
Windows servers and workstations form the backbone of many enterprise environments, but monitoring them effectively can be challenging. From critical system events to performance metrics, Windows generates a wealth of telemetry data that—when properly collected and analyzed—can provide invaluable insights into system health, security posture, and performance bottlenecks.

In this comprehensive guide, we'll explore how to implement complete Windows monitoring using OpenObserve. We'll cover two powerful approaches: the streamlined OpenObserve agent for quick deployment and the customizable OpenTelemetry Collector for advanced configurations. Whether you're troubleshooting system issues, tracking security events, or monitoring performance metrics, this guide will help you gain full visibility into your Windows environment.

Understanding Windows Monitoring Data

Windows systems generate several types of monitoring data that are essential for maintaining system health and security:

Windows Event Logs

Windows Event Logs are organized into channels, with the most common ones being:

  • Application: Records events from applications and programs
  • Security: Contains security-related events like login attempts and security policy changes
  • System: Tracks system events such as driver failures and hardware changes
  • Setup: Records events related to application setup
  • Forwarded Events: Contains events collected from remote computers

Each event in these logs contains several key components:

  • Timestamp: When the event occurred
  • Event ID: A unique identifier for the type of event
  • Level: The severity of the event (Information, Warning, Error, Critical)
  • Source: The application, service, or component that generated the event
  • Description: A detailed message about what happened

Windows Event Logs provide invaluable insights that serve multiple purposes across IT operations. They enable early problem detection by revealing issues before they impact users, strengthen security monitoring by tracking unauthorized access attempts, support compliance requirements by maintaining audit trails, facilitate troubleshooting by providing detailed diagnostic information, and enable performance analysis by tracking resource utilization patterns.

Here's a sample Windows Event Log record as captured by OpenTelemetry:

{
  "_timestamp": 1743779634244849,
  "body_channel": "Application",
  "body_computer": "DESKTOP-EB5G184",
  "body_event_data_data": "[{\"\":\"Service stopped\"}]",
  "body_event_id_id": "0",
  "body_event_id_qualifiers": "0",
  "body_execution_process_id": "4656",
  "body_execution_thread_id": "0",
  "body_keywords": "[\"0x80000000000000\"]",
  "body_level": "4",
  "body_message": "",
  "body_opcode": "0",
  "body_provider_event_source": "",
  "body_provider_guid": "",
  "body_provider_name": "brave",
  "body_record_id": "30058",
  "body_system_time": "2025-04-04T15:13:54.2448490Z",
  "body_task": "0",
  "dropped_attributes_count": 0,
  "host_name": "DESKTOP-EB5G184",
  "os_type": "windows",
  "severity": "INFO"
}

Windows Performance Metrics

Beyond event logs, Windows provides detailed performance metrics through Windows Performance Counters. These metrics track:

  • CPU Usage: Processor time, queue length, and interrupts
  • Memory: Available memory, page faults, and cache usage
  • Disk I/O: Read/write operations, queue length, and latency
  • Network: Bytes sent/received, connection rates, and errors
  • Process-specific metrics: Resource usage by individual processes

Monitoring these metrics helps identify performance bottlenecks, capacity issues, and resource constraints before they impact users.

Setting Up Windows Monitoring with OpenObserve

OpenObserve offers two powerful approaches for Windows monitoring:

  1. OpenObserve Agent: A streamlined, all-in-one solution for quick deployment
  2. OpenTelemetry Collector: A customizable approach for advanced configurations

Let's explore both options, starting with the recommended and simplest approach.

Option 1: Using the OpenObserve Agent (Recommended)

The OpenObserve agent provides a simple, one-command installation that automatically collects both Windows Event Logs and Performance Metrics.

Prerequisites

Before we begin, ensure you have:

  1. A Windows machine (Windows 10/11 or Windows Server)
  2. Administrator access to install and configure services
  3. Access to an OpenObserve instance (cloud or self-hosted)

Installation

To install the OpenObserve agent:

  1. Log in to your OpenObserve instance
  2. Navigate to Data Sources → Recommended → Windows


  3. Copy the provided PowerShell command
  4. Open PowerShell as Administrator and execute the command:
Invoke-WebRequest -Uri https://raw.githubusercontent.com/openobserve/agents/main/windows/install.ps1 -OutFile install.ps1 ; .\install.ps1 -URL https://your-openobserve-instance.com/api/default/ -AUTH_KEY YOUR_API_KEY

That's it! The agent will automatically:

  • Install as a Windows service that starts automatically
  • Collect logs from Windows Event Log (Application, System, Security)
  • Collect metrics from Windows Performance Counters
  • Forward all data to your OpenObserve instance

What's Being Collected

The OpenObserve agent collects:

Event Logs:

  • Application logs
  • System logs
  • Security logs

Performance Metrics:

  • CPU usage (total and per core)
  • Memory usage and availability
  • Disk I/O and space utilization
  • Network traffic and errors
  • Process-level metrics

Option 2: Using the OpenTelemetry Collector

For more advanced configurations or if you're already using OpenTelemetry in your environment, you can use the OpenTelemetry Collector with the Windows Event Log Receiver.

Step 1: Setting Up the OpenTelemetry Collector

First, let's set up the OpenTelemetry Collector:

# Create a directory for the collector
New-Item -Path "C:\otel-collector" -ItemType Directory -Force
cd C:\otel-collector

# Download the latest collector contrib distribution
Invoke-WebRequest -Uri "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v0.115.0/otelcol-contrib_0.115.0_windows_amd64.tar.gz" -OutFile "otelcol-contrib.tar.gz"

# Extract the archive
tar -xzf otelcol-contrib.tar.gz

Step 2: Configure the OpenTelemetry Collector

Create a file named config.yaml in the C:\otel-collector directory with the following content:

receivers:
  windowseventlog/application:
    channel: application
  windowseventlog/system:
    channel: system
  windowseventlog/security:
    channel: security
  windowsperfcounters:
    collection_interval: 30s
    # Each counter is an object with a name key; recent collector versions reject plain strings here.
    perfcounters:
      - object: "Processor"
        instances: ["*"]
        counters:
          - name: "% Processor Time"
      - object: "Memory"   # the Memory object has no instances
        counters:
          - name: "Available Bytes"
          - name: "Committed Bytes"
      - object: "LogicalDisk"
        instances: ["*"]
        counters:
          - name: "% Free Space"
          - name: "Avg. Disk Queue Length"
      - object: "Network Interface"
        instances: ["*"]
        counters:
          - name: "Bytes Received/sec"
          - name: "Bytes Sent/sec"

processors:
  batch:
    send_batch_size: 1024
    timeout: 10s
  resourcedetection:
    detectors: [system]
    system:
      hostname_sources: ["os"]

exporters:
  otlphttp/openobserve:
    endpoint: "https://your-openobserve-instance.com/api/default"
    headers:
      Authorization: "Basic YOUR_API_KEY"
      stream-name: "windows-events"
  debug:
    verbosity: detailed

service:
  pipelines:
    logs:
      receivers: [windowseventlog/application, windowseventlog/system, windowseventlog/security]
      processors: [resourcedetection, batch]
      exporters: [otlphttp/openobserve, debug]
    metrics:
      receivers: [windowsperfcounters]
      processors: [resourcedetection, batch]
      exporters: [otlphttp/openobserve, debug]
  telemetry:
    logs:
      level: "info"

Replace https://your-openobserve-instance.com/api/default with your OpenObserve endpoint and YOUR_API_KEY with your actual API key.

Step 3: Run the OpenTelemetry Collector

Run the collector using the following command:

.\otelcol-contrib.exe --config "C:\otel-collector\config.yaml"

To run the collector as a Windows service, you can use the New-Service PowerShell cmdlet or the SC command-line tool.

Advanced Configuration Options

Here are some practical configurations to enhance your Windows monitoring:

Filtering Security Events

Security logs can be voluminous. Focus on critical events by using XPath queries:

windowseventlog/security:
  channel: security
  xpath_query: "*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648 or EventID=4672)]]"

This configuration captures only login successes (4624), login failures (4625), logouts (4634), explicit credential uses (4648), and special privilege assignments (4672).
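The filter above and the flattened record format shown earlier come together in this added example, which is not from the original post or from OpenObserve: it decodes records in that shape, keeps the same five Security event IDs the XPath allows, and summarizes them per host, flagging hosts with repeated logon failures. The host names, the failure threshold and the sample records are constructed for the example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Same event IDs as the xpath_query filter above, with the meaning the text gives them.
SECURITY_EVENT_IDS = {"4624": "logon success", "4625": "logon failure", "4634": "logoff",
                      "4648": "explicit credentials", "4672": "special privileges"}
# Numeric body_level -> Event Log level name (0 is LogAlways, which Security auditing uses).
LEVEL_NAMES = {"0": "LogAlways", "1": "Critical", "2": "Error", "3": "Warning", "4": "Information"}

def normalize(record):
    """Decode one flattened record: microsecond timestamp, numeric level, JSON-in-a-string fields."""
    return {
        "time": datetime.fromtimestamp(record["_timestamp"] / 1_000_000, tz=timezone.utc),
        "host": record["host_name"],
        "channel": record["body_channel"],
        "event_id": record["body_event_id_id"],
        "level": LEVEL_NAMES.get(record["body_level"], record["body_level"]),
        # These two fields arrive as JSON text inside a JSON string and need a second decode.
        "event_data": json.loads(record.get("body_event_data_data") or "[]"),
        "keywords": json.loads(record.get("body_keywords") or "[]"),
    }

def security_summary(records, failure_threshold=3):
    """Keep allowlisted Security events, count them per host, flag hosts with repeated logon failures."""
    counts = defaultdict(Counter)
    for record in records:
        event = normalize(record)
        if event["channel"] != "Security" or event["event_id"] not in SECURITY_EVENT_IDS:
            continue  # the same events the XPath filter would drop at the collector
        counts[event["host"]][SECURITY_EVENT_IDS[event["event_id"]]] += 1
    flagged = sorted(h for h, c in counts.items() if c["logon failure"] >= failure_threshold)
    return {h: dict(c) for h, c in counts.items()}, flagged

def _rec(host, channel, event_id, ts, level="0", data="[]"):
    # Constructed sample records in the flattened shape shown earlier; fields not used here are omitted.
    return {"_timestamp": ts, "host_name": host, "body_channel": channel,
            "body_event_id_id": event_id, "body_level": level, "body_event_data_data": data}

SAMPLE_RECORDS = [  # constructed hosts and timestamps
    _rec("SRV-01", "Security", "4625", 1743779634244849),
    _rec("SRV-01", "Security", "4625", 1743779635244849),
    _rec("SRV-01", "Security", "4625", 1743779636244849),
    _rec("SRV-01", "Security", "4624", 1743779637244849),
    _rec("SRV-01", "Security", "4672", 1743779637244850),
    _rec("SRV-02", "Security", "4624", 1743779640000000),
    _rec("SRV-02", "Security", "4634", 1743779650000000),
    _rec("SRV-02", "Security", "4688", 1743779651000000),  # 4688 is not in the allowlist: dropped
    _rec("SRV-02", "Application", "0", 1743779634244849, "4", '[{"":"Service stopped"}]'),
]
```

Running `security_summary(SAMPLE_RECORDS)` flags only SRV-01, whose three 4625 events meet the threshold, while the 4688 and Application records never reach the per-host counts.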

Remote Collection for Multiple Servers

For centralized monitoring of multiple servers:

receivers:
  # Local server logs
  windowseventlog/local_system:
    channel: system
  
  # Remote server logs
  windowseventlog/server1_system:
    channel: system
    remote:
      server: "server1.example.com"
      username: "${env:DOMAIN_USER}"
      password: "${env:DOMAIN_PASSWORD}"
      domain: "EXAMPLE"

Visualizing Windows Monitoring Data in OpenObserve

Once your data is flowing into OpenObserve, you can view and analyze it through the intuitive interface.

Exploring Windows Event Logs

Navigate to the Logs page in OpenObserve to view your Windows Event Logs.

You can filter logs by severity, channel, or any other field to focus on specific events.

Analyzing Performance Metrics

The Metrics page allows you to visualize and analyze Windows system metrics.

You can create custom charts to track CPU usage, memory consumption, disk I/O, and network activity over time.

Pre-built Dashboard

OpenObserve provides a pre-built dashboard for Windows monitoring that you can import directly.

Troubleshooting Tips

If you encounter issues with your Windows monitoring setup:

  1. Verify Agent Installation: Check if the OpenObserve agent service is running with Get-Service -Name "OpenObserveAgent".

  2. Check Permissions: The service account must have administrative privileges to access Windows Event Logs and Performance Counters.

  3. Test Connectivity: Ensure your server can reach your OpenObserve instance with Test-NetConnection -ComputerName your-openobserve-instance.com -Port 443.

  4. Review Event Log Access: For security logs, ensure the service account has the "Manage auditing and security log" right.

Conclusion

Effective Windows monitoring is crucial for maintaining reliable, secure, and performant systems. With OpenObserve, you now have two straightforward options for comprehensive Windows monitoring: the simple one-command OpenObserve agent for quick deployment, or the highly customizable OpenTelemetry Collector for advanced scenarios.

By centralizing your Windows monitoring in OpenObserve, you gain the ability to correlate events across systems, track performance trends, and quickly identify the root cause of issues. The combination of event logs and performance metrics provides a complete picture of your Windows environment, enabling you to be proactive rather than reactive in your IT operations.

Whether you're managing a single Windows server or a large fleet of machines, this monitoring approach scales with your needs while providing the deep visibility required for effective troubleshooting, security monitoring, and performance optimization.

For more information, check out the OpenObserve documentation and start transforming your Windows monitoring today.

Happy monitoring! 🚀

About the Author

Manas Sharma

Manas is a passionate Dev and Cloud Advocate with a strong focus on cloud-native technologies, including observability, cloud, Kubernetes, and open source, building bridges between tech and community.
