Adding Windows Events Logs from Multiple Machines

XpoLog provides a wizard that helps adding Windows Event logs from multiple machines based on an external configuration XML file.

Please follow the below steps:

Import Windows Event logs templates package into your XpoLog:
1. Download the package here: Windows Event Logs Templates (do not extract)
2. Go to XpoLog>Configuration>Import Templates, select the zip file and save
3. XpoLog will import the templates of Application, Security and System Windows Event Logs

Prepare the Wizard:

Download the package here: Windows Event logs XpoLog Package and extract it on your desktop

Edit the following files:

logsAdminClient.properties:
xpologURL - should be the URL to your XpoLog instance. For example if you extracted it on the same machine that you are using to run XpoLog, use this: http://localhost:30303/logeye
user / password - should be the administrator user of XpoLog in case security is activated (admin/admin by default) or leave empty if security is not active
configFile - should be the configuration XML file (by default: logsAdminConfigurationWizard.xml)

logsAdminConfigurationWizard.xml:
For each server that you wish to add it's Windows Event logs enter it's name under the <server> tag - the example contains 2 entries of servers which should be modified (add more / remove based on the machines in your environment)

DirectoryScanner XML General Structure

The following is the XML code of DirectoryScanner.

<ConfigurationWizard>
     <Defaults>
         <LogsGroup> 
             <Log logTemplate="" />
             <Log logTemplate="" />
             <Log logTemplate="" />
        </LogsGroup>
        <Server targetName="" accountName="" >
            <LogsGroup target="" />
        </Server>
        <Server targetName="" >
            <LogsGroup target="" />
        </Server>
    </Defaults>
    <Servers>
        <Server target="" name="" collectionPolicy="" displayName="" />
        <Server target="" name="" collectionPolicy="" displayName="" />
    </Servers>
</ConfigurationWizard>

The following table describes the general structure of ConfigurationWizard.

Tag Path	Mandatory/Optional	Description
Defaults	Mandatory
Defaults/LogsGroup	Mandatory	Contains the target name to use, logs names that will created, the location in the XpoLog Folders and Logs tree and the application which logs are tagged to when created.
Defaults/LogsGroup/Log	Mandatory	The templates which will be used on each server to add the logs.
Defaults/Server	Mandatory	Contains a target of server. If needed a the connectivity account that should be used to connect to a remote Windows server can be specified (Creating an Account).
Servers	Mandatory	Contains the list of servers which will be scanned.
Servers/Server	Mandatory	Contains the target that should be used in the server, server hostname/ip address, collection policy which will be tagged to the server's log and a server display name.

XML Reference

Defaults/LogsGroup

Parameter	Mandatory/Optional	Description	Values
targetName	Mandatory	The name of the target of this LogsGroup.	String
logNameStructure	Mandatory	The name structure of the logs that will created. Available placeholders that can be used: [TEMPLATE_NAME], [SERVER_NAME], [displayName]	String
folderNameStructure	Mandatory	The folder name and location that the logs will be tagged to in XpoLog's folders and logs tree. Root = Top Folder -> = separator to the next folder in the hierarchy Available placeholders that can be used to tag/create folders: [TEMPLATE_NAME], [SERVER_NAME], [displayName]	String
applications	Optional	The name of the application which the logs will be tagged to. Leave empty or remove in order not to tag logs to an application	String
Log/logTemplate	Mandatory	The exact name of the template which will be used to create the log	String

Example

<LogsGroup targetName="default" logNameStructure="[displayName] [TEMPLATE_NAME]" folderNameStructure="Root-&gt;[displayName]" applications="Windows Event Logs" > 
    <Log logTemplate="Application" />
    <Log logTemplate="Security" />
    <Log logTemplate="System" />
</LogsGroup>

Defaults/Server

Parameter	Mandatory/Optional	Description	Values
targetName	Mandatory	The name of the target of this server.	String
accountName	Optional	If a connectivity account should be used to connect to a remote Windows server the account name can be specified (Creating an Account)	String
LogsGroup/target	Mandatory	The name of the LogsGroup's target that should be used	String

Example

<Server targetName="AuthAccountEnabled" accountName="AuthAccountName" >
    <LogsGroup target="default" />
</Server>

Servers

Parameter	Mandatory/Optional	Description	Values
Server/target	Mandatory	The target that this server should use	String
Server/name	Mandatory	The ip or hostname of this server	String
Server/collectionPolicy	Optional	The collection policy that will be assigned on logs from this server. If used, the name should be the exact name of an existing collection policy in XpoLog	String
Server/displayName	Optional	The display name of the server. Usually used if the name and the display name of a server are different. The display name placeholder can be used in the folders/logs names structue	String

Example

Verify that JAVA is available on the machine you are running the wizard from:
1. Open the command line console and run 'java' - in case JAVA is installed please proceed to the next step
2. In case JAVA is not installed, please edit the file run.bat and set a path to an available JAVA on the machine from which you're running this wizard from. For example if you are using the Wizard on the same machine that you are running XpoLog on, you can use XpoLog internal JAVA, for example modify the file run.bat and use: "C:\Program Files\XpoLogCenter6\jre\bin\java" instead of 'java'
Run the batch file run.bat
Once done, refresh XpoLog. The result will be a list of folders in XpoLog (one for each server) with the server's Windows Event logs configured under it.