IBM Operations Analytics - Log Analysis, Version 1.3.2

Windows OS Events Insight Pack

The Windows OS Events Insight Pack allows users of IBM® Operations Analytics - Log Analysis, in conjunction with the Tivoli Log File Agent or logstash, to gather and process Windows OS events.

This document describes the version of the Windows OS Events Insight Pack that is installed when you install IBM Operations Analytics - Log Analysis. An updated version of the Windows OS Events Insight Pack may have been published after this version of IBM Operations Analytics - Log Analysis. To download the latest versions of this Insight Pack as well as updated documentation, see http://www.ibm.com/developerworks/servicemanagement/downloads.html.

Two separate data gathering mechanisms are supported, the Tivoli Log File Agent and logstash.

The IBM Operations Analytics - Log Analysis Windows OS Events Insight Pack is built using the IBM Operations Analytics - Log Analysis DSV Toolkit.

Windows events gathered by either the Tivoli Log File Agent (LFA) or logstash are converted into a comma-separated format, then indexed and annotated for analysis.

The LFA is an agent that provides configurable log file monitoring based on regular expressions. To monitor the Windows event log, the LFA reads the WINEVENTLOGS option in its configuration (.conf) file. The option takes a comma-separated list of event log names, as in the following example:

WINEVENTLOGS=System,Security,Application
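Before deploying the agent it is worth confirming that every log named in WINEVENTLOGS exists on the host and is readable by the account the LFA runs under; the Security log in particular is only readable by administrators or members of the Event Log Readers group, and an unreadable log is silently not forwarded. The following PowerShell pre-flight check is an added example, not part of the Insight Pack or the LFA. The .conf path is a hypothetical default and the script is meant to be run as the agent's service account.

```powershell
# Added pre-flight check (not part of the Insight Pack or the LFA): read the
# WINEVENTLOGS setting from an LFA .conf file and confirm that each listed
# event log exists and can be read by the current account. Run it as the
# account that will run the agent.
# Assumption: the default path below is hypothetical; pass your own via -ConfPath.
param(
    [string]$ConfPath = 'C:\IBM\LFA\winevents.conf'
)

# Locate the WINEVENTLOGS line; the value is a comma-separated list of log names.
$match = Select-String -Path $ConfPath -Pattern '^\s*WINEVENTLOGS\s*=(.*)$' |
    Select-Object -First 1
if (-not $match) { throw "No WINEVENTLOGS setting found in $ConfPath" }

$logNames = $match.Matches[0].Groups[1].Value.Split(',') |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' }

$results = foreach ($name in $logNames) {
    $status = [ordered]@{ Log = $name; Exists = $false; Readable = $false; Records = $null; Error = $null }
    try {
        # Does a log with this exact name exist on this host?
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) { throw "No event log named '$name' on this computer" }
        $status.Exists  = $true
        $status.Records = $cfg.RecordCount

        # Open a reader as the current account. Access denied (typically on the
        # Security log for accounts outside Administrators / Event Log Readers)
        # surfaces here as an exception; an empty log simply returns no event.
        $reader = New-Object System.Diagnostics.Eventing.Reader.EventLogReader($name)
        $null = $reader.ReadEvent()
        $reader.Dispose()
        $status.Readable = $true
    } catch {
        $status.Error = $_.Exception.Message
    }
    [pscustomobject]$status
}

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Readable }) {
    Write-Warning 'At least one configured log is missing or not readable by this account; the LFA will not forward its events.'
    exit 1
}
```

Run it once as the LFA service account on each monitored host; a non-zero exit means the WINEVENTLOGS list or the account's permissions need fixing before the agent is started.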

logstash has a supported input module named eventlog, http://logstash.net/docs/1.2.2/inputs/eventlog, which pulls events from the Windows event logs. The events are then forwarded by the output module available in the logstash Integration Toolkit to the IBM Operations Analytics - Log Analysis EIF Receiver.
