Ingesting specific Windows event source

I’m trying to ingest a specific Windows log from: Microsoft-Windows-TerminalServices-Gateway/Operational logs…looking for EventID 300s…Is that possible with custom log somehow using agent?

This forum is useless.

Here are some previous threads that might help:

Good luck!


It’s a bit annoying that you essentially have to use a third party tool to get the logs the agent should be able to grab itself if so configured. Seems like a big miss on feature set if I’m being honest, but thank you for the direction.

Hi @bneu

This is a community forum for sharing tips and general discussion around IDR, not necessarily a platform for official support. We do our best to monitor and respond to questions, but if you have an urgent question it’s a good idea to submit a ticket to our support team.

Micah has the right idea; there are third party tools which can do this, mentioned in the other threads. Unfortunately this log cannot be forwarded by the agent as it’s currently not supported; only the classic System, Security and Application logs are.

That said, you don’t have to rely on third party tools to do the job; while NXLog is useful, and often a go-to tool for these use-cases, there are other options. You can write a PowerShell script which reads the events from the log and writes them out to a file. The agent (or a collector) can then tail this file and forward the events to IDR. This can also be automated by running it as a scheduled task.

Now, which is better – the agent or the collector? Logs sent up to IDR via a collector support custom parsing rules. Once data is in IDR you can use the custom parsing tool to extract the logs into key-value pairs which makes searching much easier (as well as building dashboards). Logs forwarded by the agent don’t support custom parsing so you would need to transform the logs - before they’re forwarded by the agent - to a key-value format which may be trickier to do.

If you land on a solution that works, it’d be great if you could share it here with the community so others can make use of it, or even collaborate with you on improving it over time.

Hope you find this helpful!
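One way to do what the reply above describes, as an added example rather than code from the thread or from Rapid7: a PowerShell script that pulls EventID 300 from the Gateway Operational log and appends one key=value line per event to a file for the agent or collector to tail. The log name and event ID come from the question; the output and state-file paths, the field names and the RecordId bookmark are assumptions.

```powershell
# Added example, not code from the thread. Export TS Gateway EventID 300 events
# as one key="value" line each. Paths, field names and the state-file bookmark
# are assumptions; run as a scheduled task under an account that can read the log.
param(
    [string]$LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational',
    [int]$EventId      = 300,
    [string]$OutFile   = 'C:\ProgramData\TSGatewayExport\tsgw-300.log',
    [string]$StateFile = 'C:\ProgramData\TSGatewayExport\last-record.txt'
)

$ErrorActionPreference = 'Stop'
$null = New-Item -ItemType Directory -Force -Path (Split-Path $OutFile)

# Resume after the last RecordId already written, so scheduled reruns never duplicate lines.
$lastRecord = [int64]0
if (Test-Path $StateFile) { $lastRecord = [int64]((Get-Content $StateFile -Raw).Trim()) }

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $lastRecord } |
    Sort-Object RecordId

function ConvertTo-KvValue([object]$v) {
    # Quote the value and escape backslashes, quotes and newlines so each event stays on one line.
    $s = ([string]$v) -replace '\\', '\\' -replace '"', '\"' -replace '\r?\n', ' '
    return '"' + $s + '"'
}

$lines = foreach ($e in $events) {
    $pairs = @(
        'time=' + (ConvertTo-KvValue $e.TimeCreated.ToUniversalTime().ToString('o')),
        "event_id=$($e.Id)",
        "record_id=$($e.RecordId)",
        'computer=' + (ConvertTo-KvValue $e.MachineName),
        'level=' + (ConvertTo-KvValue $e.LevelDisplayName)
    )
    # EventData fields are positional in the event XML; emit them by index so nothing is dropped.
    for ($i = 0; $i -lt $e.Properties.Count; $i++) {
        $pairs += "param$i=" + (ConvertTo-KvValue $e.Properties[$i].Value)
    }
    $pairs += 'message=' + (ConvertTo-KvValue $e.Message)
    $pairs -join ' '
}

if ($lines) {
    Add-Content -Path $OutFile -Value $lines -Encoding UTF8
    Set-Content -Path $StateFile -Value ($events | Select-Object -Last 1).RecordId
}
```

Point the agent at `$OutFile` as a custom log, or ship it through a collector if you want IDR's custom parsing on top of the key=value pairs.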