The system logs from a Windows machine are assigned the box.win tag.
Windows events must be converted to syslog format before being sent to the Devo Cloud. One tool useful for this is the Snare Agent for Windows from InterSectAlliance, which can read the Windows event logs in their native format and forward them to a remote syslog server - in this case, to a Devo Relay or ProxyServerContainer where the box.win tag can be applied to the events.
- Devo Relay - This is the recommended option for environments with a high volume of Windows events - for example, simultaneously collecting logs from more than ten Windows machines. In this case, you configure the Snare Agent to send the logs to the UDP/TCP port 13002 on the Devo Relay. This port is preconfigured to receive Windows system events, tag them as box.win, then forward them to the Devo Cloud.
- ProxyServerContainer Agent - This is the component of the 2021-06-15_09-43-16_Devo Agent for Windows responsible for forwarding collected data to either the Devo Relay or to the Devo Cloud.
If you are using the Snare Agent to collect events, they should be sent to the localhost UDP port 11011. The ProxyServerContainer will apply the box.win tag to the events received on that port and forward them as directed (to the relay or the cloud).
If you are using the Devo Agent for Windows to collect the events, the box.win tag is applied by the MagicLog component. In this case, the events are directed to the ProxyServerContainer on TCP port 10010 for forwarding to the Devo endpoint.