Platform

    Get real-time insights and automation for comprehensive, seamless monitoring with agentless architecture.

    Platform Overview
  • Infrastructure
    monitoring
  • Cloud monitoring
  • Digital experience
  • AIOPS

      • Solutions

      Whether you work in MSP, Enterprise IT or somewhere in between, the solution is clear.

      Solutions Overview
    By Initiative
    By Industry

      About us

      Get to know LogicMonitor and our team.

      About us
    Get to know us
    Connect
    Services

      Documentation

      Read through our documentation, check out our latest release notes, or submit a ticket to our world-class customer service team.

      View Resources
    Support

    Product Documentation

    Windows Event Logging LogSource Configuration

    Last updated on 08 January, 2024

    Disclaimer: The LogSource LM LogicModule is currently in open Beta.

    LogSource is a LogicModule that provides templates to help you enable LM Logs and configure log data collection and forwarding. LogSource contains details about which logs to get and where to get them, and which fields should be considered for parsing. LogSource is available for common sources of log data.

    Requirements

    The Windows Event Logging LogSource type uses the LM Collector. When using the LM Collector with LogSource, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.

    Configuration Options

    The following describes configuration details specific to the Windows Event Logging type of LogSource. For general information on how to add a LogSource, see Configuring a LogSource.

    Exclude Filters

    You can add filters to exclude resources of certain types.

    Available parameters

    AttributesComparison operatorValue exampleDescription
    LevelEqual, MoreUrgentThan.“Error”, “Warning”, “Information”, “Security Audit Success”, and “Security Audit Failure”
    LogNameEqual, In.“System|Application|Key Management Service|Internet Explorer|Windows PowerShell”“In” and “NotIn” can have multiple comma or pipe separated values.
    MessageEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist.The Value field is disabled if you select “Exist” or “NotExist”.
    SourceNameEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist.The Value field is disabled if you select “Exist” or “NotExist”.
    EventIdEqual, In, NotIn, RegexNotMatch.“In” and “NotIn” can have multiple comma or pipe separated values.

    Note: Severity level “Critical” is not supported. LogSource only supports the event types listed by Microsoft.

    Include Filters

    You can add filters to include resources of certain types, for example an application. The output matching the filter criteria will be forwarded to the log ingestion process.

    Available parameters

    AttributesComparison operatorValue exampleDescription
    LevelEqual, MoreUrgentThan.“Error”, “Warning”, “Information”, “Security Audit Success”, and “Security Audit Failure”
    LogNameEqual, In.“System|Application|Key Management Service|Internet Explorer|Windows PowerShell”“In” can have multiple comma or pipe separated vaues.
    MessageEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist.The Value field is disabled if you select “Exist” or “NotExist”.
    SourceNameEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist.The Value field is disabled if you select “Exist” or “NotExist”.
    EventIdEqual, In, NotIn, RegexNotMatch.“In” and “NotIn” can have multiple comma or pipe separated values.

    Note: Severity level “Critical” is not supported. LogSource only supports the event types listed by Microsoft.

    Log Fields

    You can configure Log Fields (tags) to send additional metadata with the logs.

    Available parameters

    MethodKey exampleValue exampleDescription
    Static“Customer”“Customer_XYZ”
    Dynamic(REGEX)“Host”“host=*”The query will run on the message field.
    LM Property(Token)“Device”“##system.deviceId##”The DeviceID extracted from the existing device property in LogicMonitor.
    Windows Event AttributeEvent ID, LEVEL, LOG NAME, SOURCE NAME.

    Resource Mappings

    Configure the LM log property to match a monitored resource.

    Available parameters

    MethodKey exampleValue exampleDescription
    Static“Customer_Id”“1234”Text field, any value.
    Dynamic(Regex)“system.ServiceName”“service=*”The query will run on the message field.
    LM Property(Token)“##system.deviceId##”The DeviceID extracted from the existing device property in LogicMonitor.

    Note: “Key” and “Value” are mandatory items.

    Example

    Configuration example for a Windows Event Logging type of LogSource.

    Basic Information

    • Name: Windows_Events
    • Description: Data collection for Windows Events logs from monitored Windows resources.
    • AppliesTo (custom query): /* isWindows() */ 
    • Type: LM Logs: Windows Event Logging
    • Group: Windows Event Logs

    Include Filters

    AttributeComparison operatorValue
    LogNameInSystem|Application

    Log Fields

    MethodKeyValue
    AttributeLevelLevel
    AttributeSourceSourceName
    AttributeEventIDEventId
    AttributeChannelLogName

    Resource Mapping

    MethodKeyValue
    Tokensystem.deviceId##system.deviceId##
    In This Article