Windows host - agent based solution
Axoflow provides a customized OpenTelemetry Collector distribution to collect data from Microsoft Windows hosts.
To collect data from Windows hosts without installing an agent, see Windows Event Collector (WEC).
Alternatively, once deployed on a Windows host, you can configure the Axoflow OpenTelemetry Collector to collect event logs from other Windows hosts and forward them to AxoRouter.
Prerequisites
The Axoflow OpenTelemetry Collector supports the following Windows versions:
- Windows Server 2025
- Windows Server 2022
- Windows 11
- Windows 10
Installation
1. Download the installation package for your platform from the Assets section of the release. We provide MSI installers and binary releases for the amd64 and arm64 architectures.
2. Run the installer. By default, the installer installs:
   - the collector agent to `C:\Program Files\Axoflow\OpenTelemetry Collector\axoflow-otel-collector.exe`, and
   - a default configuration file (`C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml`) that must be edited before use.
Configuration
If you have already installed the agent, complete the following steps to configure it.
1. Open the configuration file (`C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml`).
2. Set the IP address and port of the AxoRouter host where you want to send data from this Windows host. Use the IP address and port of the AxoRouter OpenTelemetry connector (for example, `10.0.2.2:4317`). Here's how to find the IP address of your AxoRouter. (By default, every AxoRouter has an OpenTelemetry connector enabled.)

   ```yaml
   exporters:
     otlp/axorouter:
       endpoint: 10.0.2.2:4317
       tls:
         insecure: true
   ```

   Note that `insecure: true` makes the exporter send the logs to AxoRouter over a plaintext (non-TLS) connection. Keep it only if the network path between the Windows host and AxoRouter is trusted.
3. (Optional) Customize the Event log sources. The default configuration collects data from the following channels: `application`, `security`, `system`.

   To include additional channels:

   1. Add a new `windowseventlog` receiver under the `receivers` section, like this:

      ```yaml
      receivers:
        windowseventlog/<CHANNEL_NAME>:
          channel: <CHANNEL_NAME>
          raw: true
      ```

   2. Include the new receiver in a pipeline under the `service.pipelines` section, for example:

      ```yaml
      service:
        pipelines:
          logs/eventlog:
            receivers: [windowseventlog/application, windowseventlog/system, windowseventlog/security, windowseventlog/<CHANNEL_NAME>]
            processors: [resource/agent, resourcedetection/system]
            exporters: [otlp/axorouter]
      ```
4. (Optional) Configure collecting DNS logs from the host.

   1. Check the path of the DNS log file by running the following PowerShell command:

      ```powershell
      (Get-DnsServerDiagnostics).LogFilePath
      ```

   2. Enter the path into the `receivers.filelog/windows_dns_debug_log.include` section of the configuration file. Note that you have to escape the backslashes in the path, for example, `C:\\Windows\\System32\\DNS\\dns.log`.

      ```yaml
      receivers:
        filelog/windows_dns_debug_log:
          include: ['<ESCAPED_DNS_LOGFILE_PATH>']
          ...
      ```
5. (Optional) Configure collecting DHCP logs from the host.

   1. Check the path of the DHCP log files by running the following PowerShell command:

      ```powershell
      (Get-DhcpServerAuditLog).Path
      ```

      DHCP server log files usually start with the `DhcpSrvLog` (for IPv4) or the `DhcpV6SrvLog` (for IPv6) prefix.

   2. Enter the path of the IPv4 log files without the filename into the `receivers.filelog/windows_dhcp_server_v4_auditlog.include` section of the configuration file. Note that you have to escape the backslashes in the path, for example, `C:\\Windows\\System32\\DHCP\\`.
   3. Enter the path of the IPv6 log files without the filename into the `receivers.filelog/windows_dhcp_server_v6_auditlog.include` section of the configuration file. The IPv6 log files are normally in the same directory as the IPv4 ones, so the escaped path is the same, for example, `C:\\Windows\\System32\\DHCP\\`.

      ```yaml
      receivers:
        filelog/windows_dhcp_server_v4_auditlog:
          include: ['<ESCAPED_DHCP_SERVER_LOGS_PATH>\\DhcpSrvLog*']
          ...
        filelog/windows_dhcp_server_v6_auditlog:
          include: ['<ESCAPED_DHCPV6_SERVER_LOGS_PATH>\\DhcpV6SrvLog*']
          ...
      ```
6. Save the file.
7. Restart the service.

   ```powershell
   Restart-Service axoflow-otel-collector
   ```

   The agent starts sending data to the configured AxoRouter.
8. Add the Windows host where you've installed the OpenTelemetry Collector to Axoflow Console as a data source.

   1. Open the Axoflow Console.
   2. Select Topology > + > Source.
   3. Select Microsoft Windows as the type of the source.
   4. Set the IP address and the host name (FQDN) of the host.
   5. Select Create.

9. Create a flow between the data source and the OpenTelemetry connector of AxoRouter. You can use the Select messages processing step (with the `meta.connector.type = otlp and meta.product =* windows` query) to route only the Windows data received by the AxoRouter OpenTelemetry connector to your destination.
10. (Optional) If you want the Windows host to collect data from other hosts without installing separate agents on them, you can configure remote event log collection.
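The following pre-flight script is an added example for the configuration steps above; it is not part of the Axoflow documentation or distribution. It resolves the DNS and DHCP log paths and prints them with the escaped backslashes the `filelog` `include` entries need, checks that the event log channels referenced by the `windowseventlog` receivers exist on the host, flags leftover `<PLACEHOLDER>` values and the plaintext `insecure: true` exporter setting in `config.yaml`, tests TCP reachability of the AxoRouter OTLP endpoint, and only then restarts the service. The endpoint, the channel list and the config path are assumptions taken from the examples above; adjust them to your deployment.

```powershell
# Added example, not Axoflow's own code: pre-flight checks for the local
# collector configuration. Endpoint, channels and config path are assumptions.
param(
    [string]$AxoRouterEndpoint = '10.0.2.2:4317',
    [string[]]$Channels = @('application', 'security', 'system'),
    [string]$ConfigPath = 'C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml'
)

# Double every backslash so the path can be pasted into a filelog 'include' entry.
function ConvertTo-EscapedYamlPath {
    param([Parameter(Mandatory)][string]$Path)
    return $Path.Replace('\', '\\')
}

# True if the Windows event log channel is registered on this host.
function Test-EventLogChannel {
    param([Parameter(Mandatory)][string]$Channel)
    return $null -ne (Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue)
}

# True if a TCP connection to host:port succeeds (reachability only, no TLS handshake).
function Test-AxoRouterEndpoint {
    param([Parameter(Mandatory)][string]$Endpoint)
    $hostName, $port = $Endpoint -split ':', 2
    $result = Test-NetConnection -ComputerName $hostName -Port ([int]$port) -WarningAction SilentlyContinue
    return [bool]$result.TcpTestSucceeded
}

$ok = $true

foreach ($channel in $Channels) {
    if (Test-EventLogChannel $channel) {
        Write-Host "channel '$channel': present"
    } else {
        Write-Warning "channel '$channel' does not exist on this host; remove its receiver from the pipeline"
        $ok = $false
    }
}

# The DNS and DHCP cmdlets only exist on hosts that have the respective server role.
if (Get-Command Get-DnsServerDiagnostics -ErrorAction SilentlyContinue) {
    $dnsPath = (Get-DnsServerDiagnostics).LogFilePath
    if ($dnsPath) {
        Write-Host "DNS debug log (escaped): $(ConvertTo-EscapedYamlPath $dnsPath)"
    } else {
        Write-Warning 'DNS server role present, but no debug log file path is configured'
    }
}
if (Get-Command Get-DhcpServerAuditLog -ErrorAction SilentlyContinue) {
    $dhcpPath = (Get-DhcpServerAuditLog).Path
    Write-Host "DHCP audit log directory (escaped): $(ConvertTo-EscapedYamlPath $dhcpPath)"
}

# Placeholders such as <ESCAPED_DNS_LOGFILE_PATH> left in the file are not valid paths.
$placeholders = Select-String -Path $ConfigPath -Pattern '<[A-Z0-9_]+>' -AllMatches
foreach ($m in $placeholders) {
    Write-Warning "unreplaced placeholder on line $($m.LineNumber): $($m.Line.Trim())"
    $ok = $false
}

# The default exporter block ships with 'insecure: true', i.e. plaintext transport.
if (Select-String -Path $ConfigPath -Pattern 'insecure:\s*true' -Quiet) {
    Write-Warning 'exporter uses tls.insecure: true; logs leave this host unencrypted'
}

if (Test-AxoRouterEndpoint $AxoRouterEndpoint) {
    Write-Host "AxoRouter endpoint $AxoRouterEndpoint is reachable"
} else {
    Write-Warning "cannot open a TCP connection to $AxoRouterEndpoint"
    $ok = $false
}

if ($ok) {
    Restart-Service -Name axoflow-otel-collector
    Get-Service -Name axoflow-otel-collector | Select-Object Name, Status
} else {
    Write-Warning 'fix the problems above before restarting axoflow-otel-collector'
}
```

Run it in an elevated PowerShell session on the Windows host after editing `config.yaml`. The endpoint check only proves that the port accepts TCP connections; it does not validate the TLS configuration, so if you turn `insecure` off, confirm the certificate chain separately. The `-split ':'` handling assumes an IPv4 address or host name, not a bracketed IPv6 literal.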
Collect event logs of remote sources
Once you’ve deployed the Axoflow OpenTelemetry Collector on a Windows host, you can configure it to collect event logs from remote Windows hosts and forward them to AxoRouter, without having to install it on these hosts. Complete the following steps.
1. Open the configuration file of Axoflow OpenTelemetry Collector (`C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml`).
2. Add a `remote` section to your `windowseventlog` receiver, like this:

   ```yaml
   receivers:
     windowseventlog:
       channel: application
       remote:
   ```

3. Add the credentials that the Axoflow OpenTelemetry Collector can use to access the remote Windows host.

   ```yaml
   receivers:
     windowseventlog:
       channel: application
       remote:
         - credentials:
             username: "my-log-collector-user"
             password: "my-password"
             domain: "authentication-domain"
   ```

   Use a dedicated account that has only the rights needed to read the event logs of the remote hosts (for example, membership in their Event Log Readers group), not an administrative account, and restrict read access to `config.yaml`, because the password is stored in it in plain text.

4. Add the address of the remote host under the `servers` key. If the same credentials can be used to access multiple hosts, you can list them.

   ```yaml
   receivers:
     windowseventlog:
       channel: application
       remote:
         - credentials:
             username: "my-log-collector-user"
             password: "my-password"
             domain: "authentication-domain"
           servers:
             - "remote-server-1"
             - "remote-server-2"
   ```

5. You can repeat the `credentials` block to configure other remote hosts with other credentials, for example:

   ```yaml
   receivers:
     windowseventlog:
       channel: application
       remote:
         - credentials:
             username: "my-log-collector-user"
             password: "my-password"
             domain: "authentication-domain"
           servers:
             - "remote-server-1"
             - "remote-server-2"
         - credentials:
             username: "my-other-log-collector-user"
             password: "my-other-password"
             domain: "authentication-domain"
           servers:
             - "remote-server-3"
             - "remote-server-4"
   ```

6. Save the file.
7. Restart the service.

   ```powershell
   Restart-Service axoflow-otel-collector
   ```

   The agent starts sending data to the configured AxoRouter.
8. Add the newly configured hosts to the Axoflow Console. Open the Topology page, select + Source > Detected. The new sources will appear here when AxoRouter starts receiving their logs. Alternatively, you can start log tapping on the AxoRouter that receives the event logs, find the new hosts, and click Register source.
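The script below is an added example for the remote collection setup above; it is not Axoflow's own code. Run it on the collector host before restarting the service. It verifies that the account from the `credentials` block can actually read the configured channel on each host listed under `servers` (the same access the receiver will need), and that `config.yaml`, which now carries that password in plain text, grants access only to SYSTEM and Administrators. The domain, user name, server names and channel are the placeholders from the configuration above; the allowed-identity list assumes the collector service runs as LocalSystem, so add the service account if yours runs under a different identity.

```powershell
# Added example, not Axoflow's own code: verify the remote collection account
# and the ACL on config.yaml. Domain, user, servers and channel are placeholders
# copied from the configuration above; the ACL allow-list assumes LocalSystem.
param(
    [string]$Domain     = 'authentication-domain',
    [string]$UserName   = 'my-log-collector-user',
    [string[]]$Servers  = @('remote-server-1', 'remote-server-2'),
    [string]$Channel    = 'Application',
    [string]$ConfigPath = 'C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml'
)

# Prompt for the password instead of embedding it in yet another file.
$cred = Get-Credential -UserName "$Domain\$UserName" -Message 'Password of the log collector account'

# True if the account can read the newest event of the channel on the remote host.
# Get-WinEvent talks to the remote EventLog service the same way a remote reader does.
function Test-RemoteEventLogRead {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        $null = Get-WinEvent -ComputerName $Server -LogName $LogName -MaxEvents 1 `
                             -Credential $Credential -ErrorAction Stop
        return $true
    } catch {
        # An empty channel is readable but yields "No events were found"; that is still success.
        if ($_.Exception.Message -like 'No events were found*') { return $true }
        Write-Warning "${Server}\${LogName}: $($_.Exception.Message)"
        return $false
    }
}

# True if every Allow ACE on the file belongs to one of the allowed identities.
function Test-ConfigFileAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $acl = Get-Acl -Path $Path
    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $AllowedIdentities -notcontains $_.IdentityReference.Value
    })
    foreach ($ace in $unexpected) {
        Write-Warning "$Path is accessible to $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }
    return $unexpected.Count -eq 0
}

$ok = $true
foreach ($server in $Servers) {
    if (Test-RemoteEventLogRead -Server $server -LogName $Channel -Credential $cred) {
        Write-Host "${server}: $Channel readable as $($cred.UserName)"
    } else {
        $ok = $false
    }
}
if (-not (Test-ConfigFileAcl -Path $ConfigPath)) {
    Write-Warning "tighten the ACL on $ConfigPath before leaving the password in it"
    $ok = $false
}
if ($ok) { Write-Host 'remote collection prerequisites look good; restart axoflow-otel-collector' }
```

Two things commonly make the read test fail: the account is not a member of the remote host's Event Log Readers group (on that host, `Add-LocalGroupMember -Group 'Event Log Readers' -Member 'authentication-domain\my-log-collector-user'`), and the Remote Event Log Management firewall rule group is disabled there, which surfaces as an RPC server unavailable error. To make the ACL check pass on a LocalSystem service, remove inherited entries from the file, for example with `icacls "C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml" /inheritance:r /grant:r "SYSTEM:(F)" "BUILTIN\Administrators:(F)"`.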
Metadata fields
The AxoRouter connector adds the following fields to the `meta` variable:

field | value
---|---
meta.connector.type | otlp
meta.connector.name | <name of the connector>
meta.product | windows