Troubleshooting Windows Event Logs Ingestion
Last updated on 18 June, 2025
When configuring a LogSource or DataSource to ingest Windows Event Logs, you may encounter issues where logs fail to collect or display properly.
No Logs Display in the LogicMonitor Portal
Not all Windows Events are retrievable with Windows Management Instrumentation (WMI). Because the LogicMonitor Logs module for Windows Events relies on the Win32_NTLogEvent WMI class to pull events, any log that is not exposed through this class will not display. For more information, see Win32_NTLogEvent class from Microsoft.
For example, the logs under "Application and Services Logs" in Event Viewer are not available through Win32_NTLogEvent. However, you can use a Windows event subscription (Windows Event Forwarding) to copy events from an Application and Services log into a classic log that WMI does expose, such as Application. Once the events are copied to a destination that is available to LogicMonitor, add a filter of type LOGNAME that equals <OriginalLogName> so that only the forwarded events are matched. For more information about filters for Windows Event logging, see Include Filters.
Requirements for Verifying No Windows Event Logs display in the LogicMonitor Portal
- Windows Event collection and forwarding must be configured using LogSource or DataSource.
- The service account of the Collector monitoring the resource must have sufficient permissions to read from Win32_NTLogEvent on the monitored server. Alternatively, credentials with sufficient permissions can be passed through wmi.user and wmi.pass properties.
- If you are ingesting logs from a remote Windows machine, Windows Remote Management (WinRM) must be enabled.
- If you are receiving events from the Security event log, the account reading the log (the Collector service account, or the account passed through wmi.user and wmi.pass) must hold SeSecurityPrivilege. If it does not, WMI returns an "Access Denied" error to the Collector.
Verifying No Windows Events Logs Display in the LogicMonitor Portal
Review your LogSource configuration
Filtering—Verify that the filters you applied to the LogSource do not result in exclusion of logs you want to monitor.
Verify the Collector permissions
- Collector access—Verify that the Collector is running with relevant permissions on the Windows machine. For more information, see Windows Server Monitoring and Principle of Least Privilege.
- Windows Management Instrumentation (WMI) permissions—Verify that the user running the Collector, or the account whose credentials are passed through wmi.user and wmi.pass, has the WMI permissions needed to access the Windows Event logs.
Test connectivity to WMI
- WMI accessibility—Verify that WMI is correctly configured and accessible on the Windows machine. You can test by running the following PowerShell query from the Collector host. Replace COMPUTERNAME with the name of the host you are monitoring logs from, and provide the credentials of the Collector service account (or those passed via wmi.user and wmi.pass) when prompted. Select-Object -First 1 stops the query after the first event so that a large log does not take minutes to enumerate:
# Run from the Collector host. -Credential is only accepted for remote targets.
Get-WmiObject -ComputerName COMPUTERNAME -Credential (Get-Credential) -Query "SELECT * FROM Win32_NTLogEvent" | Select-Object -First 1
- Firewall rules—Check if any firewall rules are blocking WMI communication between the Collector and the Windows machine.
Verifying if Windows Events are Retrievable
- You can confirm whether a log can be read through the Win32_NTLogEvent class by running the following query in PowerShell on the Windows device you want to monitor. Replace <LogFileName> with the log name as shown in Event Viewer (for example, Application):
Get-WmiObject -Query "SELECT TimeGenerated,Message,Logfile FROM Win32_NTLogEvent WHERE ( Logfile = '<LogFileName>' )" | Select-Object -First 1
- If no events are returned and the log is not simply empty, the log is not exposed through Win32_NTLogEvent. WMI only exposes the classic event logs registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog in the Windows Registry; Application and Services Logs are not registered there. To ingest those events, forward them into a classic log such as Application using a subscription, as described above.
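The following PowerShell function combines the connectivity test and the retrievability check above into one pass that can be run from the Collector host. It is an added example, not LogicMonitor code or part of the original article. It lists the logs WMI actually exposes on the target (Win32_NTEventlogFile), then tries to read the first event from each requested log through Win32_NTLogEvent and classifies the result as readable, not exposed by WMI, access denied (typically a missing SeSecurityPrivilege on the Security log), or unreachable (typically a firewall blocking DCOM/RPC). The function name, parameter names, and the sample host name SRV01 in the usage line are assumptions for illustration.

```powershell
# Added example (not LogicMonitor code). Run from the Collector host as the Collector
# service account, or pass -Credential with the account configured in wmi.user / wmi.pass.
function Test-WmiEventLogAccess {
    param(
        [string]       $ComputerName = $env:COMPUTERNAME,
        [pscredential] $Credential,                           # omit to use the current account
        [string[]]     $LogName = @('Application', 'System', 'Security')
    )

    # Shared Get-WmiObject parameters. Get-WmiObject rejects -Credential for local queries,
    # so only attach it when the target is a remote host (simple hostname comparison).
    $wmi = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential -and $ComputerName -ne $env:COMPUTERNAME) { $wmi.Credential = $Credential }

    # 1. Logs that WMI exposes: the classic logs registered under
    #    HKLM\SYSTEM\CurrentControlSet\Services\EventLog. Application and Services
    #    channels (e.g. Microsoft-Windows-*/Operational) never appear here.
    try {
        $exposed = @((Get-WmiObject @wmi -Class Win32_NTEventlogFile).LogfileName)
    } catch {
        $detail = if ($_.Exception.Message -match 'RPC server is unavailable') {
            'DCOM/RPC blocked: check firewall rules between the Collector and the target'
        } else { $_.Exception.Message }
        return [pscustomobject]@{ Log = '*'; Status = 'WMI unreachable'; Detail = $detail }
    }

    # 2. Try to read one event from each requested log through Win32_NTLogEvent.
    foreach ($log in $LogName) {
        if ($exposed -notcontains $log) {
            [pscustomobject]@{ Log = $log; Status = 'Not exposed by WMI'
                               Detail = 'Forward it into a classic log (e.g. Application) with a subscription' }
            continue
        }
        try {
            # Select-Object -First 1 stops enumeration after the first event, so large logs return quickly
            $q     = "SELECT RecordNumber,TimeGenerated FROM Win32_NTLogEvent WHERE Logfile='$log'"
            $first = Get-WmiObject @wmi -Query $q | Select-Object -First 1
            $status = if ($first) { 'OK' } else { 'Exposed but empty' }
            [pscustomobject]@{ Log = $log; Status = $status; Detail = $first.TimeGenerated }
        } catch {
            # "Access denied" on Security usually means the account lacks SeSecurityPrivilege
            $detail = if ($_.Exception.Message -match 'Access denied|Unauthorized') {
                'Access denied: check WMI namespace rights; the Security log also needs SeSecurityPrivilege'
            } else { $_.Exception.Message }
            [pscustomobject]@{ Log = $log; Status = 'Error'; Detail = $detail }
        }
    }
}

# Usage from the Collector host (SRV01 is a placeholder for the monitored host):
Test-WmiEventLogAccess -ComputerName SRV01 -Credential (Get-Credential) `
    -LogName Application, System, Security, 'Microsoft-Windows-TaskScheduler/Operational' |
    Format-Table -AutoSize
```

Run it once as the Collector service account and once with the wmi.user credentials if you use them; the two results should match. A log reported as "Not exposed by WMI" will never appear in the portal regardless of permissions, so spend no time on Collector rights for it and set up forwarding instead.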
Windows Critical Events Display as Errors in the LogicMonitor Portal
Some Windows Events that Event Viewer shows at the Critical level display as errors in the LogicMonitor Portal. For example, the Kernel-Power event with the following message is reported as an Error:
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
This is a known issue: the Win32_NTLogEvent class used by LogSource only reports the event types listed by Microsoft (Error, Warning, Information, Audit Success, and Audit Failure), which do not include the Critical level, so Critical events are reported as Error. For more information, see Event Types from Microsoft.
Verifying Windows Critical Events Display as Errors
- In your LogicMonitor Portal, verify if you have received any errors similar to the following:
[system] [Error] [41] The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
- Navigate to your Windows Event Viewer and verify if the Event category (for example, System) and Event ID (for example, 41) match the error in the LogicMonitor Portal.
- If the Event category and Event ID match the error in the LogicMonitor Portal and Event Viewer shows the level as Critical, the event is being reported as an Error because LogSource only supports the event types listed by Microsoft. This is expected behavior. In filters and alerting, match on the log name and Event ID (for example, System and 41) rather than on a Critical level, which LogicMonitor will never see.
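The mismatch can be confirmed on the monitored host itself by looking at the same event records through both interfaces. The following PowerShell function is an added example, not LogicMonitor code or part of the original article: it fetches recent Critical (Level 1) records from a log with Get-WinEvent, then looks up each record through Win32_NTLogEvent by record number (Get-WinEvent's RecordId corresponds to the WMI RecordNumber property) and shows the level each interface reports. The function and parameter names are assumptions for illustration.

```powershell
# Added example (not LogicMonitor code). Shows why Critical events reach the portal as Error:
# Event Viewer reports Level 1 / "Critical", while WMI has no Critical value and reports
# EventType 1 / "Error" for the same record, which is what the Collector ingests.
function Compare-CriticalEventLevels {
    param(
        [string] $LogName   = 'System',   # classic log to inspect
        [int]    $MaxEvents = 5           # how many recent Critical records to compare
    )

    # Event Viewer's view: Level 1 = Critical (e.g. Kernel-Power Event ID 41 after a hard reset).
    # SilentlyContinue suppresses the "No events were found" error when there are none.
    $crit = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 1 } `
                         -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $crit) { Write-Warning "No Critical events found in the $LogName log"; return }

    foreach ($e in $crit) {
        # WMI's view of the same record, selected by record number
        $q = "SELECT EventCode,EventType,Type FROM Win32_NTLogEvent " +
             "WHERE Logfile='$LogName' AND RecordNumber=$($e.RecordId)"
        $w = Get-WmiObject -Query $q

        [pscustomobject]@{
            RecordId         = $e.RecordId
            EventId          = $e.Id               # EventCode in WMI, e.g. 41
            Source           = $e.ProviderName
            EventViewerLevel = $e.LevelDisplayName # "Critical"
            WmiEventType     = $w.EventType        # 1 (no Critical value exists in Win32_NTLogEvent)
            WmiType          = $w.Type             # "Error": the level LogicMonitor displays
        }
    }
}

Compare-CriticalEventLevels -LogName System | Format-Table -AutoSize
```

Because every row shows "Critical" on the Event Viewer side and "Error" on the WMI side, any LogicMonitor filter or alert rule that keys on a Critical severity will never match; key on the log name and Event ID instead.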
If you are still experiencing issues with ingesting Windows Event Logs, contact Support.