Windows Event Logs on standalone server

Comments

3 comments

  • Jay Schwegler

    Hi David,

    Since the server is not part of a Windows Domain, you'll be using a local machine account for the collector authentication. Under that context, the "domain" is simply the server name (as verified by doing a "set" from a command line). I have not tried this, but can't think of a reason why this wouldn't work. Since each domain\user will be different for each server, you wouldn't be able to combine the multiple servers in a single source.

    Also, see our prerequisite information to prep the server so the collector is able to grab the logs:
    https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Remote-Windows-Event-Log-Source/Preconfigure-a-Machine-to-Collect-Remote-Windows-Events

    -Jay

  • David Day

    I performed a test yesterday in an attempt to pull Windows Event logs from non-domain-joined systems located in our DMZ. This was a test in order to not have to use the specific machine name in the Domain field, since that is not a feasible solution in a network that could have hundreds of non-domain-joined systems.

    I used the following three options in the Domain field:

    1. %localhost%
    2. .\
    3. localhost

    To my surprise, not only did one of these options work, but all three options worked and started pulling the Windows Event logs from the non-domain-joined servers. For our deployment I am standardizing on the %localhost% option.

    Thanks.

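An added example (not code from this thread or from Sumo Logic) that checks the same thing the test above relied on from the collector side: that a local SAM account on a non-domain-joined host can read its event logs remotely when the "domain" part of the credential is the local machine (`.\user` or `<hostname>\user`), and that the account has that right through the built-in Event Log Readers group rather than local Administrators. The host name `DMZ-WEB01` and account name `sumocollector` are placeholders, and the target is assumed to allow the Remote Event Log Management firewall rule.

```powershell
# Added example; not the thread's or Sumo Logic's own code. Run on the collector host.
# Placeholder values: adjust to your environment.
$TargetHost = 'DMZ-WEB01'       # non-domain-joined server in the DMZ (placeholder)
$LocalUser  = 'sumocollector'   # local account created on that server (placeholder)
$LogName    = 'Security'

function Test-LocalAccountEventLogRead {
    param(
        [Parameter(Mandatory)] [string]$TargetHost,
        [Parameter(Mandatory)] [string]$LocalUser,
        [Parameter(Mandatory)] [securestring]$Password,
        [string]$LogName = 'Security'
    )
    # On a non-domain-joined host the "domain" of a local account is the host
    # itself. ".\" is Windows shorthand for "this computer"; "<hostname>\" is
    # the explicit form. Both should authenticate against the target's local SAM.
    foreach ($domain in @('.', $TargetHost)) {
        $cred = New-Object System.Management.Automation.PSCredential("$domain\$LocalUser", $Password)
        try {
            # Get-WinEvent -ComputerName uses the same remote Event Log RPC interface
            # a remote event log source relies on, so a success here means the
            # account, firewall and log ACL are all in order.
            $ev = Get-WinEvent -ComputerName $TargetHost -Credential $cred -LogName $LogName `
                               -MaxEvents 3 -ErrorAction Stop
            [pscustomobject]@{ Credential = "$domain\$LocalUser"; Result = 'OK'; NewestRecordId = $ev[0].RecordId }
        } catch {
            [pscustomobject]@{ Credential = "$domain\$LocalUser"; Result = $_.Exception.Message; NewestRecordId = $null }
        }
    }
}

# Least-privilege check, run ON the target host (Windows PowerShell 5.1+): the
# collector account should get its read access from 'Event Log Readers', not
# from 'Administrators'.
function Test-CollectorAccountPrivilege {
    param([Parameter(Mandatory)] [string]$LocalUser)
    $readers = Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name
    $admins  = Get-LocalGroupMember -Group 'Administrators'    | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Account          = $LocalUser
        InEventLogReaders = ($readers -match "\\$LocalUser$").Count -gt 0
        InAdministrators  = ($admins  -match "\\$LocalUser$").Count -gt 0   # should be False
    }
}

$pw = Read-Host -AsSecureString -Prompt "Password for local account $LocalUser on $TargetHost"
Test-LocalAccountEventLogRead -TargetHost $TargetHost -LocalUser $LocalUser -Password $pw -LogName $LogName |
    Format-Table -AutoSize
```

A row with Result `OK` for `.\sumocollector` confirms the local-machine credential form works for remote reads; an access-denied row with the account outside Event Log Readers points at the prerequisite step Jay links above rather than at the Domain field setting.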
  • Jay Schwegler

    Great solution! I am equally surprised.

    I would not have guessed that the %localhost% variable would have been translated in that context.

    ./Jay

