Integration with Windows
This guide provides instructions to integrate Windows systems with OpenObserve for monitoring logs and metrics.
Overview
Windows systems generate multiple types of monitoring data that are essential for maintaining system health and security. Event logs provide critical insights that support IT operations in troubleshooting, auditing, and compliance. Performance metrics such as CPU usage, memory consumption, disk I/O, network activity, and process-specific data help identify bottlenecks, capacity issues, and resource constraints before they affect users.
Installation Options
OpenObserve offers two powerful approaches for Windows monitoring:
- OpenObserve Collector: A streamlined, all-in-one solution for quick deployment
- OpenTelemetry Collector: A customizable approach for advanced configurations
Steps to integrate
The OpenObserve Collector provides a simple, one-command installation that automatically collects both Windows Event Logs and Performance Metrics.
Prerequisites
Before we begin, ensure you have:
- A Windows machine such as Windows 10/11 or Windows Server
- Administrator access to install and configure services
- Access to an OpenObserve instance, either cloud or self-hosted
Steps
- Log in to your OpenObserve instance.
- Navigate to Data Sources > Recommended > Windows.
- Copy the provided PowerShell command.
- Open PowerShell as Administrator and execute the command:
Invoke-WebRequest -Uri https://raw.githubusercontent.com/openobserve/agents/main/windows/install.ps1 -OutFile install.ps1 ; .\install.ps1 -URL https://your-openobserve-instance.com/api/default/ -AUTH_KEY YOUR_API_KEY
Upon successful execution of the above command, the OpenObserve Collector will:
- Install as a Windows service that starts automatically.
- Collect logs from Windows Event Log such as Application, System, Security.
- Collect metrics from Windows Performance Counters.
- Forward all data to your OpenObserve instance.
For more advanced configurations or if you're already using OpenTelemetry in your environment, you can use the OpenTelemetry Collector with the Windows Event Log Receiver.
- Setting Up the OpenTelemetry Collector
First, set up the OpenTelemetry Collector: create a directory for the collector (C:\otel-collector), download the latest collector contrib distribution, and extract the archive.
- Configure the OpenTelemetry Collector
Create a file named config.yaml in the C:\otel-collector directory with the following content:
Replace https://your-openobserve-instance.com/api/default with your OpenObserve endpoint and YOUR_API_KEY with your actual API key.
- Run the OpenTelemetry Collector
To run the OpenTelemetry Collector as a Windows service, you can use the New-Service PowerShell cmdlet or the SC command-line tool.
Advanced Configuration Options
Here are some practical configurations to enhance your Windows monitoring:
Filtering Security Events
Security logs can be voluminous. Focus on critical events by using XPath queries:
This configuration captures only login successes (4624), login failures (4625), logouts (4634), explicit credential uses (4648), and special privilege assignments (4672).
Remote Collection for Multiple Servers
For centralized monitoring of multiple servers:
Troubleshooting
If you encounter issues with your Windows monitoring setup:
- Verify OpenObserve Collector Installation: Check if the OpenObserve Collector service is running with Get-Service -Name "OpenObserveAgent".
- Check Permissions: The service account must have administrative privileges to access Windows Event Logs and Performance Counters.
- Test Connectivity: Ensure your server can reach your OpenObserve instance with Test-NetConnection -ComputerName your-openobserve-instance.com -Port 443.
- Review Event Log Access: For security logs, ensure the service account has the Manage auditing and security log right.
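The troubleshooting checks above, together with a local test of the Security-log XPath filter from the Filtering Security Events section, as one PowerShell script. This is an added example, not code from the OpenObserve documentation or agent; the host name is a placeholder and the service name is the page's default for the OpenObserve Collector.

```powershell
# Added example, not part of the OpenObserve docs: runs the troubleshooting checks
# above and validates the Security-log XPath filter from "Filtering Security Events"
# before the collector relies on it. Host name is a placeholder; the service name
# is the page's default (use your otelcol service name if you took that route).
param(
    [string]$OpenObserveHost = 'your-openobserve-instance.com',
    [string]$ServiceName     = 'OpenObserveAgent'
)

# Same event IDs the filtering section lists, in the XPath form the Event Log API accepts.
$EventIds = 4624, 4625, 4634, 4648, 4672
$XPath = '*[System[' + (($EventIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ']]'

function Test-CollectorService {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$ServiceName' not found."; return $false }
    if ($svc.Status -ne 'Running') { Write-Warning "Service '$ServiceName' is $($svc.Status)."; return $false }
    Write-Host "Service '$ServiceName' is running."
    return $true
}

function Test-OpenObserveReachable {
    $r = Test-NetConnection -ComputerName $OpenObserveHost -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { Write-Warning "Cannot reach ${OpenObserveHost}:443 (DNS, firewall or proxy?)."; return $false }
    Write-Host "TCP 443 to $OpenObserveHost is open."
    return $true
}

function Test-SecurityFilter {
    # Shows what the filter matches on this host. Access denied here means the account
    # lacks the "Manage auditing and security log" right named in the last step above.
    try {
        $events = Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents 500 -ErrorAction Stop
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) {
            Write-Warning 'Access denied reading the Security log: grant the account the Manage auditing and security log right.'
        } elseif ($_.Exception.Message -match 'No events were found') {
            Write-Warning 'Filter matched nothing: confirm Logon/Logoff auditing is enabled (auditpol /get /category:"Logon/Logoff").'
        } else { throw }
        return $null
    }
    # One row per event ID so you can see which of the five IDs this host actually produces.
    $events | Group-Object Id | Sort-Object Name | Select-Object @{n='EventID';e={$_.Name}}, Count
}

Write-Host "XPath filter: $XPath"
[void](Test-CollectorService)
[void](Test-OpenObserveReachable)
Test-SecurityFilter | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the monitored host; a filter that matches nothing usually means the audit policy, not the collector, is the problem.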