Configuring LogSources for Windows Event Logging
Last updated on 28 March, 2023
LogSources is a LogicModule that provides templates to help you enable LM Logs and configure log data collection and forwarding. A LogSource contains details about which logs to collect, where to collect them from, and which fields should be considered for parsing. LogSources are available for common sources of log data. The following describes how to set up a LogSource for Windows Event Logging.
Requirements
The Windows Event Logging logsource type uses the LM Collector. When using the LM Collector with LogSources, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.
Configuration Options
The following describes the configuration options specific to the Windows Event Logging type of LogSource. For information on how to add a LogSource, see Creating LogSources.
Exclude Filters
You can add filters to exclude resources of certain types.

Available parameters
Attributes | Comparison operator | Value example | Description |
Level | Equal, MoreUrgentThan, In. | “Error”, “Warning”, “Information”. | “In” and “NotIn” can have multiple comma- or pipe-separated values. |
LogName | Equal, In. | “System|Application|Key Management Service|Internet Explorer|Windows PowerShell” | “In” and “NotIn” can have multiple comma- or pipe-separated values. |
Message | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
SourceName | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
EventId | Equal, In, NotIn, RegexNotMatch. | | “In” and “NotIn” can have multiple comma- or pipe-separated values. |
Note: Severity level “Critical” is not supported; LogSources supports only the event types listed by Microsoft. When defining the severity levels to include for incoming log messages, you can specify multiple levels separated by a pipe. You can also use level numbers: 1 for error, 2 for warning, and 3 for information. Example: To include only error and warning log messages, set a filter with the attribute “Level”, the comparison operator “In”, and the value “1 | 2”.
Include Filters
You can add filters to include resources of certain types, for example an application. Only output matching the filter criteria is forwarded to the log ingestion process.
Available parameters
Attributes | Comparison operator | Value example | Description |
Level | Equal, MoreUrgentThan, In. | “Error”, “Warning”, “Information”. | “In” can have multiple comma- or pipe-separated values. |
LogName | Equal, In. | “System|Application|Key Management Service|Internet Explorer|Windows PowerShell” | “In” can have multiple comma- or pipe-separated values. |
Message | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
SourceName | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
EventId | Equal, In, NotIn, RegexNotMatch. | | “In” and “NotIn” can have multiple comma- or pipe-separated values. |
Note: Severity level “Critical” is not supported; LogSources supports only the event types listed by Microsoft. When defining the severity levels to include for incoming log messages, you can specify multiple levels separated by a pipe. You can also use level numbers: 1 for error, 2 for warning, and 3 for information. Example: To include only error and warning log messages, set a filter with the attribute “Level”, the comparison operator “In”, and the value “1 | 2”.
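The two filter tables above (Exclude Filters and Include Filters) share the same attributes and comparison operators, so the following added example models both with one evaluator. It is not LogicMonitor's own code and does not reproduce the collector's implementation; it is a stand-alone Python simulation you can use to sanity-check a filter set against a handful of constructed events before deploying the LogSource. Two details are assumptions: that every include row must match (AND) while any matching exclude row suppresses the event, and that “MoreUrgentThan” means a lower level number. One caveat worth keeping in mind: the level numbers on this page (1 = error, 2 = warning, 3 = information) are the LogSource's own scale, not the native Windows Event Log Level values (where 1 is Critical and 2 is Error), so do not copy numbers straight from Event Viewer into these filters.

```python
import re

# Severity numbers as this LogSource documentation states them (1 = error,
# 2 = warning, 3 = information). These are NOT the native Windows Level values.
LEVEL_NUMBERS = {"error": 1, "warning": 2, "information": 3}


def split_values(value):
    """'In' / 'NotIn' accept comma- or pipe-separated lists; whitespace is ignored."""
    return [v.strip() for v in re.split(r"[,|]", str(value)) if v.strip()]


def level_number(value):
    """Accept a level name ('Error') or its number ('1'); return the number.
    Returns None for anything unsupported, e.g. 'Critical' (see the note above)."""
    text = str(value).strip().lower()
    if text in LEVEL_NUMBERS:
        return LEVEL_NUMBERS[text]
    return int(text) if text.isdigit() else None


def row_matches(event, attribute, operator, value=None):
    """Evaluate one filter row (attribute, comparison operator, value) against an
    event dict. Level is compared numerically, so 'Error', 'error' and '1' are
    equivalent; other attributes compare as text.
    Assumption: MoreUrgentThan means a lower (more urgent) level number."""
    actual = event.get(attribute)
    if operator == "Exist":
        return actual not in (None, "")
    if operator == "NotExist":
        return actual in (None, "")
    if actual is None:
        return False
    norm = level_number if attribute == "Level" else (lambda v: str(v).strip())
    actual_n = norm(actual)
    if actual_n is None:  # unsupported level such as 'Critical' never matches
        return False
    if operator == "Equal":
        return actual_n == norm(value)
    if operator == "NotEqual":
        return actual_n != norm(value)
    if operator == "In":
        return actual_n in [norm(v) for v in split_values(value)]
    if operator == "NotIn":
        return actual_n not in [norm(v) for v in split_values(value)]
    if operator == "MoreUrgentThan":
        target = norm(value)
        return target is not None and actual_n < target
    text = str(actual)
    if operator == "Contain":
        return value in text
    if operator == "NotContain":
        return value not in text
    if operator == "RegexMatch":
        return re.search(value, text) is not None
    if operator == "RegexNotMatch":
        return re.search(value, text) is None
    raise ValueError(f"unknown comparison operator: {operator}")


def should_forward(event, include_filters, exclude_filters):
    """Assumption: all include rows must match (AND) and no exclude row may match."""
    if any(row_matches(event, *row) for row in exclude_filters):
        return False
    return all(row_matches(event, *row) for row in include_filters)


# Constructed sample events; keys follow the attribute names used on this page.
SAMPLE_EVENTS = [
    {"LogName": "System", "Level": "Error", "EventId": "7034",
     "SourceName": "Service Control Manager",
     "Message": "The Print Spooler service terminated unexpectedly."},
    {"LogName": "Application", "Level": "Information", "EventId": "1000",
     "SourceName": "ExampleApp", "Message": "ExampleApp started."},
    {"LogName": "Security", "Level": "Warning", "EventId": "4625",
     "SourceName": "Microsoft-Windows-Security-Auditing",
     "Message": "An account failed to log on."},
    {"LogName": "System", "Level": "Warning", "EventId": "10016",
     "SourceName": "DistributedCOM",
     "Message": "The application-specific permission settings do not grant "
                "Local Activation permission."},
    {"LogName": "Application", "Level": "Warning", "EventId": "1309",
     "SourceName": "ASP.NET 4.0.30319.0", "Message": "Event code: 3005"},
]

# Filter rows as they would be entered in the UI: errors and warnings from the
# System and Application logs, minus the noisy DCOM permission event.
INCLUDE = [("Level", "In", "1 | 2"), ("LogName", "In", "System|Application")]
EXCLUDE = [("EventId", "In", "10016")]


def forwarded_event_ids(events=SAMPLE_EVENTS, include=INCLUDE, exclude=EXCLUDE):
    """EventIds of the sample events that survive the include and exclude filters."""
    return [e["EventId"] for e in events if should_forward(e, include, exclude)]


if __name__ == "__main__":
    print(forwarded_event_ids())  # ['7034', '1309']
```

Running the block forwards only the Error event from System and the Warning event from Application: the Information event fails the Level row, the Security event fails the LogName row, and the DCOM event is removed by the exclude row even though it passes both include rows.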
LogFields/Tags
You can configure Log Fields/Tags to send additional metadata with the logs.
Available parameters
Method | Key example | Value example | Description |
Static | “Customer” | “Customer_XYZ” | |
Dynamic(REGEX) | “Host” | “host=*” | The query runs on the message field. |
LM Property(Token) | “Device” | “##system.deviceId##” | The DeviceID is taken from the existing device property in LogicMonitor. |
Windows Event Attribute | | Event ID, LEVEL, LOG NAME, SOURCE NAME. | The tag takes its value from the selected event attribute. |
Resource Mapping
Configure the LM log property to match a monitored resource.
Available parameters
Method | Key example | Value example | Description |
Static | “Customer_Id” | “1234” | Text field, any value. |
Dynamic(Regex) | “system.ServiceName” | “service=*” | The query runs on the message field. |
LM Property(Token) | | “##system.deviceId##” | The DeviceID is taken from the existing device property in LogicMonitor. |
Note: “Key” and “Value” are mandatory items.
Example
Configuration example for a Windows Event Logging type of logsource.
General Information
- Name: Windows_Events
- Description: Data collection template for Windows Events logs from monitored Windows resources.
- AppliesTo (custom query): /* isWindows() */
- Type: LM Logs: Windows Event Logging
- Group: Windows Event Logs
Include Filters
Attribute | Comparison Operator | Value |
LogName | In | System|Application |
Log Fields/Tags
Method | Key | Value |
Attribute | Level | Level |
Attribute | Source | SourceName |
Attribute | EventID | EventId |
Attribute | Channel | LogName |
Resource Mapping
Method | Key | Value |
Token | system.deviceId | ##system.deviceId## |
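To show what the Log Fields/Tags and Resource Mapping sections of this example configuration produce for a single event, here is an added Python illustration. It is not LogicMonitor's or the collector's code; it assumes a simplified record layout (a `tags` map and a `resource_mapping` map beside the message), resolves `##property##` tokens against a constructed set of device properties, and, for the Dynamic(Regex) method, treats the value as a regular expression whose first capture group becomes the tag value (an assumption; the page only shows the `host=*` form). The four Attribute rows and the Token row are the ones from the example above; the Static and Dynamic rows are added to exercise the other methods from the Log Fields/Tags table.

```python
import re

# Constructed device properties, standing in for what LogicMonitor holds for
# the monitored Windows resource.
DEVICE_PROPERTIES = {"system.deviceId": "1234", "system.displayname": "win-app-01"}


def resolve_tokens(value, properties):
    """LM Property(Token) method: replace ##property.name## with the device property."""
    def substitute(match):
        name = match.group(1)
        if name not in properties:
            raise KeyError(f"unknown device property in token: {name}")
        return properties[name]
    return re.sub(r"##([^#]+)##", substitute, value)


def resolve_field(method, value, event, properties):
    """Value that one Log Fields/Tags or Resource Mapping row yields for an event.
    Returns None when a Dynamic regex finds nothing in the message field, so the
    tag is simply omitted for that event."""
    if method == "Static":
        return value
    if method in ("Dynamic(Regex)", "Dynamic(REGEX)"):
        # Assumption: value is a regex; first capture group (or whole match) is the result.
        match = re.search(value, event.get("Message", ""))
        if match is None:
            return None
        return match.group(1) if match.groups() else match.group(0)
    if method in ("LM Property(Token)", "Token"):
        return resolve_tokens(value, properties)
    if method in ("Windows Event Attribute", "Attribute"):
        return event.get(value)
    raise ValueError(f"unknown method: {method}")


def build_log_record(event, log_fields, resource_mapping, properties=DEVICE_PROPERTIES):
    """Assemble the record that would be forwarded: message, tags, resource mapping.
    Key and Value are mandatory for every row (see the note in Resource Mapping)."""
    for method, key, value in list(log_fields) + list(resource_mapping):
        if not key or not value:
            raise ValueError(f"Key and Value are mandatory (row: {method}, {key!r}, {value!r})")
    tags = {}
    for method, key, value in log_fields:
        resolved = resolve_field(method, value, event, properties)
        if resolved is not None:
            tags[key] = resolved
    mapping = {}
    for method, key, value in resource_mapping:
        mapping[key] = resolve_field(method, value, event, properties)
    return {"message": event["Message"], "tags": tags, "resource_mapping": mapping}


# Rows from the example configuration above, plus one Static and one Dynamic row.
LOG_FIELDS = [
    ("Attribute", "Level", "Level"),
    ("Attribute", "Source", "SourceName"),
    ("Attribute", "EventID", "EventId"),
    ("Attribute", "Channel", "LogName"),
    ("Static", "Customer", "Customer_XYZ"),          # added: Static method
    ("Dynamic(Regex)", "Host", r"host=(\S+)"),       # added: Dynamic(Regex) method
]
RESOURCE_MAPPING = [("Token", "system.deviceId", "##system.deviceId##")]

# Constructed sample event from the Application log.
SAMPLE_EVENT = {
    "LogName": "Application", "Level": "Error", "EventId": "1000",
    "SourceName": "ExampleApp",
    "Message": "Request failed host=win-app-01 code=500",
}


def example_record(event=SAMPLE_EVENT):
    return build_log_record(event, LOG_FIELDS, RESOURCE_MAPPING)


if __name__ == "__main__":
    print(example_record())
```

The resulting record carries the four attribute-derived tags (Level, Source, EventID, Channel), the static Customer tag, a Host tag extracted from the message, and a resource mapping of `system.deviceId` to the device's ID, which is what LM Logs uses to associate the event with the monitored resource. An event whose message contains no `host=` token gets every tag except Host.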