Join us on April 3 to Level Up Your IT Universe with LogicMonitor's Latest Innovations!

Secure your spot

    Platform

    Get real-time insights and automation for comprehensive, seamless monitoring with agentless architecture.

  • Infrastructure
    monitoring
  • Cloud monitoring
  • Digital experience
  • AIOPS

      • Solutions

      Whether you work in MSP, Enterprise IT or somewhere in between, the solution is clear.

    By Initiative
    By Industry

      About us

      Get to know LogicMonitor and our team.

    Get to know us
    Services

      Resources

      Explore our blogs, guides, case studies, eBooks, and more actionable insights to enhance your IT monitoring and observability.

    Learn

      Documentation

      Read through our documentation, check out our latest release notes, or submit a ticket to our world-class customer service team.

    Support

    Product Documentation

    Windows Event Logs Ingestion Overview

    Last updated on 01 April, 2025

    Windows Event Logs are critical for gaining visibility into system operations, user activity, and security events across Windows environments. They play a key role in diagnosing system issues, auditing access, and detecting potential threats. LogicMonitor provides flexible methods to collect and analyze these logs through two key mechanisms: LogSource and DataSource.

    • LogSource — Use as the recommended method to ingest Windows Event Logs due to its standardization, minimal resource usage, and ease of UI-based configuration. For more information, see Windows Event Logging LogSource Configuration.

    Note: LogSource requires LM Logs, an add-on service not included with the standard product. 

    • DataSource — Use for more complex environments. DataSource requires a custom setup for environments with custom data collection needs, multiple dependencies, or highly specific monitoring scenarios. 

    Windows Event Log Channels

    Before ingesting Windows Event Logs with LogSource or DataSource, you must define the Windows Event Log channels. Windows Event Log channels are logical containers used to organize and store different types of Windows Event Logs within the Windows Event Viewer. These channels help categorize logs based on their purpose, origin, or content. The Windows Event Log channels must be defined before ingesting Windows Event Logs to ensure that only relevant data is collected, performance optimization, and efficient parsing by LogicMonitor. LogSource and DataSource leverage Windows Management Instrumentation (WMI) to obtain logs from your defined log channels.

    Windows Event Log channels are defined based on whether you are utilizing LogSource or DataSource to ingest logs:

    • LogSource — Use the predefined Windows Event Logs from LogSource to define your Windows Event Log Channels. You can define these channels by targeting the fixed Windows Event channels: Application, Security, and System. This method is straightforward and uses fewer resources than DataSource, but is less customizable.
    • DataSource — You must define the channels by targeting Windows Event Logs indirectly using log data queries. This method is more complex and requires WQL queries or Groovy scripts to define custom log retrieval. DataSource requires more resources, but it is more flexible and highly customizable.

    For more information, see Windows Event Log Channels Definition for use with LM Logs.

    General Requirements for Ingesting Windows Event Logs to LogicMonitor

    To ingest Windows Event Logs, do the following:

    • TCP ports 443 and 80 must be open for secure data transmission to LogicMonitor.
    • Install and configure the Collector on a supported system to gather and transmit log data. For more information, see Adding Collector.
    • Ensure the account running the Collector service has sufficient permissions to access Windows Event Logs. For more information, see Logs Roles and Permissions.
    In This Article