DEV Community

Cover image for Stream Windows Event Logs to Cloudwatch
Wajahat Ali Abid
Wajahat Ali Abid

Posted on

Stream Windows Event Logs to Cloudwatch

I received a requirement for sending Windows event logs to Amazon Cloudwatch because we wanted to monitor user activity on various Windows servers in our environment. There can be various other use cases for this requirement, however we will focus on setting up Windows event logs to Cloudwatch in this article.

To achieve this, we first need to install Amazon Cloudwatch Agent and then configure the server to push logs to Cloudwatch Logs.

Install Cloudwatch Agent

There are a couple of ways you can install Amazon Cloudwatch Agent on your servers.

Windows Services app showing Cloudwatch Agent running

Configure Iam Role

Create a policy CloudwatchAgentPolicyForWindowsLogging with following body



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudwatchLogsStatement",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs",
                "arn:aws:logs:us-west-2:123456789012:log-group:windows-event-viewer-logs:log-stream:*"
            ]
        }
    ]
}


Enter fullscreen mode Exit fullscreen mode

Attach this policy to any server you want to enable Cloudwatch Logs on.

Configure Cloudwatch Agent

Go to C:\Program Files\Amazon\AmazonCloudWatchAgent and create a file config.json

Required directory open showing config.json file

Add logs section to Amazon Cloudwatch Agent configuration file.



{ 
    ...,
    "logs": {
        "logs_collected": {
            "windows_events": {
                "collect_list": [
                    {
                        "event_format": "xml",
                        "event_levels": [
                            "VERBOSE",
                            "INFORMATION",
                            "WARNING",
                            "ERROR",
                            "CRITICAL"
                        ],
                        "event_name": "System",
                        "log_group_name": "windows-event-viewer-logs",
                        "log_stream_name": "{instance_id}/System",
                        "retention_in_days": 365
                    },
                    {
                        "event_format": "xml",
                        "event_levels": [
                            "VERBOSE",
                            "INFORMATION",
                            "WARNING",
                            "ERROR",
                            "CRITICAL"
                        ],
                        "event_name": "Security",
                        "log_group_name": "windows-event-viewer-logs",
                        "log_stream_name": "{instance_id}/Security",
                        "retention_in_days": 365
                    }
                ]
            }
        }
    }
}


Enter fullscreen mode Exit fullscreen mode

Open Powershell and run the following command



> cd 'C:/Program Files/Amazon/AmazonCloudWatchAgent/'
> ./amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:config.json -s


Enter fullscreen mode Exit fullscreen mode

Showing output of above command

Start the Amazon Cloudwatch Agent Service and after some time, you'll see log stream created in the log group windows-event-viewer-logs.

Verify

Open Cloudwatch Logs and open the log group windows-event-viewer-logs.

CloudWatch log group windows-event-viewer-logs

Top comments (0)