1. step Download whoruevent
visit to https://asecurity.dev/windows-server-log-collector-who-is-use-my-system/whoruevent/ and download whoruevent.zip
2. step copy and paste in windows server
Decompress that zip file, Then copy and paste to windows server.
3. step configuration whoruevent
Configuration syslog_ip and collect log type in eventlog section.
4. step install whoruevent for service type
Install service type, If you install it as a service type, it runs even if you do not log in. It is suitable for server method.
5. step check collect log
last is check to collect to log on graylog