Windows Event Logs Ingestion using the Windows Events DataSource

Last updated on 11 June, 2025

Recommendation: If this is the first time you are configuring Windows Events log ingestion, use the LogSource template. LogSource contains details about which logs to get, where to get them, and which fields should be considered for parsing. For more information, see LogSource Configuration.

The Windows_Events_LMLogs DataSource retrieves the logs using Windows Management Instrumentation (WMI) and pushes them to LM Logs using a BatchScript collection method. The log data is added to the metric payload and polled every 60 seconds, with a batch limit of 5000. If the number of events exceeds 5000, the DataSource sends the logs in batches of 5000 events. Because of this, there is no collector setup needed for Windows Event Log setup.

Recommendation: Because there is no LM Collector setup needed, you should review the health of the LM Collectors monitoring your Windows servers.

Note: Batching the events should not alter the timestamps of the events when they are received. The timestamps viewed in LM Logs are the Windows Event Timestamp.

When you initially set up the DataSource, it pre-parses the following metadata fields:

  • EventID
  • EventType
    Note: Severity level “Critical” is not supported. LogSource only supports Error, Warning, Information, Success Audit, and Failure Audit event types. For more information, see Event Types from Microsoft.
  • Channel Name

Recommendation: If you set up multiple DataSource configurations, you will receive duplicate logs. If this occurs, delete the other DataSource.

Required Properties to Activate a DataSource Configuration

Property | Description
lmaccess.id | LogicMonitor logs ingestion API access ID
lmaccess.key | LogicMonitor logs ingestion API access key
lmlogs.winevent.channels | You must specify the Windows Events channels within this property. This contains the list of log files that you want to send to LM Logs, comma separated and with no spaces.
For example, you can use the following:
  • application
  • system
  • security
This configuration uses the standard Windows Event channels.

Note: lmaccess.id and lmaccess.key are LogicMonitor API Tokens that must have permissions to send logs to LM Logs.

Requirements for Ingesting Windows Event Logs

To ingest Windows Event Logs, you need the following:

  • A LogicMonitor LMV1 API token, which is a key-based authentication that allows you to authenticate API calls to the LogicMonitor platform. It uses a key pair that consists of the Access ID and Access Key. If you have not created a LogicMonitor API token, see Adding an API Token for details.
  • Windows servers as a managed resource. Your Windows servers must exist in LM as a managed resource and exist in the resource tree. This allows for easy ingestion since LogicMonitor will already have the necessary WMI credentials to pull the Windows Event logs.
  • The Windows_Events_LMLogs DataSource installed. This LogicModule is available in your LogicMonitor portal. Navigate to Modules and search for the Windows_Events_LMLogs DataSource. For more information about installing the module, see Module Installation.
  • Designated log file names for logs sent to LogicMonitor.
  • The following API properties identified:

Note: Some event logs may not be automatically recognized by LogicMonitor. You must create them in the Windows Registry if this happens. For more information, see Eventlog Key from Windows.
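
Example (added here, not LogicMonitor code): a pre-flight check to run on the Windows server before setting the properties. It validates a sample lmlogs.winevent.channels value, confirms that each channel is exposed through WMI and has an Eventlog registry key, and compares the last 60 seconds of events with the 5000-event batch limit. The variable names and the sample channel list are assumptions.

```powershell
# Added example, not LogicMonitor code. Run in an elevated session on the Windows server.
# Sample value for the lmlogs.winevent.channels property you plan to set.
$ChannelsProperty = 'application,system,security'
$BatchLimit  = 5000   # batch limit stated in this article
$PollSeconds = 60     # polling interval stated in this article

# The property must be comma separated with no spaces.
if ($ChannelsProperty -match '\s') {
    throw "lmlogs.winevent.channels contains whitespace: '$ChannelsProperty'"
}
$channels = $ChannelsProperty.Split(',') | Where-Object { $_ -ne '' }

# Event logs that WMI exposes on this host (one Win32_NTEventlogFile per log).
$wmiLogs = (Get-CimInstance -ClassName Win32_NTEventlogFile).LogfileName

$since = (Get-Date).AddSeconds(-$PollSeconds)
# Keyword that marks Security "Audit Success" events.
$auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess

$report = foreach ($channel in $channels) {
    $visible = $wmiLogs -contains $channel   # -contains is case-insensitive
    $regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$channel"
    $recent  = 0
    $success = 0
    if ($visible) {
        # Get-WinEvent raises an error when nothing matches; treat that as zero events.
        $recent = @(Get-WinEvent -FilterHashtable @{
                LogName = $channel; StartTime = $since
            } -ErrorAction SilentlyContinue).Count
        $success = @(Get-WinEvent -FilterHashtable @{
                LogName = $channel; StartTime = $since; Keywords = $auditSuccess
            } -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]@{
        Channel          = $channel
        VisibleToWmi     = $visible
        RegistryKeyFound = Test-Path -Path $regKey
        EventsLastPoll   = $recent
        AuditSuccess     = $success
        BatchesNeeded    = [math]::Ceiling($recent / $BatchLimit)
    }
}
$report | Format-Table -AutoSize
```

A channel reported with VisibleToWmi or RegistryKeyFound set to False is a candidate for the registry step in the note above. A high AuditSuccess count shows how much volume the security audit success level would add.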

Configuring the Windows Events DataSource to Ingest Windows Event Logs

Recommendation: When configuring the DataSource, exclude the security audit success log level. This log level creates a high volume of logs and generally does not add significant value for troubleshooting purposes.

  1. Use the existing Windows_Events_LMLogs DataSource, or create the Windows Event DataSource.
  2. In LogicMonitor, select Resource Tree. Navigate to the Windows resource you want to ingest logs from.
  3. Select Manage Properties and add the properties listed in Required Properties to Activate a DataSource Configuration.

After the properties are applied for the DataSource, the Windows Events for each of the specified Channels are pushed to LM Logs. Navigate to Resources to see the Channels listed as discovered instances for Windows_Events_LMLogs.

When viewing the graphs for the instances, the LM Logs API response codes only return data on the instance corresponding to the first channel listed in the device property. This ensures that response codes trigger a single alert, rather than one for each DataSource instance. This is because the DataSource makes one API request for all instances together instead of individually.

The DataSource is configured to trigger a Warning alert if the Response Code is greater than 207.
