Join fellow LogicMonitor users at the Elevate Community Conference and get hands-on with our latest product innovations.

Register Now

Platform

Get real-time insights and automation for comprehensive, seamless monitoring with agentless architecture.

Platform Overview
Infrastructure Monitoring
Cloud Monitoring
Digital Experience
AIOPS

Solutions

Whether you work in MSP, Enterprise IT or somewhere in between, the solution is clear.

Solutions Overview
By Initiative
By Industry

Resources

Explore our blogs, guides, case studies, eBooks, and more actionable insights to enhance your IT monitoring and observability.

View Resources
Learn

About us

Get to know LogicMonitor and our team.

About us
Get to know us
Services

Documentation

Read through our documentation, check out our latest release notes, or submit a ticket to our world-class customer service team.

View Resources
Support
TRY IT FREE
ON DEMAND DEMO

Product Documentation

Windows Event Logs Ingestion Overview

Last updated on 01 April, 2025

Windows Event Logs are critical for gaining visibility into system operations, user activity, and security events across Windows environments. They play a key role in diagnosing system issues, auditing access, and detecting potential threats. LogicMonitor provides flexible methods to collect and analyze these logs through two key mechanisms: LogSource and DataSource.

  • LogSource — Use as the recommended method to ingest Windows Event Logs due to its standardization, minimal resource usage, and ease of UI-based configuration. For more information, see Windows Event Logging LogSource Configuration.

Note: LogSource requires LM Logs, an add-on service not included with the standard product. 

  • DataSource — Use for more complex environments. DataSource requires a custom setup for environments with custom data collection needs, multiple dependencies, or highly specific monitoring scenarios. 

Windows Event Log Channels

Before ingesting Windows Event Logs with LogSource or DataSource, you must define the Windows Event Log channels. Windows Event Log channels are logical containers used to organize and store different types of Windows Event Logs within the Windows Event Viewer. These channels help categorize logs based on their purpose, origin, or content. The Windows Event Log channels must be defined before ingesting Windows Event Logs to ensure that only relevant data is collected, performance optimization, and efficient parsing by LogicMonitor. LogSource and DataSource leverage Windows Management Instrumentation (WMI) to obtain logs from your defined log channels.

Windows Event Log channels are defined based on whether you are utilizing LogSource or DataSource to ingest logs:

  • LogSource — Use the predefined Windows Event Logs from LogSource to define your Windows Event Log Channels. You can define these channels by targeting the fixed Windows Event channels: Application, Security, and System. This method is straightforward and uses fewer resources than DataSource, but is less customizable.
  • DataSource — You must define the channels by targeting Windows Event Logs indirectly using log data queries. This method is more complex and requires WQL queries or Groovy scripts to define custom log retrieval. DataSource requires more resources, but it is more flexible and highly customizable.

For more information, see Windows Event Log Channels Definition for use with LM Logs.

General Requirements for Ingesting Windows Event Logs to LogicMonitor

To ingest Windows Event Logs, do the following:

  • TCP ports 443 and 80 must be open for secure data transmission to LogicMonitor.
  • Install and configure the Collector on a supported system to gather and transmit log data. For more information, see Adding Collector.
  • Ensure the account running the Collector service has sufficient permissions to access Windows Event Logs. For more information, see Logs Roles and Permissions.
In This Article

Start Your Trial

Full access to the LogicMonitor platform.
Comprehensive monitoring and alerting for unlimited devices.