Creating an Initial Configuration

Use this page to build the first working rsyslog Windows Agent configuration: collect Windows Event Log events and forward them to an rsyslog receiver.

Goal

At the end of this procedure, rsyslog Windows Agent will:

• monitor one or more Windows event logs

• process matching events through a ruleset

• forward them to a remote rsyslog server

Prerequisites

• rsyslog Windows Agent is installed.

• You can open the rsyslog Windows Agent Configuration Client.

• The rsyslog Windows Agent service is installed on the system.

• You know the destination host, port, and transport mode expected by the receiver.

Steps

1. Create a ruleset.

   • In the rsyslog Windows Agent Configuration Client, create a new ruleset.

   • Leave filtering simple for the first test so that visible events can match.

2. Add one forwarding action to that ruleset.

   • Inside the ruleset, add a Forward Syslog action.

   • Enter the receiver host and port.

   • Choose the transport mode expected by the receiver.

3. Create one event collection service.

   • Under Services, add an Event Log Monitor V2 service.

   • Bind that service to the ruleset you created.

   • Select at least one Windows event log or channel to monitor.

4. Save and apply the configuration.

   • Apply or save the changes in the Configuration Client so the service can use them.

   • Until you apply the changes, the running service continues to use the previous configuration.

5. Start or restart the rsyslog Windows Agent service if required.

How to verify

1. Trigger or wait for a Windows event that should be visible.

2. Confirm that the receiver gets the forwarded event.

3. If nothing arrives, check:

   • the rsyslog Windows Agent service is running

   • the event collection service is enabled

   • the service is bound to the correct ruleset

   • the forwarding action is inside that ruleset

   • the receiver host, port, and transport mode are correct

Expected result

If the configuration is correct, rsyslog Windows Agent reads Windows Event Log data and forwards matching events to the configured receiver.

Next step

• To refine matching behavior, continue with Process and Filter.

• To learn about forwarding options, continue with Store and Forward.