Windows Event Log

Supported pipeline types:
  • Data Collector Edge

The Windows Event Log origin reads data from a Microsoft Windows event log located on a Windows machine. The origin generates a record for each event in the log.

Use the Windows Event Log origin only in pipelines configured for edge execution mode. Run the pipeline on StreamSets Data Collector Edge (SDC Edge) installed on the Windows machine.

For example, you might use the Windows Event Log origin in an edge pipeline to read logs from a farm of Windows web or application servers. You install SDC Edge on each Windows machine that you want to read the logs from, and run the edge pipeline on each SDC Edge installation. You design the edge pipeline to pass the log data to a Data Collector receiving pipeline that runs on StreamSets Data Collector. The Data Collector receiving pipeline performs more complex processing on the data, and then writes the data to a big data system such as Hadoop. You can then analyze the data to detect security violations such as insider threats or unauthorized access to the Windows machines.

When you configure the Windows Event Log origin, you specify the Windows event log to read from. You also specify whether the origin reads all events in the log or whether it reads only new events that occur after the pipeline starts.

You configure the origin to use either the Event Logging API or the Windows Event Log API to read from the log. The Event Logging API is the legacy Windows interface and reads only the classic logs (Application, Security, System, and similar). The Windows Event Log API, introduced in Windows Vista, reads any channel, including the modern Microsoft-Windows-*/Operational channels, so use it when the log you need is not one of the classic logs.

When the pipeline stops, the Windows Event Log origin notes where it stopped reading. When the pipeline starts again, the origin continues processing from the last-saved offset. You can reset the origin to process all events in the log; note that a reset sends events that were already delivered downstream again.
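The following PowerShell pre-flight check is an added example, not code from StreamSets or from this page. It is meant to be run once, in an elevated session, on the Windows machine where SDC Edge will run: it lists which logs each of the two APIs can see, confirms that the account can open the log the origin will read (assumed here to be Security), and reproduces the resume-from-offset behaviour with an EventRecordID filter. The variable names and the Security log choice are assumptions; adjust $LogName to the log you configure in the origin.

```powershell
# Added pre-flight check for a host that will run a Windows Event Log origin.
# Not StreamSets code. Run as Administrator in Windows PowerShell 5.1
# (Get-EventLog is not available in PowerShell 7; Get-WinEvent is in both).
# Assumed: the origin will read the Security log; change $LogName as needed.
$LogName = 'Security'

# 1. Classic logs visible through the legacy Event Logging API.
#    This is the view the origin gets when configured for that API:
#    only Application, Security, System and other classic logs appear.
Write-Host 'Logs readable via the Event Logging API:'
Get-EventLog -List |
    Select-Object Log, @{ n = 'Entries'; e = { $_.Entries.Count } }, OverflowAction |
    Format-Table -AutoSize

# 2. Every channel visible through the Windows Event Log API (Vista and later).
#    Modern channels such as Microsoft-Windows-Sysmon/Operational or
#    Microsoft-Windows-PowerShell/Operational exist only here.
Write-Host 'Channels readable via the Windows Event Log API (enabled, non-empty):'
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Select-Object LogName, RecordCount, LogMode, IsClassicLog |
    Sort-Object LogName |
    Format-Table -AutoSize

# 3. Confirm the account that will run SDC Edge can open the target log.
#    Reading Security requires membership in Administrators or Event Log Readers;
#    if this read fails, the origin running as the same account produces nothing.
$latest = $null
try {
    $latest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop
    Write-Host ('Newest {0} record: RecordId={1} Id={2} {3}' -f `
        $LogName, $latest.RecordId, $latest.Id, $latest.TimeCreated)
} catch {
    Write-Warning "Cannot read '$LogName' as $env:USERNAME : $($_.Exception.Message)"
}

# 4. Reproduce the origin's resume-from-offset behaviour. The event log assigns a
#    monotonically increasing EventRecordID to each event, so "continue after the
#    last-saved offset" is equivalent to this XPath filter. $SavedOffset stands in
#    for the offset the origin persists when the pipeline stops (assumed value:
#    five records behind the newest, so the query returns at most five events).
if ($latest) {
    $SavedOffset = [Math]::Max(0, $latest.RecordId - 5)
    Write-Host "Events newer than saved offset $SavedOffset :"
    Get-WinEvent -LogName $LogName `
        -FilterXPath "*[System[EventRecordID > $SavedOffset]]" `
        -ErrorAction SilentlyContinue |
        Select-Object RecordId, Id, TimeCreated, ProviderName |
        Format-Table -AutoSize
}
```

If step 1 lists the log you need but step 2 does not, or vice versa, pick the matching API in the origin configuration. If step 3 warns, fix the account's group membership before starting the edge pipeline rather than after, since a permission failure surfaces there as an empty origin rather than an error.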

For more information about installing SDC Edge, designing edge pipelines, and running and maintaining edge pipelines, see Meet StreamSets Data Collector Edge and Edge Pipelines Overview.