Logging with Windows VPC server instances

Use the IBM® Log Analysis service to monitor and manage logs from a Windows VPC server instance in a centralized logging system on the IBM Cloud.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. IBM Cloud Logs will become generally available during the summer of 2024 in Frankfurt and Madrid with day-one support for EU-managed controls. The service will continue its worldwide multizone region (MZR) roll-out through 3Q2024. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.

You can collect and monitor system and application logs.

NXLog is used to provide log files to IBM® Log Analysis.

To configure NXLog, you must enable a port to send logs via syslog to your logging instance. If you are using (a) the classic syslog protocol, (b) a custom port in syslog-ng, or (c) a custom port in rsyslog, there is no authentication available and anyone with knowledge of the endpoint can submit logs to your instance. As a result, depending on your environment, your use of the classic syslog protocol or custom port configurations with syslog-ng or rsyslog may present a significant security risk. Use these configurations at your organization's own risk. Validate with your compliance and security teams whether this security risk is acceptable to your organization.

By default, NXLog monitors log files in the C:\ProgramData\logs directory.

On the IBM Cloud, configure a Windows server to forward logs to an IBM Log Analysis instance by completing the following steps:

  1. Provision a VPC running Windows.
  2. Provision an instance of the IBM Log Analysis service.
  3. Configure NXLog on the Windows server.
  4. Optionally, add additional directories to be monitored by the agent.

Figure 1. Component overview on the IBM Cloud

In this tutorial, you will learn how to configure a Windows server to forward logs to an IBM Log Analysis instance.

In this tutorial you will configure a Windows VPC server. See Logging with Windows Server systems for a tutorial on configuring an existing Windows Server system.

Before you begin

Read about IBM Log Analysis. For more information, see About.

Work in a supported region.

You can send data from a Windows instance that is located in the same region as your logging instance, in a different region, or outside the IBM Cloud.

Use a user ID that is a member, or an owner of, an IBM Cloud account. To get an IBM Cloud IBMID, go to: Create an account.

Your IBMID must have assigned IAM policies for each of the following resources in the region that your IBM Log Analysis instance is in:

Table 1. List of IAM policies required to complete the tutorial

Resource: Resource group "default"
  Scope of the access policy: Resource group
  Role: Viewer
  Region: us-south
  Information: This policy is required to allow the user to see service instances in the Default resource group.

Resource: IBM Log Analysis service
  Scope of the access policy: Resource group
  Role: Editor
  Region: us-south
  Information: This policy is required to allow the user to provision and administer the IBM Log Analysis service in the Default resource group.

The IBM Cloud CLI must be installed. For more information, see Installing the IBM Cloud CLI.

Provision a Windows VPC server instance

If you have an existing Windows virtual server instance you want to monitor, you can skip this step.

  1. If you don't have a virtual private cloud, use the IBM Cloud console to create VPC resources.

  2. If you don't have a Windows virtual server instance, create a Windows virtual server instance by using the UI and selecting Windows Server as the Operating system.

Provision an IBM Log Analysis instance

To provision an instance of IBM Log Analysis through the IBM Cloud UI, complete the following steps:

  1. Log in to your IBM Cloud account.

    Click Log in to IBM Cloud to sign in to the IBM Cloud.

    After you log in with your user ID and password, the IBM Cloud console opens.

  2. Click Catalog. The list of the services that are available in IBM Cloud opens.

  3. Select the Logging and Monitoring category.

  4. Click the IBM Log Analysis tile.

  5. Select a region for the service instance.

  6. Select the Lite service plan.

    By default, the Lite plan is set.

    For more information about other service plans, see Pricing plans.

  7. Specify a Service name for your IBM Log Analysis service instance.

  8. Select the Default resource group.

    By default, the Default resource group is set.

  9. To provision the IBM Log Analysis service in the IBM Cloud selected resource group, click Create.

After you provision an instance, the IBM Log Analysis dashboard opens.

To provision an instance of logging through the CLI, see Provisioning logging through the IBM Cloud CLI.

Access your Windows instance

Use a remote desktop client to access your Windows instance. To do so you will need to do the following:

  1. Make sure the security group that is associated with the instance allows inbound and outbound Remote Desktop Protocol traffic (TCP port 3389). This is required for the remote desktop client to connect to your Windows instance.

    1. Log in to your IBM Cloud account.

      Click Log in to IBM Cloud to sign in to the IBM Cloud.

      After you log in with your user ID and password, the IBM Cloud console opens.

    2. Click the Menu icon > VPC Infrastructure.

    3. Click Security groups.

    4. Click the security group you used to create your Windows VPC. The Security group details page opens.

    5. Click Rules.

    6. Create an Inbound rule with the following values:

      • Protocol = TCP
      • Port = Any
      • Port min = 3389
      • Port max = 3389
      • Source type = Any
    7. Create an Outbound rule with the following values:

      • Protocol = TCP
      • Port = Any
      • Port min = 3389
      • Port max = 3389
      • Source type = Any
  2. Obtain the connection information you need to connect to the Windows VPC.

    1. Click Virtual server instances.

    2. Click the name of your Windows VPC instance. The instance details are displayed.

    3. Under Encrypted password click Download RDP file. A file that can be used with Windows Remote Desktop will be downloaded.

      If you are using another client to connect to your Windows VPC, you can still use the information contained in the RDP file to get the connection information for the VPC.

  3. Connect to your Windows VPC using a remote desktop client and the RDP file information. Sign in with the User name .\Administrator and the decrypted SSH key as the password.

Install NXLog

Follow these steps to install NXLog.

You will need to run as a Windows Administrator for all command prompt or PowerShell steps.

  1. The Chocolatey package manager is used to install NXLog. If you do not already have the package manager installed, run one of the following.

    From a Windows command prompt (cmd.exe):

    powershell -command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
    

    From a PowerShell prompt:

    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    
  2. Run the following command in PowerShell to install NXLog Community Edition.

    choco install -y nxlog
    

Configure NXLog

  1. Provision a syslog port for NXLog.

    To get the required port value, do the following:

    1. Access the IBM Log Analysis UI.
    2. Click the question mark icon to access the installation instructions.
    3. Click NXLog.
    4. The syslog port you need to provision in Windows will be displayed. For example, syslog-a.us-south.logging.cloud.ibm.com:63980.

    Then, in Windows, do the following:

    1. From the Control Panel access System and Security > Windows Defender Firewall.
    2. Click Advanced settings.
    3. Click Inbound Rules.
    4. Click New Rule.
    5. Select Port.
    6. Click Next.
    7. For Specific local ports: enter 63980.
    8. Click Next.
    9. Select Allow the connection.
    10. Click Next.
    11. Select where the rule should apply.
    12. Click Next.
    13. Name the rule. For example, syslog-a.us-south.logging.cloud.ibm.com:63980.
    14. Click Finish.
  2. Create your nxlog.conf file.

    1. Get the provided nxlog.conf file:

      1. Access the IBM Log Analysis UI.
      2. Click the question mark icon to access the installation instructions.
      3. Click NXLog.
      4. Click Download the file to download a copy of the provided nxlog.conf file.
    2. Customize the nxlog.conf to meet your needs.

      • The <Input eventlog> section specifies the logging channels to be captured. To enable a logging channel, uncomment the desired lines. To disable a logging channel, comment out those lines.

      • LOGFOLDER specifies the folder to stream logs from. Check that the File '%LOGFOLDER%\\*.log' value is correct for your system as well.

      • Input, processor, and output channels are connected in the <Route> block. Comment out this block to remove the route and disable logging from this channel. Add new input modules with unique names to enable logging from new sources.

    3. Copy the nxlog.conf file as <NXLOGDIR>\conf\nxlog.conf where <NXLOGDIR> is the directory where you installed NXLog. For example, C:\Program Files (x86)\nxlog\

  3. Download the LogDNA SSL Certificate Authority file. This can be done in one of the following ways.

    • Run the following PowerShell script where <NXLOGDIR> is the directory where you installed NXLog.

      $url = "https://assets.us-south.logging.cloud.ibm.com/rootca/ld-root-ca.crt"
      $output = "<NXLOGDIR>\cert\ca.pem"
      (New-Object System.Net.WebClient).DownloadFile($url, $output)
      
    • Use the link in the installation information to download and install the Root CA Certificate.

      1. Access the IBM Log Analysis UI.
      2. Click the question mark icon to access the installation instructions.
      3. Click NXLog.
      4. Click Download Root CA Certificate to download a copy of the certificate.
      5. Copy the certificate to <NXLOGDIR>\cert\ca.pem, where <NXLOGDIR> is the directory where NXLog is installed.
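As an added illustration of the three customisation points listed under "Customize the nxlog.conf" (this is not the nxlog.conf that the IBM Log Analysis UI provides; take that file from the download), a minimal configuration that wires an Event Log input and a file input through TLS to the provisioned syslog port. The install directory and the channel names are assumptions; the endpoint and port are the example values shown on this page.

```conf
## Illustrative nxlog.conf (added example, not IBM's downloaded file). Assumed
## install dir; endpoint and port are the example values shown on the page.
define ROOT      C:\Program Files (x86)\nxlog
define CERTDIR   %ROOT%\cert
define LOGFOLDER C:\ProgramData\logs

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

## Event Log channels: uncomment a <Select> to capture it, comment it out to drop it.
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <!-- <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> -->
            </Query>
        </QueryList>
    </QueryXML>
</Input>

## Files under LOGFOLDER; add another im_file block with a unique name for each extra folder.
<Input file>
    Module im_file
    File '%LOGFOLDER%\\*.log'
</Input>

## TLS to the provisioned syslog port; the server chain is checked against the downloaded root CA.
<Output out>
    Module om_ssl
    Host syslog-a.us-south.logging.cloud.ibm.com
    Port 63980
    CAFile %CERTDIR%\ca.pem
    AllowUntrusted FALSE
    Exec to_syslog_ietf();
</Output>

## The route joins inputs to the output; comment it out to stop forwarding from all of them.
<Route r>
    Path eventlog, file => out
</Route>
```

Keep AllowUntrusted at FALSE: setting it to TRUE makes NXLog accept any server certificate and silently defeats the purpose of the CA file downloaded in step 3.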

Run NXLog

Run the following in PowerShell from the directory where you installed NXLog.

.\nxlog.exe

Run the following in PowerShell from the directory where you installed NXLog to stop the service.

.\nxlog.exe --stop
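If NXLog starts but nothing reaches the dashboard, the following PowerShell check isolates the TLS path from the agent: it opens a connection to the syslog endpoint and accepts the server chain only if it terminates at the root CA downloaded in the previous section and the certificate name matches the host. This is an added check, not part of IBM's instructions or of NXLog; it assumes the CA was saved under C:\Program Files (x86)\nxlog\cert\ca.pem and uses the endpoint and port shown as examples on this page.

```powershell
# Added check, not part of IBM's instructions: open a TLS session to the syslog
# endpoint and accept the server chain ONLY if it ends at the downloaded root CA
# and the certificate name matches the host. Assumed NXLog install dir; host and
# port are the example values shown on the page.
$CaPath = "C:\Program Files (x86)\nxlog\cert\ca.pem"
$Target = "syslog-a.us-south.logging.cloud.ibm.com"
$Port   = 63980

$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)

$validate = {
    param($sender, $cert, $chain, $policyErrors)
    $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    if ($policyErrors -band $nameMismatch) { Write-Warning "Certificate name does not match $Target"; return $false }

    # Rebuild the chain with the received intermediates plus our CA, then require
    # that the anchor actually is our CA (AllowUnknownCertificateAuthority alone
    # would also accept any other self-signed root). Revocation is not checked here.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    foreach ($el in $chain.ChainElements) { [void]$c.ChainPolicy.ExtraStore.Add($el.Certificate) }
    [void]$c.ChainPolicy.ExtraStore.Add($rootCa)
    $c.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $c.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built  = $c.Build($leaf)
    $anchor = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    if (-not $built -or $anchor.Thumbprint -ne $rootCa.Thumbprint) {
        Write-Warning "Chain does not end at '$($rootCa.Subject)'; got '$($anchor.Subject)'"
        return $false
    }
    return $true
}.GetNewClosure()

$tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
try {
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]$validate
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($Target)   # throws if the callback returns $false
    "TLS {0} to {1}:{2} OK; server cert '{3}' expires {4}" -f $ssl.SslProtocol, $Target, $Port, $ssl.RemoteCertificate.Subject, $ssl.RemoteCertificate.GetExpirationDateString()
} catch {
    Write-Error "TLS validation failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

A failure here with a valid CA file usually means egress to port 63980 is blocked or the certificate was saved in the wrong format, which NXLog's own log (LogFile in nxlog.conf) will also report.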

Launch the logging Web UI

To launch the IBM Log Analysis dashboard from the IBM Cloud UI, complete the following steps:

  1. Log in to your IBM Cloud account.

    Click IBM Cloud dashboard to launch the IBM Cloud dashboard.

    After you log in with your user ID and password, the IBM Cloud Dashboard opens.

  2. In the navigation menu, select Observability.

  3. Click Logging.

    The list of IBM Log Analysis instances that are available on IBM Cloud is displayed.

  4. Select one instance. Then, click Open dashboard.

    The logging Web UI opens and displays your cluster logs.

View your logs

From the logging Web UI, you can view your logs as they pass through the system. You view logs by using log tailing.

With the Free service plan, you can only tail your latest logs.

Due to Windows limitations, when the Windows VPC instance is created, the hostname is truncated to the first 15 characters of the instance name. The Windows hostname is included as the Hostname in the IBM Log Analysis log lines.

For example, if you created a Windows VPC named my-cloud-windows-vpc-instance then the hostname created in Windows Server, and displayed in the logs, will be my-cloud-window.

You can filter the log lines displayed in IBM Log Analysis by entering queries in the Search... box.

Table 2. Example queries

Search for: host:<WINDOWS_HOSTNAME> (EventType:INFO OR Severity:INFO)
  Returns: All log lines with an event type or severity of INFO

Search for: host:<WINDOWS_HOSTNAME> (EventType:warn OR Severity:WARNING)
  Returns: All log lines with an event type of warn or a severity of WARNING

Search for: host:<WINDOWS_HOSTNAME> Severity:ERROR
  Returns: All log lines with a severity of ERROR

Where <WINDOWS_HOSTNAME> is the hostname of your Windows VPC server instance.

For more information, see Viewing logs.

Next steps

The following additional features are available:

To use any of these features, you must upgrade the IBM Log Analysis plan to a paid plan.