Collecting and Forwarding Windows Events Logs
Last Updated: 13 January, 2022LogicMonitor can detect and alert on events recorded in most Windows Events Logs. The LogicMonitor Collector has the capability to receive and forward Windows Events Logs to the LM Logs Ingestion API.
This is an alternative to using the Windows Events Logs DataSource for log ingestion, which is the recommended method for collecting Windows Event Logs.
Prerequisites
- EA Collector 30.100 or later installed.
- Properties such as WMI user name and password are fetched from device properties, so the device needs to be monitored by the same Collector which ingests the logs.
- If you previously configured Windows Event Collection via EventSources retrieved by the API, remove the credentials from the group/resource to avoid conflicts.
Enable Windows Events Logs forwarding
Required configurations
Add or edit the following properties to turn on Windows Events Logs forwarding to LM Logs:
| Property | Description |
| lmlogs.windowseventlogs.enabled=true | Add this property to the Collector’s agent.conf to enable the log collection for Windows Event Logs. Default is false. |
| lmlogs.winevents.enable=true | Add this custom property on the monitored Windows device, at the Group or Resource level, to enable log collection for Windows Events for this device. |
Optional configurations
The following are optional configurations you can add or edit in the Collector’s agent.conf. These configuration lines are only necessary if you want to change the default settings.
| Property | Description |
| lmlogs.windowseventlogs.pollinterval=1 | Polling interval in minutes. Default is 1 minute. |
| lmlogs.thread.count.for.ingest.api.communication=10 | Thread count for log ingestion. Default is 10. |
| effectiveInterval=60 | Effective interval in seconds. Default is 60 seconds. |
| suppressDuplicatesES=false | Configure suppression for duplicate events. Default is false. |
Configure filters to remove logs
We recommend that you configure filters to remove log messages that contain sensitive information (such as credit cards, phone numbers, or personal identifiers) so that they are not sent to LogicMonitor. Filters can also be used to reduce the volume of non-essential log messages that are sent to the logs ingestion API queue.
The filtering criteria for Windows Events Logs collection are based on the following fields: eventID, level, log name, message, and sourcename. When configuring filters:
- Uncomment the configuration line to enable a filter.
- The filters are evaluated in order by their serial number.
- Use commas to separate multiple text values and the pipe character to separate multiple numeric values.
| Filter Name | Description | Examples |
EVENTID |
Define filters based on specific or sets of event IDs. | logsource.winevents.filter.21.EVENTID.Equal=4625 logsource.winevents.filter.22.EVENTID.In=4625|4621|4620 logsource.winevents.filter.23.EVENTID.NotIn=4625|4621|4620 logsource.winevents.filter.24.EVENTID.RegexNotMatch=46[0-5] |
LEVEL |
Define filters based on the Event levels. Event Levels sent by default are: Critical, Error, Warning. Information levels are not collected, unless there is a filter set that explicitly includes them |
Collect only Warning level events: #logsource.winevents.filter.1.LEVEL.Equal=Warning Collect only Error and Critical level events: #logsource.winevents.filter.2.LEVEL.MoreUrgentThan=Warning |
LOGNAME |
Configure filters based on the Windows Events channels. Channels sent by default are: Application, Security, and System. | Collect only System channel logs: #logsource.winevents.filter.11.LOGNAME.Equal=System Collect only Application and Security channel logs: #logsource.winevents.filter.12.LOGNAME.NotEqual=System |
MESSAGE |
Configure filters based on the contents of the message itself, using keywords or a regular expression pattern to match. | # logsource.winevents.filter.3.MESSAGE.Equal=logon # logsource.winevents.filter.4.MESSAGE.NotEqual=logon # logsource.winevents.filter.5.MESSAGE.Contain=logon # logsource.winevents.filter.6.MESSAGE.NotContain=logon # logsource.winevents.filter.7.MESSAGE.RegexMatch=(logon)+w # logsource.winevents.filter.8.MESSAGE.Regexnotmatch=(logon)+w # logsource.winevents.filter.9.MESSAGE.Exist=* # logsource.winevents.filter.10.MESSAGE.NotExist=* |
SOURCENAME |
Configure filters based on the source name, using keywords or a regular expression pattern to match | # logsource.winevents.filter.13.SOURCENAME.Equal=logon # logsource.winevents.filter.14.SOURCENAME.NotEqual=logon # logsource.winevents.filter.15.SOURCENAME.Contain=logon # logsource.winevents.filter.16.SOURCENAME.NotContain=logon # logsource.winevents.filter.17.SOURCENAME.RegexMatch=(logon)+\w # logsource.winevents.filter.18.SOURCENAME.RegexNotMatch=(logon)+\w # logsource.winevents.filter.19.SOURCENAME.Exist=* # logsource.winevents.filter.20.SOURCENAME.NotExist=* |