This guide shows you how to send Windows Event Logs from the System and Application channels to SigNoz using the OpenTelemetry Collector.
Key channels typically monitored include:
- Application: Logs events related to applications running on the system.
- Security: Records security-related events such as login attempts and resource access.
- System: Captures events related to system components, drivers, and services.
Prerequisites
- A Microsoft User account with permissions to access Event Logs and Services.
- An instance of SigNoz (either Cloud or Self-Hosted).
Send Logs to SigNoz
Step 1: Add OpenTelemetry Collector Binary
Add the OpenTelemetry Collector binary to your Windows VM/machine by following the OTel binary setup guide.
Step 2: Configure the windowseventlog Receiver
Add the following windowseventlog receivers to the receivers section of your existing config.yaml:
receivers:
  windowseventlog/application:
    channel: application
  windowseventlog/system:
    channel: system
Add the SigNoz Cloud exporter to the exporters section:
exporters:
  otlp:
    endpoint: "https://ingest.<region>.signoz.cloud:443"
    headers:
      signoz-ingestion-key: "<your-ingestion-key>"
Add the batch processor (if not already present) and enable the receivers in the service.pipelines.logs section:
processors:
  batch: {}
service:
  pipelines:
    logs:
      receivers: [windowseventlog/application, windowseventlog/system]
      processors: [batch]
      exporters: [otlp]
Verify these values:
- <region>: Your SigNoz Cloud region.
- <your-ingestion-key>: Your SigNoz ingestion key.
Learn more about the windowseventlog receiver.
Step 3: Restart the Collector
Save the changes and restart the OpenTelemetry Collector Windows service:
Restart-Service -Name "otelcol-contrib"
The Collector should start without errors and begin tailing the configured channels.
Validate
Once the Collector is running:
- Open SigNoz and navigate to Logs > Logs Explorer.
- Search for logs by filtering on your service or source. Windows Event Logs should start appearing as new events are generated on the machine.
- Click on a log entry and verify it contains the expected fields.

Example Log Output
This is what typical event logs look like after being parsed in SigNoz:
Application Log
{
  "body": "{\"channel\":\"Application\",\"computer\":\"logs-windows\",\"event_data\":{},\"event_id\":{\"id\":16384,\"qualifiers\":16384},\"keywords\":[\"Classic\"],\"level\":\"Information\",\"message\":\"Successfully scheduled Software Protection service for re-start at 2024-08-10T18:52:44Z. Reason: RulesEngine.\",\"opcode\":\"0\",\"provider\":{\"event_source\":\"Software Protection Platform Service\",\"guid\":\"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}\",\"name\":\"Microsoft-Windows-Security-SPP\"},\"record_id\":750,\"system_time\":\"2024-08-03T19:29:44.9757970Z\",\"task\":\"0\"}",
  "id": "2k2Ud5JPPt8hVRQpgF6gXTxl1Yd",
  "timestamp": "2024-08-03T19:29:44.975797Z",
  "attributes": {},
  "resources": {},
  "severity_text": "INFO",
  "severity_number": 9,
  "span_id": "",
  "trace_flags": 0,
  "trace_id": ""
}
System Log
{
  "body": "{\"channel\":\"System\",\"computer\":\"logs-windows\",\"event_data\":{\"param1\":\"Background Intelligent Transfer Service\",\"param2\":\"auto start\",\"param3\":\"demand start\",\"param4\":\"BITS\"},\"event_id\":{\"id\":7040,\"qualifiers\":16384},\"keywords\":[\"Classic\"],\"level\":\"Information\",\"message\":\"The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.\",\"opcode\":\"0\",\"provider\":{\"event_source\":\"Service Control Manager\",\"guid\":\"{555908d1-a6d7-4695-8e1e-26931d2012f4}\",\"name\":\"Service Control Manager\"},\"record_id\":893,\"system_time\":\"2024-08-03T19:32:41.9476831Z\",\"task\":\"0\"}",
  "id": "2k2Ud5JPPt8hVRQpgF6gXTxl1Yf",
  "timestamp": "2024-08-03T19:32:41.9476831Z",
  "attributes": {},
  "resources": {},
  "severity_text": "INFO",
  "severity_number": 9,
  "span_id": "",
  "trace_flags": 0,
  "trace_id": ""
}
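In the records above, body is a JSON document stored as a string, so anything consuming an export has to decode twice before it can filter on event fields. The following is an added example, not part of the SigNoz documentation: it decodes exported records and summarises Service Control Manager event 7040 (service start type changed), using the param2/param3/param4 layout visible in the System Log sample. The function names and the trimmed sample records are constructed for illustration.

```python
import json

def decode_event(record):
    """Return the Windows event dict nested in record["body"], or None."""
    try:
        event = json.loads(record.get("body") or "")
    except (TypeError, ValueError):
        return None  # body missing, not a string, or not valid JSON
    return event if isinstance(event, dict) else None

def service_start_type_changes(records):
    """Summarise System-channel event 7040 (service start type changed)."""
    findings = []
    for record in records:
        event = decode_event(record)
        if not event or event.get("channel") != "System":
            continue
        event_id = event.get("event_id")
        # event_id is an object ({"id": ..., "qualifiers": ...}) in the samples;
        # tolerate a bare integer as well.
        if isinstance(event_id, dict):
            event_id = event_id.get("id")
        if event_id != 7040:
            continue
        data = event.get("event_data") or {}
        findings.append({
            "computer": event.get("computer"),
            "service": data.get("param4"),        # short service name
            "old_start_type": data.get("param2"),
            "new_start_type": data.get("param3"),
            "time": event.get("system_time"),
        })
    return findings

# Constructed sample: trimmed copies of the two records shown above, plus one
# record with a truncated body to exercise the failure path.
SAMPLE_RECORDS = [
    {"body": json.dumps({"channel": "Application", "computer": "logs-windows",
                         "event_data": {}, "event_id": {"id": 16384}})},
    {"body": json.dumps({"channel": "System", "computer": "logs-windows",
                         "event_data": {"param2": "auto start", "param3": "demand start",
                                        "param4": "BITS"},
                         "event_id": {"id": 7040, "qualifiers": 16384},
                         "system_time": "2024-08-03T19:32:41.9476831Z"})},
    {"body": "{\"channel\": \"System\""},
]

if __name__ == "__main__":
    for finding in service_start_type_changes(SAMPLE_RECORDS):
        print(finding)
```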
Troubleshooting
Logs are not appearing in SigNoz
- Symptom: No Windows Event Logs appear in Logs > Logs Explorer after configuring the receiver.
- Likely causes:
  - The OpenTelemetry Collector service is not running.
  - A configuration error in config.yaml (incorrect receiver name, YAML indentation, or missing pipeline entry).
  - The Windows machine cannot reach the SigNoz endpoint (<region>.signoz.cloud:443).
- Fix:
  - Verify the Collector service is running: Get-Service otelcol-contrib in PowerShell.
  - Check the Collector logs (installation directory or Windows Event Viewer) for errors mentioning windowseventlog or otlp.
  - Test outbound connectivity: Test-NetConnection ingest.<region>.signoz.cloud -Port 443.
- Verification: After applying the fix, restart the Collector and confirm logs appear in Logs > Logs Explorer within a few seconds.
Get Help
If you need help with the steps in this topic, please reach out to us on SigNoz Community Slack.
If you are a SigNoz Cloud user, please use the in-product chat support located at the bottom right corner of your SigNoz instance or contact us at cloud-support@signoz.io.