Collect and Forward Windows Events
rsyslog Windows Agent is primarily used to collect Windows-originated events through configured input services and forward them to rsyslog or another downstream receiver.
What the product collects
The most common sources are:
Windows Event Log channels
text-based application log files
incoming syslog messages when the agent is used as a relay
What the product usually does next
After collection, rsyslog Windows Agent processes the events through a ruleset and then forwards the matching data to another system, most often a central rsyslog server.
Where to configure it
Services is the entry point for event collection.
Event Log Monitor V2 is the preferred service for modern Windows Event Log channels.
File Monitor is available when you need to watch text-based log files.
Syslog server is available when the agent should relay incoming syslog.
If you run multiple input services, see How Do Port, Address, and Transport Conflicts Work for Input Services? before reusing a transport, IP address, and port combination.
Quick verification
Configure one collection input service.
Bind it to a ruleset with a visible forwarding action.
Apply the configuration and confirm that new events reach the receiver.
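For the last verification step, a throwaway receiver can confirm that a specific test event actually arrived and show the facility and severity it was forwarded with. The following is an added example, not part of the product or its documentation. It assumes the forwarding action sends syslog over UDP to a test port (5514 here) and that you have written an event containing a marker string of your choosing into the monitored source; the function names, port, and marker are hypothetical.

```python
import re
import socket
import time

# Syslog messages start with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram: bytes):
    """Return (facility, severity), or None if the PRI header is missing or invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return divmod(pri, 8)

def wait_for_marker(sock, marker: bytes, timeout: float = 30.0):
    """Read datagrams until one carries the marker or the overall deadline passes.

    Returns (sender_ip, facility, severity, text) or None on timeout.
    Unrelated traffic and malformed datagrams are skipped, not treated as success.
    """
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        sock.settimeout(remaining)
        try:
            data, (ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            return None
        parsed = parse_pri(data)
        if parsed is not None and marker in data:
            facility, severity = parsed
            return (ip, facility, severity, data.decode("utf-8", "replace"))

if __name__ == "__main__":
    MARKER = b"AGENT-VERIFY-0001"  # constructed marker; write it into a test event first
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", 5514))     # assumed test port, matches the forwarding action
    hit = wait_for_marker(rx, MARKER)
    print(hit if hit else "no event with the marker arrived before the timeout")
```

Checking the sender address in the result also confirms the event came from the expected agent host rather than from another source sending to the same port.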