Configuring LogSources for Windows Event Logging

Last updated on 22 November, 2022

With LogSources you can view and configure log integrations in the LogicMonitor portal. LogSources provides out-of-the-box setup and configuration for some popular logsources. This article describes specific configuration options when setting up LogSources for Windows Event Logging types of resources.

Creating LogSources

LogSources are created from Settings in the LM portal. For general information on how to add a logsource, see Creating LogSources.

Configuration Options

The Windows Event log resource type uses the LM Collector. The Collector runs on a Linux or Windows server within the infrastructure and uses standard monitoring protocols to monitor devices. The following describes the configuration options specific to adding a Windows Event type of logsource.

Exclude Filters

You can add filters to explicitly exclude events whose attributes match certain values.

Available parameters

Attribute     Comparison Operator                                                                 Value
Level         Equal, MoreUrgentThan, In                                                           For example “Error”, “Warning”, “Information”
LogName       Equal, In                                                                           For example “System|Application|Key Management Service|Internet Explorer|Windows PowerShell”
Message       Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
SourceName    Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
EventId       Equal, In, NotIn, RegexNotMatch

Parameter explanation

  • EventId, Level, LogName: “In” and “NotIn” can take multiple comma- or pipe-separated values.
  • Level: Severity level “Critical” is not supported. LogSources only supports the event types listed by Microsoft. When defining the severity levels to be included for incoming log messages, you can specify multiple levels separated by a pipe. You can also use level numbers such as 1 for error, 2 for warning, and 3 for information. Example: to include only log messages for errors and warnings, set the filter with the attribute “Level”, comparison operator “In”, and value “1 | 2”.
  • Message, SourceName: The Value field is disabled if you select “Exist” or “NotExist”.

Include Filters

You can add filters to explicitly include events whose attributes match certain values.

Available parameters

Attribute     Comparison Operator                                                                 Value
Level         Equal, MoreUrgentThan, In                                                           For example “Error”, “Warning”, “Information”
LogName       Equal, In                                                                           For example “System|Application|Key Management Service|Internet Explorer|Windows PowerShell”
Message       Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
SourceName    Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
EventId       Equal, In, NotIn, RegexNotMatch

Parameter explanation

  • Level, LogName: “In” can take multiple comma- or pipe-separated values.
  • Level: Severity level “Critical” is not supported. LogSources only supports the event types listed by Microsoft. When defining the severity levels to be included for incoming log messages, you can specify multiple levels separated by a pipe. You can also use level numbers such as 1 for error, 2 for warning, and 3 for information. Example: to include only log messages for errors and warnings, set the filter with the attribute “Level”, comparison operator “In”, and value “1 | 2”.
  • Message, SourceName: The Value field is disabled if you select “Exist” or “NotExist”.
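The following is an added example (not LogicMonitor's code) that models how the Exclude and Include filter rows above behave when evaluated against Windows events, so you can check a filter set before relying on it to reduce noise or to make sure security-relevant events are not dropped. It uses the page's level numbering (1 = error, 2 = warning, 3 = information), accepts comma- or pipe-separated lists for “In”/“NotIn”, and disables the Value for “Exist”/“NotExist”. Two things are assumptions rather than documented behaviour: “MoreUrgentThan” is taken to mean a numerically lower level code, and an event is assumed to be forwarded when it matches every include row and none of the exclude rows. The sample events are constructed.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Level names used on this page mapped to the page's numeric codes
# (1 = Error, 2 = Warning, 3 = Information). Lower code = more urgent.
LEVEL_CODES = {"error": 1, "warning": 2, "information": 3}

# A filter row is (Attribute, Comparison Operator, Value); Value is "" for Exist/NotExist.
FilterRow = Tuple[str, str, str]


def _split_values(value: str) -> List[str]:
    """Split an 'In'/'NotIn' value on commas or pipes and trim whitespace ("1 | 2" -> ["1", "2"])."""
    return [v.strip() for v in re.split(r"[,|]", value) if v.strip()]


def _level_code(value: str) -> int:
    """Accept either a level name ("Error") or its page-defined number ("1")."""
    v = value.strip().lower()
    if v.isdigit():
        return int(v)
    if v not in LEVEL_CODES:
        raise ValueError(f"unsupported level: {value!r} (Critical is not supported)")
    return LEVEL_CODES[v]


def _norm(attribute: str, value: str) -> str:
    """Level values compare by numeric code, so "Error" and "1" are treated as equal."""
    return str(_level_code(value)) if attribute == "Level" else value


def match_filter(event: Dict[str, str], attribute: str, op: str, value: str = "") -> bool:
    """Evaluate one filter row against one event (a dict keyed by the page's attribute names)."""
    actual = event.get(attribute)
    if op == "Exist":           # Value field is disabled for these two operators
        return bool(actual)
    if op == "NotExist":
        return not actual
    if actual is None:
        return False
    if attribute == "Level":
        actual = str(_level_code(actual))
    if op == "Equal":
        return actual == _norm(attribute, value)
    if op == "NotEqual":
        return actual != _norm(attribute, value)
    if op == "In":
        return actual in {_norm(attribute, v) for v in _split_values(value)}
    if op == "NotIn":
        return actual not in {_norm(attribute, v) for v in _split_values(value)}
    if op == "MoreUrgentThan":  # assumption: lower level code means more urgent
        return int(actual) < _level_code(value)
    if op == "Contain":
        return value in actual
    if op == "NotContain":
        return value not in actual
    if op == "RegexMatch":
        return re.search(value, actual) is not None
    if op == "RegexNotMatch":
        return re.search(value, actual) is None
    raise ValueError(f"unsupported operator: {op!r}")


def should_forward(event: Dict[str, str], include: Sequence[FilterRow], exclude: Sequence[FilterRow]) -> bool:
    """Assumption: forward when every include row matches and no exclude row matches."""
    if not all(match_filter(event, *row) for row in include):
        return False
    return not any(match_filter(event, *row) for row in exclude)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"LogName": "System", "Level": "Error", "EventId": "7034", "SourceName": "Service Control Manager",
     "Message": "The Spooler service terminated unexpectedly."},
    {"LogName": "Application", "Level": "Warning", "EventId": "1001", "SourceName": "Windows Error Reporting",
     "Message": "Fault bucket reported."},
    {"LogName": "Security", "Level": "Information", "EventId": "4624",
     "SourceName": "Microsoft-Windows-Security-Auditing", "Message": "An account was successfully logged on."},
    {"LogName": "System", "Level": "Information", "EventId": "7036", "SourceName": "Service Control Manager",
     "Message": "The Spooler service entered the running state."},
]

# The page's own example rows: LogName In "System|Application" and Level In "1 | 2",
# plus one exclude row dropping routine service-state messages.
INCLUDE: List[FilterRow] = [("LogName", "In", "System|Application"), ("Level", "In", "1 | 2")]
EXCLUDE: List[FilterRow] = [("Message", "Contain", "entered the running state")]


def forwarded_event_ids(events=SAMPLE_EVENTS, include=INCLUDE, exclude=EXCLUDE) -> List[str]:
    """Return the EventIds that survive the include/exclude rows."""
    return [e["EventId"] for e in events if should_forward(e, include, exclude)]


if __name__ == "__main__":
    print(forwarded_event_ids())  # the Security 4624 and the Information 7036 are dropped
```

Note that with this filter set the Security channel is never forwarded because it is not in the LogName include list; if logon auditing matters to you, add “Security” to that list rather than relying on an exclude row.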

LogFields/Tags

You can configure Log Fields/Tags to include additional metadata to be sent with the logs.

Available parameters

Method                     Key                        Value
Static                     For example “Customer”     For example “Customer_XYZ”
Dynamic(REGEX)             For example “Host”         For example “host=*”
LM Property(Token)         For example “Device”       For example “##system.deviceId##”
Windows Event Attribute    Event ID, LEVEL, LOG NAME, SOURCE NAME

Parameter explanation

  • Dynamic(REGEX): The query will run on the message field.
  • LM Property(Token): The DeviceID extracted from the existing device property in LM.

Resource Mapping

Configure the LM log property to match a monitored device.

Available parameters

Method                Key                                  Value
Static                For example “Customer_Id”            For example “1234”
Dynamic(Regex)        For example “system.ServiceName”     For example “service=*”
LM Property(Token)    For example “##system.deviceId##”

Parameter explanation

  • Key and Value are mandatory items.
  • Static: Text field, any value.
  • Dynamic(Regex): The query will run on the message field.
  • LM Property (Token): The DeviceID extracted from the existing device property in LM.
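The following is an added example (not LogicMonitor's code) that models the Log Fields/Tags and Resource Mapping methods described above for a single event: Static copies the value as-is, Dynamic(REGEX) runs the value as a regular expression over the message field, LM Property(Token) resolves ##name## placeholders from the device's LM properties, and Windows Event Attribute copies one of the event's own attributes. Assumptions: the regex's first capture group (or the whole match, if there is none) becomes the tag value, so the example uses `host=(\S+)` rather than the page's literal “host=*”; unresolved tokens are left unchanged; and a resource mapping is treated as a (property, value) pair that must equal the same property on a monitored device. The event and device properties are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one Windows event and the LM properties of a hypothetical device.
SAMPLE_EVENT = {
    "LogName": "System", "Level": "Error", "EventId": "7034",
    "SourceName": "Service Control Manager",
    "Message": "The Spooler service terminated unexpectedly. host=WIN-APP01 service=Spooler",
}
SAMPLE_DEVICE_PROPERTIES = {"system.deviceId": "4711", "system.hostname": "win-app01"}

# Tag rows as (Method, Key, Value), mirroring the page's Log Fields/Tags table.
TAG_RULES: List[Tuple[str, str, str]] = [
    ("Static", "Customer", "Customer_XYZ"),
    ("Dynamic(REGEX)", "Host", r"host=(\S+)"),          # assumed capture-group semantics
    ("LM Property(Token)", "Device", "##system.deviceId##"),
    ("Windows Event Attribute", "Channel", "LogName"),
    ("Windows Event Attribute", "Severity", "Level"),
]


def resolve_tokens(template: str, props: Dict[str, str]) -> str:
    """Replace each ##name## with the device property of that name (assumption: unknown tokens stay as-is)."""
    return re.sub(r"##([^#]+)##", lambda m: props.get(m.group(1), m.group(0)), template)


def extract_from_message(pattern: str, event: Dict[str, str]) -> Optional[str]:
    """Run a Dynamic(REGEX) query over the message field; first group or whole match, None if no match."""
    m = re.search(pattern, event.get("Message", ""))
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def build_tags(event: Dict[str, str], props: Dict[str, str], rules) -> Dict[str, str]:
    """Produce the extra metadata key/value pairs that would be sent with the log."""
    tags: Dict[str, str] = {}
    for method, key, value in rules:
        if method == "Static":
            tags[key] = value
        elif method == "Dynamic(REGEX)":
            found = extract_from_message(value, event)
            if found is not None:                       # no match -> tag simply absent
                tags[key] = found
        elif method == "LM Property(Token)":
            tags[key] = resolve_tokens(value, props)
        elif method == "Windows Event Attribute":
            if value in event:
                tags[key] = event[value]
        else:
            raise ValueError(f"unsupported tag method: {method!r}")
    return tags


def resource_mapping(event: Dict[str, str], props: Dict[str, str],
                     method: str, key: str, value: str) -> Optional[Tuple[str, str]]:
    """Return the (LM property, value) pair used to match this log to a monitored device."""
    if method == "Static":
        return (key, value)
    if method == "Dynamic(Regex)":
        found = extract_from_message(value, event)
        return None if found is None else (key, found)
    if method == "LM Property(Token)":
        return (key, resolve_tokens(value, props))
    raise ValueError(f"unsupported mapping method: {method!r}")


def device_matches(mapping: Optional[Tuple[str, str]], device_props: Dict[str, str]) -> bool:
    """Assumption: a device matches when its property named mapping[0] equals mapping[1]."""
    return mapping is not None and device_props.get(mapping[0]) == mapping[1]


if __name__ == "__main__":
    print(build_tags(SAMPLE_EVENT, SAMPLE_DEVICE_PROPERTIES, TAG_RULES))
    mapping = resource_mapping(SAMPLE_EVENT, SAMPLE_DEVICE_PROPERTIES,
                               "LM Property(Token)", "system.deviceId", "##system.deviceId##")
    print(mapping, device_matches(mapping, SAMPLE_DEVICE_PROPERTIES))
```

A Dynamic(Regex) resource mapping that fails to match yields no mapping at all, so logs from that event would not be attributed to a device; anchor such patterns tightly (for example with a trailing `\S+` rather than `.*`) and test them against real message text before deploying.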

Example

Configuration example for a Windows Event Logging type of logsource.

General Information

  • Name: Windows_Events
  • Description: Data collection template for Windows Events logs from monitored Windows resources.
  • AppliesTo (custom query): /* isWindows() */ 
  • Type: LM Logs: Windows Event Logging
  • Group: Windows Event Logs

Include Filters

Attribute    Comparison Operator    Value
LogName      In                     System|Application

Log Fields/Tags

Method       Key        Value
Attribute    Level      Level
Attribute    Source     SourceName
Attribute    EventID    EventId
Attribute    Channel    LogName

Resource Mapping

Method    Key                Value
Token     system.deviceId    ##system.deviceId##