How to collect historic logs from Windows devices in EventLog Analyzer
Objective
When a Windows device is onboarded in EventLog Analyzer, log collection starts from the moment of onboarding. To retrieve Windows event logs generated before the onboarding, you can use the following methods:
- Historic log collection: Can be used during device onboarding to collect all logs available in Event Viewer.
- Log import: Can be used to collect archived Event Viewer log files after onboarding the device.
Prerequisites
For enabling historic log collection:
- Logs must be present in Event Viewer.
- Required user and network permission to add the Windows device.
- Regular license as needed for adding a Windows log source.
For log import:
- One Application license for each log file imported.
- The necessary ports and permissions to perform log import (see chart below).
| PORTS | INBOUND | OUTBOUND | SERVICE | Additional rights and permissions |
| TCP/137 | Target device | EventLog Analyzer server | NetBIOS name resolution RPC/named pipes (NP) | User permissions:
|
| TCP/138 | Target device | EventLog Analyzer server | NetBIOS datagram | |
| TCP/139 | Target device | EventLog Analyzer server | NetBIOS session RPC/NP | |
| TCP/445 | Target device | EventLog Analyzer server | SMB RPC/NP |
Steps to follow
Enabling historic log collection
The historic log collection option is used in EventLog Analyzer to collect all the logs present in Windows Event Viewer (i.e., Application, Security, and System events) during device onboarding.
To enable historic log collection, navigate to Settings > Configuration > Manage Devices > Add Devices. Select the device, click the Historic Log Configuration icon in the top-right corner to enable historic log collection, and click Add.
Figure 1: The Historic Log Collection icon in the Add device window when discovering the computer objects via domain.
Figure 2: The Historic Log Collection icon when adding the device manually.
Log import
If you have already onboarded the device and the log collection is happening as intended over a period of time, you can load the Windows Event Viewer archives using log import.
With log import, you can import the EVT/EVTX format for the local path or shared path and associate it with a device.
The logs can be imported in two ways:
Local path:
With this option, you can import log files from any device on which you access the EventLog Analyzer console.
- Click Browse and select the EVT/EVTX file(s) that you would like to import.
- The log format will be auto-identified or can be selected as a Windows Archive File.
- Click the + button and OK to select the device that the log file is associated with. You can also enter the name of the device or select the device from the pop-up window.
- If you wish to store the imported logs for only two days, enable the Store logs for a short term option. By default, the log storage time-period is 32 days.
- Click Import.
- Once the import is completed, the data will be visible with available predefined parser, and you can view the data based on the timestamp recorded in the log message.
Remote path:
Importing log files from a remote path in EventLog Analyzer requires authentication. This authentication can be achieved in two ways:
Authentication type: Username and password
- Click the + Import Logs option in the top right corner of the screen.
- In the Browse File(s) section, select Remote Path tab.
- In the Device field, enter the device name from which you wish to import the log file or click the + icon to browse for and select the Windows device.
- In the Protocol drop-down, choose the required protocol, SMB-Windows or FTP and SFTP, and enter the port number.
- Provide the Username of the remote device and the Password field will pop-up.
- Enter the Password in the field.
- Use the Browse button to browse for and select the file to be imported and click OK.
- The Store Logs for Short-term option will store the imported log data in EventLog Analyzer for two days. If the option is left unchecked, the logs will be stored as per your data retention configuration.
Authentication type: SFTP-based SSH private key file sharing
- From the Browse File(s) options listed, select Remote Path.
- In the Device field, enter the device name from which you wish to import the log file. Alternatively, you can click the + icon to browse for and select the Windows device.
- Choose SFTP as the protocol and enter the port number (default port value is 22).
- Provide the Username and choose Key File as the Authentication Type.
Note: EventLog Analyzer supports OpenSSH key file format only.
- Click Browse and select the key file from the device. You can refer to this page to learn how to generate a key file with ssh-keygen, a standard component of Secure Shell protocol.
- If the key file is passphrase protected, select the Use Passphrase check box and enter the phrase in the field.
- In the File field, click the Browse button to browse for and select the file to be imported.
- The Store Logs for Short-term option will store the imported log data in EventLog Analyzer for two days. If the option is left unchecked, the logs will be stored as per your data retention configuration.
- Click Import to save the configuration.
Figure 3: A successful import of Security.evtx file from two machines done via the local import and remote import option.
Tips
- If there's an interruption in the log collection due to any environmental factors:
- The application resumes the log collection if the events are available in the Event Viewer in agentless log collection.
- For agent-based log collection, the agent can perform log collection locally and forward it to EventLog Analyzer server once connection is established. To do this, navigate to Agent Settings, enable Offline log collection, and define the maximum storage limit.
- Log import consumes one Application license for each import performed. If you are importing for auditing needs, you can select the Store Logs for Short-term option, which will store the imported log data in EventLog Analyzer for two days. If the option is left unchecked, the logs will be stored as per data retention configuration.
- Log import for EVT/EVTX is available for direct import only.
- Both historic log collection and log import of EVT/EVTX are available in the EventLog Analyzer Windows instance only.
Related topics and articles
New to ADSelfService Plus?
Related Articles
Enabling historic log collection in EventLog Analyzer
EventLog Analyzer collects all the logs present in the Windows Event Viewer (i.e., Windows Logs > Application, Security, System) when the historic log collection option is enabled. To enable historic log collection, follow the steps below: Navigate ...How to install the EventLog Analyzer agent on Windows devices: Manual installation
Overview EventLog Analyzer requires agents in specific scenarios to ensure seamless log collection and file monitoring: Windows file server monitoring: An agent is required to monitor files on Windows file servers. RPC connectivity issues: An agent ...How to install EventLog Analyzer Agent on Windows Devices using Microsoft SCCM
Overview EventLog Analyzer requires agents in specific scenarios to ensure proper log collection and file monitoring: Windows File Server Monitoring: Agent is required for monitoring files in Windows file servers. RPC connectivity issues: If RPC ...How to install the EventLog Analyzer agent on Windows devices using a GPO
Overview EventLog Analyzer requires agents in specific scenarios to ensure seamless log collection and file monitoring: Windows file server monitoring: An agent is required to monitor files on Windows file servers. RPC connectivity issues: An agent ...RPC server unavailable in EventLog Analyzer while collecting logs
Issue description The "RPC Server Unavailable" error occurs in EventLog Analyzer when it fails to establish a remote connection with a Windows server or workstation using RPC, WMI, or DCOM services. This issue typically arises due to network ...