Windows host - agent based solution

Axoflow provides a customized OpenTelemetry Collector distribution to collect data from Microsoft Windows hosts.

Prerequisites

The Axoflow OpenTelemetry Collector supports the following Windows versions:

  • Windows Server 2025
  • Windows Server 2022
  • Windows 11
  • Windows 10

Installation

  1. Download the installation package for your platform from the Assets section of the release. We provide MSI installers and binary releases for the amd64 and arm64 architectures.

  2. Run the installer. The installer installs:

    • the collector agent (by default) to C:\Program Files\Axoflow\OpenTelemetry Collector\axoflow-otel-collector.exe, and
    • a default configuration file (C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml) that must be edited before use.

Configuration

If you have already installed the agent, complete the following steps to configure it.

  1. Open the configuration file (C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml).

  2. Set the IP address and port of the AxoRouter host where you want to send data from this Windows host. Use the IP address and port of the AxoRouter OpenTelemetry connector (for example, 10.0.2.2:4317). Here’s how to find the IP address of your AxoRouter. (By default, every AxoRouter has an OpenTelemetry connector enabled.) Note that the insecure: true setting disables TLS on this connection, so the collected event logs are sent in clear text.

    exporters:
      otlp/axorouter:
        endpoint: 10.0.2.2:4317
        tls:
          insecure: true
    
  3. (Optional) Customize the Event Log channels to collect. The default configuration collects data from the following channels:

    • application,
    • security,
    • system.

    To include additional channels:

    1. Add a new windowseventlog receiver under the receivers section, like this:

      receivers:
        windowseventlog/<CHANNEL_NAME>:
          channel: <CHANNEL_NAME>
          raw: true
      
    2. Include the new receiver in a pipeline under the service.pipelines section, for example:

      service:
        pipelines:
          logs/eventlog:
            receivers: [windowseventlog/application, windowseventlog/system, windowseventlog/security, windowseventlog/<CHANNEL_NAME>]
            processors: [resource/agent, resourcedetection/system]
            exporters: [otlp/axorouter]
      
  4. (Optional) Configure collecting DNS logs from the host.

    1. Check the path of the DNS log file by running the following PowerShell command:

      (Get-DnsServerDiagnostics).LogFilePath
      
    2. Enter the path into the receivers.filelog/windows_dns_debug_log.include section of the configuration file. Note that you have to escape the backslashes in the path, for example, C:\\Windows\\System32\\DNS\\dns.log.

      receivers:
        filelog/windows_dns_debug_log:
          include: ['<ESCAPED_DNS_LOGFILE_PATH>']
          ...
      
  5. (Optional) Configure collecting DHCP logs from the host.

    1. Check the path of the DHCP log files by running the following PowerShell command:

      (Get-DhcpServerAuditLog).Path
      

      DHCP server log files usually start with the DhcpSrvLog (for IPv4) or the DhcpV6SrvLog (for IPv6) prefixes.

    2. Enter the path of the IPv4 log files without the filename into the receivers.filelog/windows_dhcp_server_v4_auditlog.include section of the configuration file.

      Note that you have to escape the backslashes in the path, and that the path must not end with a separator because the include pattern adds one, for example, C:\\Windows\\System32\\DHCP.

      receivers:
        filelog/windows_dhcp_server_v4_auditlog:
          include: ['<ESCAPED_DHCP_SERVER_LOGS_PATH>\\DhcpSrvLog*']
          ...
      
    3. Enter the path of the IPv6 log files without the filename into the receivers.filelog/windows_dhcp_server_v6_auditlog.include section of the configuration file. Usually this is the same directory as for the IPv4 log files.

      Note that you have to escape the backslashes in the path, for example, C:\\Windows\\System32\\DHCP.

      receivers:
        filelog/windows_dhcp_server_v6_auditlog:
          include: ['<ESCAPED_DHCPV6_SERVER_LOGS_PATH>\\DhcpV6SrvLog*']
          ...

  6. Save the file.

  7. Restart the service.

    Restart-Service axoflow-otel-collector
    

    The agent starts sending data to the configured AxoRouter.

  8. Add the Windows host where you’ve installed the OpenTelemetry Collector to Axoflow Console as a data source.

    1. Open the Axoflow Console.

    2. Select Topology > + > Source.

      Add appliance as source

    3. Select Microsoft Windows as the type of the source.

      Select data source

    4. Set the IP address and the host name (FQDN) of the host.

    5. Select Create.

  9. Create a flow between the data source and the OpenTelemetry connector of AxoRouter. You can use the Select messages processing step (with the meta.connector.type = otlp and meta.product =* windows query) to route only the Windows data received by the AxoRouter OpenTelemetry connector to your destination.

    Route Windows data that’s received by the AxoRouter OpenTelemetry connector to your destination

  10. (Optional) If you want the Windows host to collect data from other hosts without installing separate agents on them, you can configure remote event log collection.
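The local configuration steps above (AxoRouter endpoint, extra Event Log channels, DNS and DHCP log paths, service restart) as one PowerShell script. This is an added example, not a tool shipped with the Axoflow OpenTelemetry Collector: it regenerates config.yaml from discovered values after backing up the shipped file. The bodies of the resource/agent and resourcedetection/system processors, the logs/files pipeline name, the start_at setting, the -CaFile option and the Test-NetConnection check are assumptions of this example and are not taken from the page; compare the generated file with the backup before relying on it.

```powershell
# Added example, not part of the Axoflow distribution: regenerates the local
# collector's config.yaml from the values gathered in the steps above, backs up
# the shipped file and restarts the service.
# Assumptions (not from the page): the processor bodies, the logs/files
# pipeline name, start_at: end, and the -CaFile option.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string]$AxoRouterEndpoint,  # host:port of the AxoRouter OTLP connector, e.g. 10.0.2.2:4317
    [string]$CaFile,                                     # PEM CA that signed AxoRouter's certificate; omit to keep insecure: true
    [string[]]$ExtraChannels = @(),                      # e.g. 'Microsoft-Windows-Sysmon/Operational'
    [string]$ConfigPath = 'C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml'
)
$ErrorActionPreference = 'Stop'

# Fail early if the OTLP port is unreachable: no point restarting a collector that cannot export
$routerHost, $routerPort = $AxoRouterEndpoint -split ':', 2
if (-not (Test-NetConnection -ComputerName $routerHost -Port ([int]$routerPort) -InformationLevel Quiet)) {
    throw "Cannot reach the AxoRouter OTLP connector at $AxoRouterEndpoint"
}

# The page's convention for filelog include paths: every backslash doubled
function ConvertTo-EscapedPath([string]$Path) { return $Path.Replace('\', '\\') }

# Event Log receivers: the three default channels plus any extra ones. The receiver
# name is kept free of '/' (the type/name separator); the channel keeps its real name.
$receiverYaml = ''
$logReceivers = @()
foreach ($ch in @('application', 'security', 'system') + $ExtraChannels) {
    $name = 'windowseventlog/' + ($ch -replace '[^A-Za-z0-9_.-]', '_')
    $logReceivers += $name
    $receiverYaml += @"
  $($name):
    channel: $ch
    raw: true

"@
}

# DNS and DHCP logs: only configured where the server role cmdlets exist on this host
$fileReceivers = @()
if (Get-Command Get-DnsServerDiagnostics -ErrorAction SilentlyContinue) {
    $dnsLog = (Get-DnsServerDiagnostics).LogFilePath
    if ($dnsLog) {   # empty when DNS debug logging is not enabled
        $fileReceivers += 'filelog/windows_dns_debug_log'
        $receiverYaml += @"
  filelog/windows_dns_debug_log:
    include: ['$(ConvertTo-EscapedPath $dnsLog)']
    start_at: end

"@
    }
}
if (Get-Command Get-DhcpServerAuditLog -ErrorAction SilentlyContinue) {
    $dhcpDir = (Get-DhcpServerAuditLog).Path.TrimEnd('\')   # directory only, no trailing separator
    foreach ($fam in @(@{ v = 'v4'; prefix = 'DhcpSrvLog' }, @{ v = 'v6'; prefix = 'DhcpV6SrvLog' })) {
        $fileReceivers += "filelog/windows_dhcp_server_$($fam.v)_auditlog"
        $receiverYaml += @"
  filelog/windows_dhcp_server_$($fam.v)_auditlog:
    include: ['$(ConvertTo-EscapedPath $dhcpDir)\\$($fam.prefix)*']
    start_at: end

"@
    }
}

# TLS: insecure: true is plaintext OTLP; a CA file gives an authenticated, encrypted link.
# ca_file is emitted as a YAML double-quoted scalar, where \\ is the escape for one backslash.
$tlsYaml = '      insecure: true'
if ($CaFile) { $tlsYaml = "      ca_file: `"$(ConvertTo-EscapedPath $CaFile)`"" }

$pipelineYaml = @"
    logs/eventlog:
      receivers: [$($logReceivers -join ', ')]
      processors: [resource/agent, resourcedetection/system]
      exporters: [otlp/axorouter]
"@
if ($fileReceivers.Count -gt 0) {
    $pipelineYaml += @"

    logs/files:
      receivers: [$($fileReceivers -join ', ')]
      processors: [resource/agent, resourcedetection/system]
      exporters: [otlp/axorouter]
"@
}

$config = @"
receivers:
$receiverYaml
processors:
  # Assumed bodies; compare with the backup of the shipped config.yaml
  resource/agent:
    attributes:
      - key: axoflow.agent
        value: axoflow-otel-collector
        action: insert
  resourcedetection/system:
    detectors: [system]

exporters:
  otlp/axorouter:
    endpoint: $AxoRouterEndpoint
    tls:
$tlsYaml

service:
  pipelines:
$pipelineYaml
"@

Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
# Write without a BOM so the YAML parser sees a clean file
[IO.File]::WriteAllText($ConfigPath, $config, [Text.UTF8Encoding]::new($false))
Restart-Service axoflow-otel-collector
Get-Service axoflow-otel-collector | Select-Object Name, Status
```

Run it as .\Set-AxoflowCollectorConfig.ps1 -AxoRouterEndpoint 10.0.2.2:4317 -ExtraChannels 'Microsoft-Windows-Sysmon/Operational' (the script name is this example's). Without -CaFile the script keeps the page's insecure: true exporter; pass the CA that signed the AxoRouter connector's certificate to get an encrypted, authenticated link instead.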

Collect event logs of remote sources

Once you’ve deployed the Axoflow OpenTelemetry Collector on a Windows host, you can configure it to collect event logs from remote Windows hosts and forward them to AxoRouter, without having to install it on these hosts. Complete the following steps.

  1. Open the configuration file of Axoflow OpenTelemetry Collector (C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml).

  2. Add a remote section to your windowseventlog receiver, like this:

    receivers:
      windowseventlog:
        channel: application
        remote:
    
  3. Add the credentials that the Axoflow OpenTelemetry Collector can use to access the remote Windows host. The password is stored in clear text in config.yaml, so use a dedicated account that has only the rights needed to read event logs on the remote hosts (for example, a member of the Event Log Readers group) and restrict who can read the configuration file.

    receivers:
      windowseventlog:
        channel: application
        remote:
          - credentials:
              username: "my-log-collector-user"
              password: "my-password"
              domain: "authentication-domain"
    
  4. Add the address of the remote host under the servers key. If the same credentials can be used to access multiple hosts, you can list them.

    receivers:
      windowseventlog:
        channel: application
        remote:
          - credentials:
              username: "my-log-collector-user"
              password: "my-password"
              domain: "authentication-domain"
            servers:
              - "remote-server-1"
              - "remote-server-2"
    
  5. You can repeat the credentials block to configure other remote hosts with other credentials, for example:

    receivers:
      windowseventlog:
        channel: application
        remote:
          - credentials:
              username: "my-log-collector-user"
              password: "my-password"
              domain: "authentication-domain"
            servers:
              - "remote-server-1"
              - "remote-server-2"
          - credentials:
              username: "my-other-log-collector-user"
              password: "my-other-password"
              domain: "authentication-domain"
            servers:
              - "remote-server-3"
              - "remote-server-4"
    
  6. Save the file.

  7. Restart the service.

    Restart-Service axoflow-otel-collector
    

    The agent starts sending data to the configured AxoRouter.

  8. Add the newly configured hosts to the Axoflow Console. Open the Topology page, select + Source > Detected. The new sources will appear here when AxoRouter starts receiving their logs. Alternatively, you can start log tapping on the AxoRouter that receives the event logs, find the new hosts, and click Register source.
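Before writing a collection account's password into config.yaml for the remote steps above, it is worth checking that the account can actually read the remote logs. The following PowerShell script is an added example, not part of the Axoflow distribution: it tests RPC reachability and a one-event read on each host with Get-WinEvent, prints the remote fragment in the layout shown above for the hosts that passed, and then restricts the ACL on config.yaml. The assumption that the service runs as LocalSystem, the firewall rule group name and the icacls grants are this example's, not the page's.

```powershell
# Added example, not part of the Axoflow distribution: checks that a remote
# collection account can read event logs on each target before its password is
# written into config.yaml, prints the matching remote fragment, and restricts
# who can read the file. Assumes (not stated on the page) that the service runs
# as LocalSystem; adjust the icacls grant if it runs under another account.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string[]]$Servers,   # e.g. 'remote-server-1', 'remote-server-2'
    [string]$ConfigPath = 'C:\Program Files\Axoflow\OpenTelemetry Collector\config.yaml'
)
$ErrorActionPreference = 'Stop'

# Enter the account as DOMAIN\user (GetNetworkCredential splits domain and user from
# that form). It only needs to read event logs, so use a dedicated member of the
# target hosts' Event Log Readers group, not an administrator.
$cred = Get-Credential -Message 'Remote event log collection account (DOMAIN\user)'
$net  = $cred.GetNetworkCredential()

$validated = @()
foreach ($server in $Servers) {
    # Remote event log access uses RPC; 135/tcp is the endpoint mapper
    if (-not (Test-NetConnection -ComputerName $server -Port 135 -InformationLevel Quiet)) {
        Write-Warning "${server}: 135/tcp unreachable; enable the 'Remote Event Log Management' firewall rule group on the target"
        continue
    }
    try {
        # The same kind of read the collector will perform: one event from the Application channel
        $null = Get-WinEvent -ComputerName $server -Credential $cred -LogName Application -MaxEvents 1
        $validated += $server
        Write-Host "${server}: OK"
    } catch {
        Write-Warning "${server}: cannot read the Application log as $($cred.UserName): $($_.Exception.Message)"
    }
}
if ($validated.Count -eq 0) { throw 'No remote host validated; nothing to add to config.yaml' }

# YAML double-quoted scalars: escape backslash and double quote in the password
$password    = $net.Password.Replace('\', '\\').Replace('"', '\"')
$serverLines = ($validated | ForEach-Object { "          - `"$_`"" }) -join "`n"

# Fragment in the layout used above; merge it into the windowseventlog receiver in config.yaml
@"
receivers:
  windowseventlog:
    channel: application
    remote:
      - credentials:
          username: "$($net.UserName)"
          password: "$password"
          domain: "$($net.Domain)"
        servers:
$serverLines
"@

# The password is now in clear text on disk: drop inherited ACEs and leave read
# access to SYSTEM (the service) and full control to Administrators only.
& icacls $ConfigPath /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
(Get-Acl $ConfigPath).Access | Select-Object IdentityReference, FileSystemRights
```

The fragment is printed rather than written so that you can merge it into the existing windowseventlog receiver by hand; hosts that fail the reachability or read check are left out, which is usually a missing firewall rule or an account that is not in Event Log Readers on that host.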

Metadata fields

The AxoRouter connector adds the following fields to the meta variable:

  Field                  Value
  meta.connector.type    otlp
  meta.connector.name    <name of the connector>
  meta.product           windows