DEV Community

Wajahat Ali Abid
Stream Windows Event Logs to Cloudwatch

I received a requirement to send Windows event logs to Amazon Cloudwatch because we wanted to monitor user activity on various Windows servers in our environment. There are other use cases for the same setup, but in this article we will focus on getting Windows event logs into Cloudwatch.

To achieve this, we first need to install the Amazon Cloudwatch Agent and then configure it to push the event logs to Cloudwatch Logs.

Install Cloudwatch Agent

There are a couple of ways you can install the Amazon Cloudwatch Agent on your servers.

(Screenshot: Windows Services app showing the Cloudwatch Agent service running)

Configure IAM Role

Create a policy named CloudwatchAgentPolicyForWindowsLogging with the following body. Because the agent configuration further down sets retention_in_days, the policy also has to grant logs:PutRetentionPolicy on the log group; without it the agent cannot apply the retention setting.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudwatchLogsStatement",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs",
                "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs:log-stream:*"
            ]
        }
    ]
}

Attach this policy to the IAM role (instance profile) of any server you want to enable Cloudwatch Logs on.

Configure Cloudwatch Agent

Go to C:\Program Files\Amazon\AmazonCloudWatchAgent and create a file named config.json.

(Screenshot: the directory above, showing the config.json file)

Add a logs section to the Amazon Cloudwatch Agent configuration file. Each collect_list entry names one event channel (System and Security here); log_group_name must match the log group ARNs in the IAM policy above.

{ 
    ...,
    "logs": {
        "logs_collected": {
            "windows_events": {
                "collect_list": [
                    {
                        "event_format": "xml",
                        "event_levels": [
                            "VERBOSE",
                            "INFORMATION",
                            "WARNING",
                            "ERROR",
                            "CRITICAL"
                        ],
                        "event_name": "System",
                        "log_group_name": "windows-event-viewer-logs",
                        "log_stream_name": "{instance_id}/System",
                        "retention_in_days": 365
                    },
                    {
                        "event_format": "xml",
                        "event_levels": [
                            "VERBOSE",
                            "INFORMATION",
                            "WARNING",
                            "ERROR",
                            "CRITICAL"
                        ],
                        "event_name": "Security",
                        "log_group_name": "windows-event-viewer-logs",
                        "log_stream_name": "{instance_id}/Security",
                        "retention_in_days": 365
                    }
                ]
            }
        }
    }
}

Open PowerShell and run the following commands. The -s switch tells the control script to start the agent after loading the configuration.

> cd 'C:/Program Files/Amazon/AmazonCloudWatchAgent/'
> ./amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:config.json -s

(Screenshot: output of the command above)

If the Amazon Cloudwatch Agent service is not already running, start it. After some time, you'll see the log streams appear in the log group windows-event-viewer-logs.
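Before rolling this out, it is worth checking that the IAM policy actually grants everything the agent configuration asks for. The following Python script is an added example (not part of the article or of the AWS agent tooling): it walks the windows_events collect_list, derives the log group and log stream ARNs each entry needs, and reports any action/resource pair the policy does not allow, including logs:PutRetentionPolicy, which the agent needs whenever retention_in_days is set. The embedded sample data mirrors the article's placeholder region, account id and log group name, and the sample policy deliberately leaves out logs:PutRetentionPolicy so the check has a gap to report.

```python
import fnmatch

# Constructed sample input mirroring the article; region, account id and log
# group name are the article's placeholder values.
REGION, ACCOUNT = "us-west-2", "123456789012"
AGENT_CONFIG = {"logs": {"logs_collected": {"windows_events": {"collect_list": [
    {"event_name": "System", "log_group_name": "windows-event-viewer-logs",
     "log_stream_name": "{instance_id}/System", "retention_in_days": 365},
    {"event_name": "Security", "log_group_name": "windows-event-viewer-logs",
     "log_stream_name": "{instance_id}/Security", "retention_in_days": 365},
]}}}}
# Same shape as the article's policy; logs:PutRetentionPolicy deliberately absent.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
               "logs:PutLogEvents", "logs:DescribeLogStreams"],
    "Resource": [
        f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:windows-event-viewer-logs",
        f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:windows-event-viewer-logs:log-stream:*",
    ]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(policy, action, resource):
    """True if an Allow statement matches both action and resource. IAM's '*' and
    '?' wildcards behave like fnmatch's; action names compare case-insensitively."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            return True
    return False

def missing_permissions(config, policy, region, account):
    """Return (action, resource) pairs the agent needs but the policy does not grant."""
    gaps = []
    for e in config["logs"]["logs_collected"]["windows_events"]["collect_list"]:
        group = f"arn:aws:logs:{region}:{account}:log-group:{e['log_group_name']}"
        stream = f"{group}:log-stream:{e['log_stream_name']}"
        # Group-level actions, stream-level actions, then retention if configured.
        needed = [("logs:CreateLogGroup", group), ("logs:DescribeLogStreams", group),
                  ("logs:CreateLogStream", stream), ("logs:PutLogEvents", stream)]
        if "retention_in_days" in e:
            needed.append(("logs:PutRetentionPolicy", group))
        gaps += [n for n in needed if not allowed(policy, *n) and n not in gaps]
    return gaps

if __name__ == "__main__":
    for action, resource in missing_permissions(AGENT_CONFIG, POLICY, REGION, ACCOUNT):
        print(f"missing: {action} on {resource}")
```

Run it against your real config.json and the policy document exported from IAM; an empty result means every log group and stream the agent will write to is covered.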

Verify

In the Cloudwatch Logs console, open the log group windows-event-viewer-logs. You should see one stream per instance and channel, named {instance_id}/System and {instance_id}/Security as configured above.

(Screenshot: Cloudwatch log group windows-event-viewer-logs with its log streams)