Documentation for Log Analyzer
Analyzing logs is a key capability of Hybrid Cloud Observability and is also available in a standalone module, Log Analyzer (LA). Hybrid Cloud Observability and LA are built on the self-hosted SolarWinds Platform.

Set up Windows event collection in LA

You can stream, monitor, and alert on Windows event logs from your network devices in LA. From the LA Log Viewer, you can filter Windows events, enable out-of-the-box rules for events, and create custom rules tailored for specific Windows event activity.

During your LA installation or upgrade, install the LA agent plugin alongside your SolarWinds Platform agent to begin collecting Windows event logs.

Follow the steps below to configure and manage Windows event collection.

Deploy the SolarWinds Platform agent

To collect Windows events, deploy the SolarWinds Platform agent to monitored nodes, and then enable LA to monitor Windows events.

Collect Windows events from unknown nodes

Windows events received from an unknown network node are discarded until you add the device through Node Management.

Collect Windows events from one or more SolarWinds Platform nodes

Enable LA to monitor Windows events on any node that is already managed in the SolarWinds Platform.

Disable Windows event collection from one or more SolarWinds Platform nodes

To stop collecting Windows events, set one or more nodes to the Disabled state in the SolarWinds Platform Web Console.

Disabling log monitoring for a node stops the collection of messages from all of its log sources (syslog, SNMP traps, and so on), not just Windows events.

Forward Windows events to a SolarWinds Platform agent

Microsoft provides the ability to forward Windows events from one machine to another (Windows Event Forwarding). When you forward Windows events to a node that runs a SolarWinds Platform agent, the agent sends them on to LA, provided the machine from which each event was forwarded is itself monitored by the SolarWinds Platform. To set up Windows Event Forwarding, follow the procedure below.

Set up a subscription that forwards events to a node with an existing agent, following Microsoft's Windows Event Forwarding guidelines, and observe these constraints:

  • A node configured to forward events must not also have the SolarWinds Platform agent installed. Otherwise, LA receives each event twice: once from the agent on the source and once through the forwarding collector.

  • If you changed the default Windows event query in LA, make sure it still includes the Forwarded Events channel. Forwarded events are written to that channel on the collector, not to the source channels (Security, System, and so on), so a query restricted to the source channels does not pick them up.
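The procedure above as PowerShell, added here as an example; it is not code from the SolarWinds documentation. It creates a source-initiated Windows Event Forwarding subscription on a collector that runs the SolarWinds Platform agent, points a source at it, refuses to configure a source that already has the agent (the duplicate-event case), and reads back the Forwarded Events channel for verification. The collector hostname, subscription name, selected event IDs and the `SolarWinds Agent*` service display-name pattern are assumptions for illustration; adjust them to your deployment.

```powershell
# Added example (not from the SolarWinds documentation): a source-initiated
# Windows Event Forwarding (WEF) setup whose collector is a node running the
# SolarWinds Platform agent with the LA plugin. The hostname, subscription name,
# event IDs and the agent service display-name pattern are assumptions.
#Requires -RunAsAdministrator

$Collector    = 'la-collector.example.com'   # assumed: node with the SolarWinds Platform agent
$Subscription = 'LA-Forwarded-Security'      # assumed subscription name

# ---- Run on the collector (the agent node) -----------------------------------
function Initialize-Collector {
    # Enable the Windows Event Collector service and its WinRM listener.
    wecutil qc /q

    # Source-initiated subscription. <LogFile> pins the destination to the
    # ForwardedEvents channel, which the LA Windows event query must include.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Subscription</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events forwarded to the LA agent node</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Subscription.xml"
    Set-Content -Path $path -Value $xml -Encoding Unicode
    wecutil cs $path               # create the subscription from the XML file
    wecutil gr $Subscription       # runtime status: one entry per source that has checked in
}

# ---- Run on each forwarding source -------------------------------------------
function Initialize-Source {
    # Duplicate guard: a forwarding source must not also run the SolarWinds
    # Platform agent, or LA receives every event twice. Display-name pattern assumed.
    $agent = Get-Service | Where-Object { $_.DisplayName -like 'SolarWinds Agent*' }
    if ($agent) {
        throw "SolarWinds Platform agent service '$($agent.Name)' is installed; do not forward from this node."
    }

    winrm quickconfig -q           # WEF is transported over WinRM

    # Same value the 'Configure target Subscription Manager' group policy sets;
    # Refresh is the source's check-in interval in seconds.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
        -Value "Server=http://$($Collector):5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null

    # The forwarder runs as NETWORK SERVICE, which cannot read the Security log
    # until it is a member of Event Log Readers.
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
    gpupdate /force | Out-Null
}

# ---- Verify on the collector -------------------------------------------------
function Get-RecentForwardedEvents {
    # MachineName is the originating host: it must already be a node managed in
    # the SolarWinds Platform, otherwise LA discards the event as unknown.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 |
        Select-Object TimeCreated, MachineName, Id, ProviderName
}
```

Run `Initialize-Collector` once on the agent node, `Initialize-Source` on every forwarding machine, then `Get-RecentForwardedEvents` on the collector. If the subscription shows active sources in `wecutil gr` but the Log Viewer stays empty, the two things to check are the ones the text calls out: the LA Windows event query still lists the Forwarded Events channel, and the `MachineName` values you see are nodes already added through Node Management.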

Collect Windows events without deploying the agent

If you choose not to deploy the SolarWinds Platform agent, you can convert Windows events to syslog messages with SolarWinds Event Log Forwarder for Windows, a free tool that is documented separately.

If you choose not to install the agent, the following features will not be available:
  • Windows event messages
  • Out-of-the-box rules for Windows events
  • Windows event fields in the Rule Builder
  • Near real-time log collection (unless in Live Mode)

LA agent overload alerts

LA agent overload alerts send a notification when the LA agent cannot process incoming events fast enough to keep up with the volume it receives. Overload alerts are enabled by default.