windows events to another. When events are forwarded to a node that runs the Orion agent, the agent sends them on to LA, provided the machine that originally generated the events is itself a node monitored by the Orion Platform; events from an unmonitored source are discarded like any other event from an unknown node. To set up Windows Event Forwarding, follow the procedure below.

Set up a subscription that forwards events to a node running the Orion agent, following Microsoft's Windows Event Forwarding guidelines, and observe the following:

  • Any node configured to forward events must not have the Orion agent installed. Otherwise the same events arrive twice: once from that node's own agent and once through the subscription.
  • If you changed the default query, make sure the query still includes the Forwarded Events channel (ForwardedEvents). Forwarded events are written to that channel, and a query that omits it never reads them.
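The checks behind the procedure above, as an added PowerShell example that is not part of this page or SolarWinds' own tooling. It verifies on the collector that the ForwardedEvents channel is enabled and that each WEF subscription delivers into it, tests whether a given event query XML still selects from ForwardedEvents, and optionally confirms over WinRM that source nodes do not run the Orion agent. Assumptions: the Windows Event Collector service and wecutil.exe are installed on the collector, the Orion agent's Windows service name is 'SolarWindsAgent64' (an assumption; adjust to your deployment), and the query is passed in as standard Windows structured XML, since this page does not say where LA stores its query. The sample query is constructed for the demonstration.

```powershell
# Added example (not SolarWinds code): sanity-check a WEF collector that runs
# the Orion agent, and flag source nodes that would duplicate events.
# Assumptions: wecutil.exe present on the collector; Orion agent service name
# below is an assumption, change it to match your deployment.

$ErrorActionPreference = 'Stop'
$AgentServiceName = 'SolarWindsAgent64'   # assumption, see above

# 1. Forwarded events land in the ForwardedEvents channel; it must be enabled.
function Test-ForwardedEventsChannel {
    $log = Get-WinEvent -ListLog 'ForwardedEvents'
    if (-not $log.IsEnabled) {
        Write-Warning 'ForwardedEvents is disabled. Enable it with: wevtutil sl ForwardedEvents /e:true'
        return $false
    }
    return $true
}

# 2. Each subscription should deliver into ForwardedEvents (or whichever
#    channel your agent's collection query actually reads).
function Get-SubscriptionTargets {
    if (-not (Get-Command wecutil.exe -ErrorAction SilentlyContinue)) {
        Write-Warning 'wecutil.exe not found; is the Windows Event Collector service installed?'
        return
    }
    $names = & wecutil.exe es 2>$null | Where-Object { $_.Trim() }
    foreach ($name in $names) {
        # wecutil gs <name> /f:xml prints the subscription definition as XML
        [xml]$cfg = (& wecutil.exe gs $name /f:xml) -join "`n"
        [pscustomobject]@{
            Subscription = $name
            LogFile      = $cfg.Subscription.LogFile
            Enabled      = $cfg.Subscription.Enabled
        }
    }
}

# 3. A customised query must still select from ForwardedEvents; otherwise the
#    forwarded events are written to disk but never collected.
function Test-QueryIncludesForwardedEvents {
    param([Parameter(Mandatory)][string]$QueryXml)
    [xml]$q = $QueryXml
    $paths = @($q.QueryList.Query | ForEach-Object {
        $_.Path                                   # Path attribute on <Query>
        $_.Select | ForEach-Object { $_.Path }    # Path attribute on each <Select>
    })
    return ($paths -contains 'ForwardedEvents')
}

# 4. Source nodes must NOT run the Orion agent, or every event arrives twice.
function Test-SourceNodesAgentFree {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $svc = Invoke-Command -ComputerName $c -ScriptBlock {
            Get-Service -Name $using:AgentServiceName -ErrorAction SilentlyContinue
        }
        if ($svc) { Write-Warning "$c runs $AgentServiceName and will produce duplicate events" }
        [pscustomobject]@{ Computer = $c; AgentInstalled = [bool]$svc }
    }
}

# --- run on the collector ---
$null = Test-ForwardedEventsChannel
Get-SubscriptionTargets | Format-Table -AutoSize

# Constructed sample: a "modified default" query that dropped ForwardedEvents,
# and the same query with the channel restored.
$badQuery = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
  </Query>
</QueryList>
'@
$goodQuery = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
    <Select Path="ForwardedEvents">*</Select>
  </Query>
</QueryList>
'@
"bad query reads ForwardedEvents:  $(Test-QueryIncludesForwardedEvents $badQuery)"
"good query reads ForwardedEvents: $(Test-QueryIncludesForwardedEvents $goodQuery)"

# Optional: check forwarding nodes over WinRM (replace with your source nodes).
# Test-SourceNodesAgentFree -ComputerName 'src01','src02'
```

Run the script on the collector node in an elevated Windows PowerShell session; the source-node check needs WinRM access to those machines and is left commented out so the rest runs offline. If a subscription reports a LogFile other than ForwardedEvents, either change the subscription's destination log or make sure the agent's query selects from that channel instead.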

Collect Windows events without deploying the agent

If you choose not to deploy the Orion agent, you can convert Windows events to syslog messages with SolarWinds Event Log Forwarder for Windows, a free tool; see its own documentation for setup details.

If you choose not to install the agent, the following features will not be available:
  • Windows event messages
  • Out-of-the-box rules for Windows events
  • Windows event fields in the Rule Builder
  • Near real-time log collection (unless in Live Mode)

Enable LA agent overload alerts

Enable LA agent overload alerts to be notified when the LA agent cannot keep up with the volume of incoming events and is therefore not processing them fully.