Collecting and Forwarding Windows Events Logs

LogicMonitor can detect and alert on events recorded in most Windows Events Logs. The LogicMonitor Collector has the capability to receive and forward Windows Events Logs to the LM Logs Ingestion API. This is an alternative to using the Windows Events Logs DataSource for log ingestion.

Prerequisites

  • EA Collector 30.100 or later installed.
  • Properties such as the WMI user name and password are read from the device properties, so the device must be monitored by the same Collector that ingests its logs.
  • If you previously configured Windows Event Collection via EventSources retrieved by the API, remove the credentials from the group/resource to avoid conflicts.

Enable Windows Events Logs forwarding

Required configurations

Add or edit the following properties to turn on Windows Events Logs forwarding to LM Logs:

  • lmlogs.windowseventlogs.enabled=true
    Add this property to the Collector’s agent.conf to enable log collection for Windows Event Logs. Default is false.
  • lmlogs.winevents.enable=true
    Add this custom property on the monitored Windows device, at the Group or Resource level, to enable log collection for Windows Events for that device.

Optional configurations

The following are optional configurations you can add or edit in the Collector’s agent.conf. These configuration lines are only necessary if you want to change the default settings.

  • lmlogs.windowseventlogs.pollinterval=1
    Polling interval in minutes. Default is 1 minute.
  • lmlogs.thread.count.for.ingest.api.communication=10
    Thread count for log ingestion. Default is 10.
  • effectiveInterval=60
    Effective interval in seconds. Default is 60 seconds.
  • suppressDuplicatesES=false
    Configure suppression of duplicate events. Default is false.

Configure filters to remove logs

We recommend that you configure filters to remove log messages that contain sensitive information (such as credit card numbers, phone numbers, or personal identifiers) so that they are never sent to LogicMonitor. Filters can also be used to reduce the volume of non-essential log messages that are sent to the log ingestion API queue.

The filtering criteria for Windows Events Logs collection are based on the following fields: eventID, level, log name, message, and sourcename. When configuring filters:

  • Uncomment the configuration line to enable a filter.
  • The filters are evaluated in order by their serial number.
  • Use commas to separate multiple text values and the pipe character to separate multiple numeric values.
  • EVENTID: Define filters based on specific event IDs or sets of event IDs. Examples:
      logsource.winevents.filter.21.EVENTID.Equal=4625
      logsource.winevents.filter.22.EVENTID.In=4625|4621|4620
      logsource.winevents.filter.23.EVENTID.NotIn=4625|4621|4620
      logsource.winevents.filter.24.EVENTID.RegexNotMatch=46[0-5]
  • LEVEL: Define filters based on the event levels. Event levels sent by default are Critical, Error, and Warning. Information-level events are not collected, and they will not be collected even if a filter is set. Examples:
      Collect only Warning level events:
      #logsource.winevents.filter.1.LEVEL.Equal=Warning
      Collect only Error and Critical level events:
      #logsource.winevents.filter.2.LEVEL.MoreUrgentThan=Warning
  • LOGNAME: Configure filters based on the Windows Events channels. Channels sent by default are Application, Security, and System. Examples:
      Collect only System channel logs:
      #logsource.winevents.filter.11.LOGNAME.Equal=System
      Collect only Application and Security channel logs:
      #logsource.winevents.filter.12.LOGNAME.NotEqual=System
  • MESSAGE: Configure filters based on the contents of the message itself, using keywords or a regular expression pattern to match. Examples:
      #logsource.winevents.filter.3.MESSAGE.Equal=logon
      #logsource.winevents.filter.4.MESSAGE.NotEqual=logon
      #logsource.winevents.filter.5.MESSAGE.Contain=logon
      #logsource.winevents.filter.6.MESSAGE.NotContain=logon
      #logsource.winevents.filter.7.MESSAGE.RegexMatch=(logon)+\w
      #logsource.winevents.filter.8.MESSAGE.RegexNotMatch=(logon)+\w
      #logsource.winevents.filter.9.MESSAGE.Exist=*
      #logsource.winevents.filter.10.MESSAGE.NotExist=*
  • SOURCENAME: Configure filters based on the source name, using keywords or a regular expression pattern to match. Examples:
      #logsource.winevents.filter.13.SOURCENAME.Equal=logon
      #logsource.winevents.filter.14.SOURCENAME.NotEqual=logon
      #logsource.winevents.filter.15.SOURCENAME.Contain=logon
      #logsource.winevents.filter.16.SOURCENAME.NotContain=logon
      #logsource.winevents.filter.17.SOURCENAME.RegexMatch=(logon)+\w
      #logsource.winevents.filter.18.SOURCENAME.RegexNotMatch=(logon)+\w
      #logsource.winevents.filter.19.SOURCENAME.Exist=*
      #logsource.winevents.filter.20.SOURCENAME.NotExist=*
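As an added illustration (not LogicMonitor's Collector code), the following Python simulator shows how a set of filter lines in the syntax above behaves: it parses the enabled lines in serial order, evaluates each operator, and forwards an event only when every enabled filter passes. The sample filters, the severity ordering used for MoreUrgentThan, and the "all enabled filters must pass" combination rule are assumptions made for this example; the last sample filter drops messages carrying a card-number-like digit run, as the sensitive-data recommendation above suggests.

```python
import re

# Sample filter lines in the agent.conf syntax from the table above, already
# uncommented so they are active (constructed for this example).
SAMPLE_FILTERS = r"""
logsource.winevents.filter.1.LEVEL.MoreUrgentThan=Information
logsource.winevents.filter.2.LOGNAME.In=Security,System
logsource.winevents.filter.3.EVENTID.NotIn=4624|4634
logsource.winevents.filter.4.MESSAGE.RegexNotMatch=\b(?:\d[ -]?){13,16}\b
"""

# Assumed severity ordering for MoreUrgentThan (Information is never collected).
LEVEL_RANK = {"Information": 0, "Warning": 1, "Error": 2, "Critical": 3}
FILTER_RE = re.compile(r"^logsource\.winevents\.filter\.(\d+)\.(\w+)\.(\w+)=(.*)$")

# One predicate per operator; '|' separates numeric list values, ',' text values.
OPS = {
    "equal": lambda s, v: s == v,
    "notequal": lambda s, v: s != v,
    "in": lambda s, v: s in re.split(r"[|,]", v),
    "notin": lambda s, v: s not in re.split(r"[|,]", v),
    "contain": lambda s, v: v in s,
    "notcontain": lambda s, v: v not in s,
    "regexmatch": lambda s, v: re.search(v, s) is not None,
    "regexnotmatch": lambda s, v: re.search(v, s) is None,
    "exist": lambda s, v: s != "",
    "notexist": lambda s, v: s == "",
    "moreurgentthan": lambda s, v: LEVEL_RANK.get(s, -1) > LEVEL_RANK.get(v, -1),
}


def parse_filters(text):
    """Return enabled filters as (serial, field, op, value), ordered by serial number."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # a commented line is a disabled filter
            continue
        m = FILTER_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2).upper(), m.group(3).lower(), m.group(4)))
    return sorted(rules)


def matches(op, actual, value):
    """Evaluate one filter operator against a field value (missing field -> '')."""
    return OPS[op]("" if actual is None else str(actual), value)


def should_forward(event, rules):
    """Forward an event only when every enabled filter passes (assumed AND semantics)."""
    return all(matches(op, event.get(field.lower()), value) for _, field, op, value in rules)
```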