I received a requirement to send Windows event logs to Amazon CloudWatch because we wanted to monitor user activity on the various Windows servers in our environment. There are other use cases for the same setup, but this article focuses on getting Windows event logs into CloudWatch Logs.
To achieve this, we first need to install the Amazon CloudWatch agent, then give the server permission to write to CloudWatch Logs, and finally configure the agent to push the event logs.
Install CloudWatch Agent
There are a couple of ways you can install the Amazon CloudWatch agent on your servers.
Configure IAM Role
Create a policy named CloudwatchAgentPolicyForWindowsLogging with the following body. It is scoped to the single log group the agent will write to (replace the region and account id with your own) rather than to all of CloudWatch Logs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudwatchLogsStatement",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs",
        "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs:log-stream:*"
      ]
    }
  ]
}
Attach this policy to the IAM role (instance profile) of every server you want to enable CloudWatch Logs on. Both resource forms are needed: the log-group ARN covers creating the group and listing its streams, while the log-stream ARN with the trailing wildcard is what logs:CreateLogStream and logs:PutLogEvents are checked against.
Configure CloudWatch Agent
Go to C:\Program Files\Amazon\AmazonCloudWatchAgent and create a file named config.json.
Add a logs section to the Amazon CloudWatch agent configuration file. The log_group_name must match the log group named in the IAM policy above, otherwise the agent's PutLogEvents calls are denied.
{
  ...,
  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_format": "xml",
            "event_levels": [
              "VERBOSE",
              "INFORMATION",
              "WARNING",
              "ERROR",
              "CRITICAL"
            ],
            "event_name": "System",
            "log_group_name": "windows-event-viewer-logs",
            "log_stream_name": "{instance_id}/System",
            "retention_in_days": 365
          },
          {
            "event_format": "xml",
            "event_levels": [
              "VERBOSE",
              "INFORMATION",
              "WARNING",
              "ERROR",
              "CRITICAL"
            ],
            "event_name": "Security",
            "log_group_name": "windows-event-viewer-logs",
            "log_stream_name": "{instance_id}/Security",
            "retention_in_days": 365
          }
        ]
      }
    }
  }
}
Open PowerShell and run the following commands:
> cd 'C:/Program Files/Amazon/AmazonCloudWatchAgent/'
> ./amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:config.json -s
The -s switch starts the agent once the configuration has been fetched; if you omit it, start the Amazon CloudWatch Agent service yourself. After a short while you'll see a log stream per event log created in the log group windows-event-viewer-logs.
Verify
Open CloudWatch Logs and open the log group windows-event-viewer-logs. You should see one stream per server and event log, named after the log_stream_name pattern ({instance_id}/System and {instance_id}/Security).
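When the stream never appears, the usual cause is a mismatch between the IAM policy and the agent configuration (a typo in the log group name, the wrong region or account id in the ARN, or a missing action). The following Python script is an added example, not part of the original post or of the CloudWatch agent: it loads the two documents shown above (embedded here as constructed samples with the page's placeholder account id) and checks, offline, that every log group and stream the agent will write to is covered by the policy's Resource ARNs and that the four required actions are granted. The function names, the REQUIRED_ACTIONS set and the placeholder instance id are assumptions of this example.

```python
import fnmatch
import json

# Constructed sample: the IAM policy from the post (placeholder region/account).
IAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudwatchLogsStatement",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                 "logs:PutLogEvents", "logs:DescribeLogStreams"],
      "Resource": [
        "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs",
        "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs:log-stream:*"
      ]
    }
  ]
}
""")

# Constructed sample: the "logs" section of the agent config from the post.
AGENT_CONFIG = {
    "logs": {"logs_collected": {"windows_events": {"collect_list": [
        {"event_format": "xml",
         "event_levels": ["VERBOSE", "INFORMATION", "WARNING", "ERROR", "CRITICAL"],
         "event_name": "System",
         "log_group_name": "windows-event-viewer-logs",
         "log_stream_name": "{instance_id}/System",
         "retention_in_days": 365},
        {"event_format": "xml",
         "event_levels": ["VERBOSE", "INFORMATION", "WARNING", "ERROR", "CRITICAL"],
         "event_name": "Security",
         "log_group_name": "windows-event-viewer-logs",
         "log_stream_name": "{instance_id}/Security",
         "retention_in_days": 365},
    ]}}}
}

# Actions the agent needs to create the group/stream and push events (assumption of this example).
REQUIRED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents", "logs:DescribeLogStreams"}
VALID_LEVELS = {"VERBOSE", "INFORMATION", "WARNING", "ERROR", "CRITICAL"}
VALID_FORMATS = {"xml", "text"}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [st for st in policy["Statement"] if st.get("Effect") == "Allow"]


def arn_matches(pattern, arn):
    # IAM resource patterns use * and ? wildcards; fnmatch implements both.
    # (fnmatch also knows [...] classes, which no ARN in this example uses.)
    return fnmatch.fnmatchcase(arn, pattern)


def check_policy_covers_config(policy, config, region, account, instance_id="i-PLACEHOLDER"):
    """Return a list of problems; an empty list means the policy matches the config."""
    problems = []
    granted = set()
    resources = set()
    for st in allow_statements(policy):
        granted.update(_as_list(st.get("Action", [])))
        resources.update(_as_list(st.get("Resource", [])))
    missing = REQUIRED_ACTIONS - granted
    if missing and "logs:*" not in granted and "*" not in granted:
        problems.append(f"policy lacks actions: {sorted(missing)}")

    items = config["logs"]["logs_collected"]["windows_events"]["collect_list"]
    for item in items:
        if not set(item["event_levels"]) <= VALID_LEVELS:
            problems.append(f"{item['event_name']}: unknown event_levels")
        if item.get("event_format", "xml") not in VALID_FORMATS:
            problems.append(f"{item['event_name']}: unknown event_format")
        group_arn = f"arn:aws:logs:{region}:{account}:log-group:{item['log_group_name']}"
        stream_name = item["log_stream_name"].replace("{instance_id}", instance_id)
        stream_arn = f"{group_arn}:log-stream:{stream_name}"
        for arn, what in ((group_arn, "log group"), (stream_arn, "log stream")):
            if not any(arn_matches(p, arn) for p in resources):
                problems.append(f"{what} {arn} not covered by policy Resource")
    return problems


if __name__ == "__main__":
    for problem in check_policy_covers_config(IAM_POLICY, AGENT_CONFIG, "us-west-2", "123456789012"):
        print("PROBLEM:", problem)
    print("check complete")
```

Run it with the region and account id the server actually lives in; the check deliberately models the log-stream ARN with the instance id substituted, because that is the ARN IAM evaluates when the agent calls PutLogEvents, so a policy that only lists the log-group ARN is reported as a problem.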