Ship Windows logs

Winlogbeat (recommended)
NXLog

Windows + Winlogbeat setup

You’ll need: Winlogbeat

Download the Logz.io certificate

For HTTPS shipping, download the Logz.io public certificate to your machine. We’ll place the certificate in C:\ProgramData\Filebeat\COMODORSADomainValidationSecureServerCA.crt for this example.
Configure Windows input

In the Winlogbeat configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml by default), add this code block to the root level.

Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to.
```
fields:
  logzio_codec: json
  token: <<SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true
```
Add Logz.io as an output

If Logz.io is not an output in the Winlogbeat configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml by default), add it now.

Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.
```
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Filebeat\COMODORSADomainValidationSecureServerCA.crt']
```

Remove remaining default blocks

If the output.elasticsearch and setup.template.settings blocks are still in the configuration file, remove them.

# Remove this block if it's still in the config file
setup.template.settings:
  index.number_of_shards: 3

# Remove this block if it's still in the config file
output.elasticsearch:
  hosts: ["localhost:9200"]

Restart Winlogbeat

PS C:\Program Files\Winlogbeat> Restart-Service winlogbeat

Check Logz.io for your logs

Give your logs a few minutes to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.

Windows + NXLog setup

You’ll need: NXLog

Configure NXLog basics

Copy this code into your configuration file (C:\Program Files (x86)\nxlog\conf\nxlog.conf by default).

define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>

Add Windows as an input

Add an Input block to append your account token to log records.

Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to.

<Input eventlog>

# For Windows Vista/2008 and later, set Module to `im_msvistalog`. For
#  Windows XP/2000/2003, set to `im_mseventlog`.
    Module im_msvistalog

    Exec if $raw_event =~ /^#/ drop();
    Exec convert_fields("AUTO", "utf-8");
    Exec    $raw_event = '[<<SHIPPING-TOKEN>>][type=wineventlog]' + $raw_event;
</Input>

Add Logz.io as an output

Add the Logz.io listener in the Output block.

Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.
```
<Output out>
    Module  om_tcp
    Host    <<LISTENER-HOST>>
    Port    8010
</Output>
<Route 1>
    Path eventlog => out
</Route>
```

Restart NXLog

PS C:\Program Files (x86)\nxlog> Restart-Service nxlog

Check Logz.io for your logs

Give your logs a few minutes to get from your system to ours, and then open Kibana.