Windows host - agent based solution

Axoflow provides a customized OpenTelemetry Collector distribution to collect data from Microsoft Windows hosts.

Prerequisites

The Axoflow OpenTelemetry Collector supports the following Windows versions:

  • Windows Server 2025
  • Windows Server 2022
  • Windows 11
  • Windows 10

Installation

  1. Download the installation package for your platform from the Assets section of the release. We provide MSI installers and binary releases for amd64 and arm64 architectures.

  2. Run the installer. The installer installs:

    • the collector agent (by default) to C:\Program Files\Axoflow\OpenTelemetry Collector\axoflow-otel-collector.exe, and
    • a default configuration file (C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml) that must be edited before use.

Configuration

If you have already installed the agent, complete the following steps to configure it.

  1. Open the configuration file (C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml).

  2. Set the IP address and port of the AxoRouter host where you want to send data from this Windows host. Use the IP address and port of the AxoRouter OpenTelemetry connector (for example, 10.0.2.2:4317). Here’s how to find the IP address of your AxoRouter. (By default, every AxoRouter has an OpenTelemetry connector enabled.)

    exporters:
      otlp/axorouter:
        endpoint: 10.0.2.2:4317
        tls:
          insecure: true
    
  3. (Optional) Customize the Event log sources. The default configuration collects data from the following channels:

    • application,
    • security,
    • system.

    To include additional channels:

    1. Add a new windowseventlog receiver under the receivers section, like this:

      receivers:
        windowseventlog/<CHANNEL_NAME>:
          channel: <CHANNEL_NAME>
          raw: true
      
    2. Include the new receiver in a pipeline under the service.pipelines section, for example:

      service:
        pipelines:
          logs/eventlog:
            receivers: [windowseventlog/application, windowseventlog/system, windowseventlog/security, windowseventlog/<CHANNEL_NAME>]
            processors: [resource/agent, resourcedetection/system]
            exporters: [otlp/axorouter]
      
  4. (Optional) Configure collecting DNS logs from the host.

    1. Check the path of the DNS log file by running the following PowerShell command:

      (Get-DnsServerDiagnostics).LogFilePath
      
    2. Enter the path into the receivers.filelog/windows_dns_debug_log.include section of the configuration file. Note that you have to escape the backslashes in the path, for example, C:\\Windows\\System32\\DNS\\dns.log.

      receivers:
        filelog/windows_dns_debug_log:
          include: ['<ESCAPED_DNS_LOGFILE_PATH>']
          ...
      
  5. (Optional) Configure collecting DHCP logs from the host.

    1. Check the path of the DHCP log files by running the following PowerShell command:

      (Get-DhcpServerAuditLog).Path
      

      DHCP server log files usually start with the DhcpSrvLog (for IPv4) or the DhcpV6SrvLog (for IPv6) prefixes.

    2. Enter the path of the IPv4 log files without the filename into the receivers.filelog/windows_dhcp_server_v4_auditlog.include section of the configuration file.

      Note that you have to escape the backslashes in the path, for example, C:\\Windows\\System32\\DHCP\\.

      receivers:
        filelog/windows_dhcp_server_v4_auditlog:
          include: ['<ESCAPED_DHCP_SERVER_LOGS_PATH>\\DhcpSrvLog*']
          ...
      
        filelog/windows_dhcp_server_v6_auditlog:
          include: ['<ESCAPED_DHCPV6_SERVER_LOGS_PATH>\\DhcpV6SrvLog*']
          ...
      
    3. Enter the path of the IPv6 log files without the filename into the receivers.filelog/windows_dhcp_server_v6_auditlog.include section of the configuration file.

      Note that you have to escape the backslashes in the path, for example, C:\\Windows\\System32\\DHCP\\.

  6. Save the file.

  7. Restart the service.

    Restart-Service axoflow-otel-collector
    

    The agent starts sending data to the configured AxoRouter.

  8. Add the Windows host where you’ve installed the OpenTelemetry Collector to Axoflow Console as a data source.

    1. Open the Axoflow Console.

    2. Select Topology > + > Source.

      [Screenshot: Add appliance as source]

    3. Select Microsoft Windows as the type of the source.

      [Screenshot: Select data source]

    4. Set the IP address and the host name (FQDN) of the host.

    5. Select Create.

  9. Create a flow between the data source and the OpenTelemetry connector of AxoRouter. You can use the Select messages processing step (with the meta.connector.type = otlp and meta.product =* windows query) to route only the Windows data received by the AxoRouter OpenTelemetry connector to your destination.

    [Screenshot: Route Windows data that’s received by the AxoRouter OpenTelemetry connector to your destination]
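As an added example (not Axoflow's code or part of its documentation), the following PowerShell script automates configuration steps 1 to 7 above: it reads the DNS and DHCP log paths with the cmdlets shown, doubles the backslashes, substitutes the <ESCAPED_...> placeholders in config.yaml, reports any placeholder left unresolved and the plaintext TLS setting of the exporter, checks that the AxoRouter OTLP port is reachable, and restarts the service. It assumes the default install path, the placeholder names exactly as shown above, and the example endpoint 10.0.2.2:4317, which you replace with your own.

```powershell
# Added example, not part of the Axoflow documentation or product: fills in the
# DNS/DHCP placeholders of the installed config.yaml from this host's own settings,
# flags what is still unresolved, checks the AxoRouter OTLP port and restarts the
# collector. Run in an elevated PowerShell on the Windows host.
# Assumed: default install path, placeholder names as shown in the steps above,
# and an example AxoRouter endpoint that you replace with your own.
$ConfigPath        = 'C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml'
$AxoRouterEndpoint = '10.0.2.2:4317'   # example address from the docs

# Inside the single-quoted YAML include patterns every backslash must be doubled.
function ConvertTo-EscapedYamlPath([string]$Path) {
    return $Path.Replace('\', '\\')
}

Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$config = Get-Content -Path $ConfigPath -Raw

# DNS debug log file: the cmdlet exists only where the DNS Server role is installed.
if (Get-Command Get-DnsServerDiagnostics -ErrorAction SilentlyContinue) {
    $dnsLog = (Get-DnsServerDiagnostics).LogFilePath
    if ($dnsLog) {
        $config = $config.Replace('<ESCAPED_DNS_LOGFILE_PATH>', (ConvertTo-EscapedYamlPath $dnsLog))
    }
}

# DHCP audit log directory: the include patterns append '\\DhcpSrvLog*' themselves,
# so the directory is passed without a trailing backslash.
if (Get-Command Get-DhcpServerAuditLog -ErrorAction SilentlyContinue) {
    $dhcpDir = ConvertTo-EscapedYamlPath ((Get-DhcpServerAuditLog).Path.TrimEnd('\'))
    $config  = $config.Replace('<ESCAPED_DHCP_SERVER_LOGS_PATH>',   $dhcpDir)
    $config  = $config.Replace('<ESCAPED_DHCPV6_SERVER_LOGS_PATH>', $dhcpDir)
}

# Any <PLACEHOLDER> left in the file is a receiver that will never read anything.
$leftover = [regex]::Matches($config, '<[A-Z0-9_]+>') | ForEach-Object { $_.Value } | Sort-Object -Unique
if ($leftover) { Write-Warning "Unfilled placeholders remain: $($leftover -join ', ')" }

# The exporter example in the docs uses tls.insecure: true, i.e. plaintext OTLP/gRPC.
if ($config -match '(?m)^\s*insecure:\s*true') { Write-Warning 'Exporter TLS is disabled (insecure: true); logs leave this host unencrypted.' }

Set-Content -Path $ConfigPath -Value $config -NoNewline -Encoding UTF8

# Confirm the AxoRouter OTLP port answers before restarting, so a silent "no data" is caught here.
$routerHost, $routerPort = $AxoRouterEndpoint -split ':'
if (-not (Test-NetConnection -ComputerName $routerHost -Port ([int]$routerPort) -InformationLevel Quiet)) {
    Write-Warning "AxoRouter endpoint $AxoRouterEndpoint is not reachable from this host."
}

Restart-Service -Name axoflow-otel-collector
Get-Service -Name axoflow-otel-collector | Select-Object -Property Name, Status
```

The original file is kept as config.yaml.bak so the substitution can be diffed or rolled back.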

Metadata fields

The AxoRouter connector adds the following fields to the meta variable:

  field                  value
  meta.connector.type    otlp
  meta.connector.name    <name of the connector>
  meta.product           windows