Support Center Home

Collecting and Forwarding Windows Events Logs

LogicMonitor can detect and alert on events recorded in most Windows Events Logs. The LogicMonitor Collector has the capability to receive and forward Windows Events Logs to the LM Logs Ingestion API. 

This is an alternative to using the Windows Events Logs DataSource for log ingestion, which is the recommended method for collecting Windows Event Logs.

Prerequisites

  • EA Collector 30.100 or later installed.
  • Properties such as WMI user name and password are fetched from device properties, so the device needs to be monitored by the same Collector which ingests the logs.
  • If you previously configured Windows Event Collection via EventSources retrieved by the API, remove the credentials from the group/resource to avoid conflicts.

Enable Windows Events Logs forwarding

Required configurations

Add or edit the following properties to turn on Windows Events Logs forwarding to LM Logs:

Property Description
lmlogs.windowseventlogs.enabled=true Add this property to the Collector’s agent.conf to enable the log collection for Windows Event Logs. Default is false.
lmlogs.winevents.enable=true Add this custom property on the monitored Windows device, at the Group or Resource level, to enable log collection for Windows Events for this device.

Optional configurations

The following are optional configurations you can add or edit in the Collector’s agent.conf. These configuration lines are only necessary if you want to change the default settings.

Property Description
lmlogs.windowseventlogs.pollinterval=1 Polling interval in minutes. Default is 1 minute.
lmlogs.thread.count.for.ingest.api.communication=10 Thread count for log ingestion. Default is 10.
effectiveInterval=60 Effective interval in seconds. Default is 60 seconds.
suppressDuplicatesES=false Configure suppression for duplicate events. Default is false.

Configure filters to remove logs

We recommend that you configure filters to remove log messages that contain sensitive information (such as credit cards, phone numbers, or personal identifiers) so that they are not sent to LogicMonitor. Filters can also be used to reduce the volume of non-essential log messages that are sent to the logs ingestion API queue.

The filtering criteria for Windows Events Logs collection are based on the following fields: eventID, level, log name, message, and sourcename. When configuring filters:

  • Uncomment the configuration line to enable a filter.
  • The filters are evaluated in order by their serial number.
  • Use commas to separate multiple text values and the pipe character to separate multiple numeric values.
Filter Name Description Examples
EVENTID Define filters based on specific or sets of event IDs. logsource.winevents.filter.21.EVENTID.Equal=4625
logsource.winevents.filter.22.EVENTID.In=4625|4621|4620
logsource.winevents.filter.23.EVENTID.NotIn=4625|4621|4620
logsource.winevents.filter.24.EVENTID.RegexNotMatch=46[0-5]
LEVEL Define filters based on the Event levels. Event Levels sent by default are: Critical, Error, Warning.

Information levels are not collected, unless there is a filter set that explicitly includes them		 Collect only Warning level events:
#logsource.winevents.filter.1.LEVEL.Equal=Warning

Collect only Error and Critical level events:
#logsource.winevents.filter.2.LEVEL.MoreUrgentThan=Warning
LOGNAME Configure filters based on the Windows Events channels. Channels sent by default are: Application, Security, and System. Collect only System channel logs:
#logsource.winevents.filter.11.LOGNAME.Equal=System

Collect only Application and Security channel logs: #logsource.winevents.filter.12.LOGNAME.NotEqual=System
MESSAGE Configure filters based on the contents of the message itself, using keywords or a regular expression pattern to match. # logsource.winevents.filter.3.MESSAGE.Equal=logon
# logsource.winevents.filter.4.MESSAGE.NotEqual=logon
# logsource.winevents.filter.5.MESSAGE.Contain=logon
# logsource.winevents.filter.6.MESSAGE.NotContain=logon
# logsource.winevents.filter.7.MESSAGE.RegexMatch=(logon)+w
# logsource.winevents.filter.8.MESSAGE.Regexnotmatch=(logon)+w
# logsource.winevents.filter.9.MESSAGE.Exist=*
# logsource.winevents.filter.10.MESSAGE.NotExist=*
SOURCENAME Configure filters based on the source name, using keywords or a regular expression pattern to match # logsource.winevents.filter.13.SOURCENAME.Equal=logon
# logsource.winevents.filter.14.SOURCENAME.NotEqual=logon
# logsource.winevents.filter.15.SOURCENAME.Contain=logon
# logsource.winevents.filter.16.SOURCENAME.NotContain=logon
# logsource.winevents.filter.17.SOURCENAME.RegexMatch=(logon)+\w
# logsource.winevents.filter.18.SOURCENAME.RegexNotMatch=(logon)+\w
# logsource.winevents.filter.19.SOURCENAME.Exist=*
# logsource.winevents.filter.20.SOURCENAME.NotExist=*

In This Article