Skip to main content
Skip table of contents

Collect Local Event Logs with the Server Service Disabled

  LogRhythm requires the Windows Server service to be enabled to collect Event logs. However, some deployments have a site-specific requirement to disable the service. To collect local Event logs when the Windows Server service is disabled, the [hostname] or localhost must be specified.

Remote Event log collection is NOT possible unless the Windows Server service is running.

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Sources tab.

  3. In the lower grid, select the Action check box of the Log Entity you want, right-click it, and click Properties.

  4. Click the Flat File Settings tab.

  5. Fill in the File Path field. The Client Console assigns the machine name portion of the File Path based on the Log Message Source Host.

    • If the Windows host is known, the host name is used. Example: LR-0870EW-MS:System.

    • If the host name is unknown, the IP address is used. Example: 10.1.1.164:System. In this case, you must change the machine name to local or localhost because you cannot use an IP address. Example: Change 10.1.1.164:System to localhost:System. The only IP address exception is 127.0.0.1, which is mapped to localhost by the Agent. These File Path names and examples are acceptable:

      • localhost:[Event Log Name]
      • [Hostname]:[Event Log Name]
      • 127.0.0.1:[Event Log Name]
      • ::1:[Event Log Name]

    • This File Path would not be valid: [IP Address]:[Event Log Name]

  6. Click OK.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close