Windows - using Vector
This guide walks you through configuring Vector to collect logs from Windows and send them to your HTTP endpoint.
Prerequisites
- Windows Server 2016 or later, or Windows 10/11
- Administrator access to install and configure Vector
- Access to your HTTP endpoint credentials
- Vector 0.34.0 or later
Connection Parameters
The following parameters are required for establishing connectivity between Vector and your CtrlB instance:
- Endpoint URL: https://<INSTANCE_HOST>/api/default/<STREAM_NAME>/_json_evolving
- Authentication Method: HTTP Basic Authentication via Authorization header
- Authentication Format: Authorization: Basic <API_TOKEN>
Installation
- Download Vector for Windows
  - Visit the Vector releases page
  - Download the .msi installer for Windows
  - Run the installer and follow the setup wizard
- Verify Installation
  vector --version
Configuration
1. Locate Configuration File
Vector configuration on Windows is typically stored at:
%PROGRAMDATA%\Vector\vector.yaml
Or if installed from source:
C:\Program Files\Vector\vector.yaml
2. Configure Sources
Vector can extract logs from multiple sources on Windows. Configure the sources that match your logging infrastructure:
Windows Event Logs
Extract logs from the Windows Event Log system:
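sources:
  windows_events:
    type: file
    include:
      # .evtx files are a binary format; the file source reads newline-delimited
      # text and does not decode event records.
      - C:\Windows\System32\winevt\Logs\*.evtx
    read_from: beginning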
Application Logs from Custom Directories
Collect logs written by your applications to specific directories:
sources:
  app_logs:
    type: file
    include:
      - C:\Logs\*.log
    read_from: beginning
IIS Web Server Logs
Extract access and error logs from Internet Information Services:
sources:
  iis_logs:
    type: file
    include:
      - C:\inetpub\logs\LogFiles\*\*.log
    read_from: beginning
3. Add Timestamp Processing
Create a transform to add Unix timestamps in milliseconds:
transforms:
  add_timestamp:
    type: remap
    inputs:
      # List every source defined above that should be forwarded.
      - windows_events
    source: |
      ._timestamp = to_unix_timestamp(now(), unit: "milliseconds")
4. Configure the HTTP Sink
Add the HTTP sink to send logs to your endpoint:
sinks:
  ctrlb_logs:
    type: http
    inputs:
      - add_timestamp
    encoding:
      codec: json
    uri: https://<INSTANCE_HOST>/api/default/<STREAM_NAME>/_json_evolving
    method: post
    request:
      headers:
        authorization: "Basic <API_TOKEN>"
        content-type: application/json
Complete Example Configuration
sources:
  windows_events:
    type: file
    include:
      - C:\Logs\*.log
    read_from: beginning
transforms:
  add_timestamp:
    type: remap
    inputs:
      - windows_events
    source: |
      ._timestamp = to_unix_timestamp(now(), unit: "milliseconds")
sinks:
  ctrlb_logs:
    type: http
    inputs:
      - add_timestamp
    encoding:
      codec: json
    uri: https://<INSTANCE_HOST>/api/default/<STREAM_NAME>/_json_evolving
    method: post
    request:
      headers:
        authorization: "Basic <API_TOKEN>"
        content-type: application/json
Running Vector
Start Vector Service
Once configured, start the Vector service:
# Start the Vector service
Start-Service -Name "Vector"
# Check service status
Get-Service -Name "Vector"
# View service logs
Get-EventLog -LogName "Application" -Source "Vector" -Newest 20
Run Vector in Foreground (Testing)
To test your configuration before running as a service:
vector --config "C:\Program Files\Vector\vector.yaml"
Verification
Check Logs Are Being Collected
Monitor Vector's output:
# View Vector application logs
Get-EventLog -LogName "Application" -Source "Vector" -Newest 50
Test HTTP Connectivity
Verify connectivity to your HTTP endpoint:
$headers = @{
    "Authorization" = "Basic <API_TOKEN>"
    "Content-Type"  = "application/json"
}
$body = @{
    "message"   = "test"
    "timestamp" = (Get-Date).ToUniversalTime()
} | ConvertTo-Json
Invoke-WebRequest -Uri "https://<INSTANCE_HOST>/api/default/<STREAM_NAME>/_json_evolving" `
    -Method "POST" `
    -Headers $headers `
    -Body $body
Troubleshooting
Issue: Vector service fails to start
- Check %PROGRAMDATA%\Vector\vector.yaml for syntax errors
- Verify file paths exist and are accessible
- Run vector validate to check configuration
Issue: Logs not appearing
- Verify source file paths are correct
- Check file permissions and that Vector has read access
- Ensure HTTP endpoint is reachable: Test-NetConnection <INSTANCE_HOST> -Port 443
- Review Vector logs for connection errors
Issue: HTTP 401 Unauthorized
- Verify your Base64-encoded API token is correct
- Confirm credentials have appropriate permissions
- Check for extra whitespace in the token
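A local check for the token problems listed above, as an added example that is not part of the original guide. It assumes the token is the standard HTTP Basic value, Base64 of user:password; the function name Test-BasicToken and the sample credentials are constructed for illustration.

```powershell
# Added example: sanity-check the value placed after "Basic " without printing the secret.
# Assumption: the token is Base64("<user>:<password>") as in standard HTTP Basic auth.
function Test-BasicToken {
    param([Parameter(Mandatory)][string]$Token)

    $problems = @()

    # Whitespace copied along with the token changes the header value.
    if ($Token -ne $Token.Trim()) { $problems += 'leading or trailing whitespace around the token' }
    $t = $Token.Trim()

    # Pasting the whole header value would send "Basic Basic ...".
    if ($t -match '^basic\s') {
        $problems += 'token already starts with "Basic "'
        $t = $t -replace '^basic\s+', ''
    }

    try {
        $bytes = [Convert]::FromBase64String($t)
    } catch {
        $problems += 'not valid Base64'
        return [pscustomobject]@{ Valid = $false; Problems = $problems }
    }
    $decoded = [Text.Encoding]::UTF8.GetString($bytes)

    # Only the shape of the decoded value is reported, never its content.
    if ($decoded -notmatch ':') { $problems += 'decoded value has no "user:password" separator' }
    if ($decoded -match '[\r\n]$') { $problems += 'a newline was encoded into the token' }
    elseif ($decoded -ne $decoded.Trim()) { $problems += 'whitespace was encoded into the token' }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample values (not real credentials).
$good = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('demo-user:demo-secret'))
$bad  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("demo-user:demo-secret`n"))

Test-BasicToken -Token $good      # clean token
Test-BasicToken -Token "$bad "    # trailing space plus a newline encoded into the token
```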
Issue: File permissions denied
- Run Vector as Administrator or a service account with appropriate permissions
- Ensure log file directories are accessible to the Vector service account