Windows Event Logs Ingestion Overview
Last updated on 01 April, 2025
Windows Event Logs are critical for gaining visibility into system operations, user activity, and security events across Windows environments. They play a key role in diagnosing system issues, auditing access, and detecting potential threats. LogicMonitor provides flexible methods to collect and analyze these logs through two key mechanisms: LogSource and DataSource.
- LogSource — Use as the recommended method to ingest Windows Event Logs due to its standardization, minimal resource usage, and ease of UI-based configuration. For more information, see Windows Event Logging LogSource Configuration.
Note: LogSource requires LM Logs, an add-on service not included with the standard product.
- DataSource — Use for more complex environments. DataSource requires a custom setup for environments with custom data collection needs, multiple dependencies, or highly specific monitoring scenarios.
Windows Event Log Channels
Before ingesting Windows Event Logs with LogSource or DataSource, you must define the Windows Event Log channels. Windows Event Log channels are logical containers used to organize and store different types of Windows Event Logs within the Windows Event Viewer. These channels help categorize logs based on their purpose, origin, or content. Defining the channels before ingestion ensures that only relevant data is collected, that Collector performance is not wasted on unneeded events, and that LogicMonitor can parse the logs efficiently. LogSource and DataSource leverage Windows Management Instrumentation (WMI) to obtain logs from your defined log channels.
Windows Event Log channels are defined based on whether you are utilizing LogSource or DataSource to ingest logs:
- LogSource — Use the predefined Windows Event Logs from LogSource to define your Windows Event Log Channels. You can define these channels by targeting the fixed Windows Event channels: Application, Security, and System. This method is straightforward and uses fewer resources than DataSource, but is less customizable.
- DataSource — You must define the channels by targeting Windows Event Logs indirectly using log data queries. This method is more complex and requires WQL queries or Groovy scripts to define custom log retrieval. DataSource requires more resources, but it is more flexible and highly customizable.
For more information, see Windows Event Log Channels Definition for use with LM Logs.
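As an added example that is not part of the LogicMonitor documentation, the PowerShell below builds and runs the kind of WQL query a DataSource issues against WMI's Win32_NTLogEvent class to pull events from one channel. The function names, parameters and the chosen event IDs (4625 failed logon, 4648 explicit-credential logon) are assumptions for illustration; it must run on the Collector host under an account allowed to read the channel.

```powershell
# Added example (not LogicMonitor's code): WQL retrieval of events from a classic
# Windows Event Log channel via WMI. Win32_NTLogEvent exposes only the classic
# channels (Application, Security, System, ...), not "Applications and Services Logs".

function New-EventLogWql {
    param(
        [Parameter(Mandatory)] [string] $Channel,   # Logfile name, e.g. Security
        [int[]] $EventId = @(),                     # empty = every event ID
        [int]   $LookbackMinutes = 15
    )
    # TimeGenerated is stored as a DMTF datetime string, so the lower bound
    # must be converted to that format before it can be compared in WQL.
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
        (Get-Date).AddMinutes(-$LookbackMinutes))
    $where = "Logfile='$Channel' AND TimeGenerated>='$since'"
    if ($EventId.Count -gt 0) {
        # WQL has no IN operator; OR the IDs together inside parentheses.
        $idClause = ($EventId | ForEach-Object { "EventCode=$_" }) -join ' OR '
        $where += " AND ($idClause)"
    }
    return "SELECT Logfile,EventCode,TimeGenerated,SourceName,Message " +
           "FROM Win32_NTLogEvent WHERE $where"
}

function Get-ChannelEvents {
    param([string] $Channel, [int[]] $EventId = @(), [int] $LookbackMinutes = 15)
    $wql = New-EventLogWql -Channel $Channel -EventId $EventId -LookbackMinutes $LookbackMinutes
    # Get-CimInstance accepts WQL directly; the same query text can be reused
    # from a Groovy-based DataSource that calls WMI.
    Get-CimInstance -Query $wql |
        Select-Object TimeGenerated, Logfile, EventCode, SourceName,
            @{ n = 'Message'; e = {
                # Message can be null; collapse whitespace and trim for a table view.
                $m = ([string] $_.Message) -replace '\s+', ' '
                if ($m.Length -gt 120) { $m.Substring(0, 120) + '...' } else { $m }
            } }
}

# Narrow filters (one channel, a few event IDs, short window) keep WMI polling
# cheap; reading the Security channel requires membership in Administrators or
# Event Log Readers on the host.
Get-ChannelEvents -Channel 'Security' -EventId 4625, 4648 | Format-Table -AutoSize
```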
General Requirements for Ingesting Windows Event Logs to LogicMonitor
To ingest Windows Event Logs, do the following:
- Ensure TCP ports 443 and 80 are open for secure data transmission to LogicMonitor.
- Install and configure the Collector on a supported system to gather and transmit log data. For more information, see Adding Collector.
- Ensure the account running the Collector service has sufficient permissions to access Windows Event Logs. For more information, see Logs Roles and Permissions.