Will LEM import logs collected using Windows Log Forwarding?
Here's another approach to this answer. I don't think people here are aware of this feature - it's something within Windows where you can have Windows systems actually forward Event Logs to a central Windows Server, which would then be running the agent. It's kind of like doing agentless collection without SolarWinds having to build it into LEM directly. It can be complicated to set up and do reliably, but if you get it working, the event logs will end up on some central server.
As long as the forwarded logs are rolled up into the "Application", "Security", "System" (and other named logs) that LEM collects, they will automatically be picked up, and you'll see the DetectionIP change to the original source. If they get separated out or only appear in differently named logs, the LEM team would have to do some work to make it happen.
PS: I should mention, there are still benefits to using local collection with an agent - active response, USB defender, reliable encrypted communication, etc.
You can't forward Windows logs to LEM with the Windows Log Forwarding. Please use the LEM Agent.
To clarify, if I am running an agent on the server that is receiving log subscriptions; will LEM pick up the subscribed logs?
Maybe this SolarWinds tool would help
Download a FREE trial of Event Log Forwarder for Windows from SolarWinds
So, you are attempting to have LEM grab logs from a correlation server?
Not a correlation server. Windows has an event forwarding option. Essentially, workstations will forward Windows logs (application, security, system) to a collector, in my case a server. Those logs are stored on the server. I was trying to find out if the LEM agent on the server will collect the logs and send them to the LEM server.
Thanks, I did look into that, I am trying to find a way to collect logs agentless if possible.
So you'll need to have the agent on the server you want to collect the logs from, and then set up your Windows [Application, Security, System] Log Connectors. I do this on my Domain Controllers to monitor logon/logoff events. Let me know if you need more help w/ this.
To collect logs from a Windows workstation or a server, you will need to install the LEM agent on it. You will not be able to forward to a central server, and collect from that.
There are various options to deploy LEM agents to multiple machines:
- The remote installer that is shipped with the product. You will simply need to supply an IP list to target.
- Windows Image: How to include the LEM Agent in a Windows image
- Silent install: SolarWinds Knowledge Base :: Using the SolarWinds LEM Local Agent Installer non-interactively
Thanks, that's what I was getting at. I am testing the log forwarding and have been all week. I had come to the same conclusion as your post. When I changed the destination log to the Windows default logs of the collector, then all was good. I have to go back and take a look at LEM as I haven't specifically looked to see if my test events went through with the originator's workstation name.
I do know however that if you turn the "Computer" column on in the Windows Event Viewer then the log IS associated to the sending computer.
As for the agent benefits, I do agree. The issue I am trying to work around is having agents on our critical servers where possible. We like to keep our servers as lightweight as possible, and so if I can get those logs without an agent then there is a big benefit for us. As for USB defender, we have another solution to capture those events.
Thank you for your response and confirming some of what I thought I had learned in this testing.
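As an added example (not code from any post in this thread or from SolarWinds), here is a PowerShell check to run on the Windows Event Forwarding collector before pointing an agent at it: it lists each subscription's destination log (forwarded records are only picked up by a connector reading Application/Security/System if the subscription writes there rather than to ForwardedEvents) and confirms that collected records still carry the originating computer name. The event ID and sample size are assumptions.

```powershell
# Added example, run on the WEF collector with an elevated prompt.
# Assumes at least one subscription exists; no subscription names are hard-coded.
function Test-WefCollector {
    param([int]$SampleSize = 500)   # assumed sample size per log

    # 1. Which log does each subscription write to? "wecutil es" lists subscriptions,
    #    "wecutil gs <name> /f:xml" returns the subscription definition as XML.
    $subscriptions = wecutil es
    foreach ($name in $subscriptions) {
        [xml]$def = wecutil gs $name /f:xml
        [pscustomobject]@{
            Subscription = $name
            LogFile      = $def.Subscription.LogFile      # e.g. ForwardedEvents or Security
            Enabled      = $def.Subscription.Enabled
        }
    }

    # 2. Records that landed in ForwardedEvents: group by the originating host.
    #    MachineName is the System/Computer value, so it names the sender, not the collector.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents $SampleSize -ErrorAction SilentlyContinue |
        Group-Object MachineName |
        Select-Object @{n='ForwardedEventsSource';e={$_.Name}}, Count

    # 3. Records that were redirected into the collector's own Security log, excluding
    #    the collector's local events. Event ID 4624 (logon) is just an assumed sample.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents $SampleSize -ErrorAction SilentlyContinue |
        Where-Object { $_.MachineName -notlike "$env:COMPUTERNAME*" } |
        Group-Object MachineName |
        Select-Object @{n='SecurityLogRemoteSource';e={$_.Name}}, Count
}

Test-WefCollector | Format-Table -AutoSize
```

If step 3 returns nothing while step 2 shows remote hosts, the subscription is still writing to ForwardedEvents and a connector reading the default logs will not see those records.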
Would using Windows Event forwarding to a central server which has the log forwarder save on LEM agent licenses?
No