box.win
The system logs from a Windows machine are assigned the box.win tag.
Windows events must be converted to syslog format before being sent to the Devo Cloud. One tool useful for this is the Snare Agent for Windows from InterSectAlliance, which can read the Windows event logs in their native format and forward them to a remote syslog server - in this case, to a Devo Relay or ProxyServerContainer where the box.win tag can be applied to the events.
- Devo Relay - This is the recommended option for environments with a high volume of Windows events - for example, simultaneously collecting logs from more than ten Windows machines. In this case, you configure the Snare Agent to send the logs to the UDP/TCP port 13002 on the Devo Relay. This port is preconfigured to receive Windows system events, tag them as box.win, then forward them to the Devo Cloud.