Windows Event Log Channels Definition for use with LM Logs
Last updated on 02 April, 2025
To ingest Windows Event logs into LM Logs using a DataSource, you must define which Windows Event Log channels to collect. Windows Event Log channels are predefined or custom categories used to organize and store different types of Windows Event Logs within the Windows Event Viewer. These channels group logs based on their purpose, origin, or content.
You can configure LogicModules to pull logs from the standard Windows Event Log channels (Security, System, and Application) or from custom channels created by Windows components and third-party applications. Collecting the standard channels is considered best practice, but you can add custom channels for specific use cases.
Requirements for Identifying the Windows Event Log Channels
To identify Windows Event Log Channels, you need the following:
- You must have administrative privileges on the Windows machine you are using to identify Event Log channels. This is necessary to access and modify log settings in the Event Viewer and to execute the PowerShell commands below (some channels, including Security, return access errors when the enumeration is not run elevated).
- You must use a Windows machine that is able to execute PowerShell commands. If you are enumerating channels on a remote machine, the remote Event Log service must be reachable: the account needs administrative rights on the remote machine and the "Remote Event Log Management" firewall rule group must be enabled there. Get-WinEvent -ComputerName and wevtutil /remote use this Event Log RPC interface, not PowerShell remoting (WinRM).
Defining the Windows Event Log Channels
Use the following PowerShell commands to retrieve available Windows Event Log channels. These are used as the channel definitions in your Windows Event DataSource configuration.
- Enter one of the following commands into PowerShell as an administrator:
- To see channels listed in the standard order, run the following command:
Get-WinEvent -ListLog *
- To sort more active channels to the top of the list, run the following command:
Get-WinEvent -ListLog * | sort RecordCount -Descending
- To see channels present on a remote computer, run the following command, replacing the placeholder with the remote host name:
Get-WinEvent -ListLog * -ComputerName <RemoteComputer>
- Review the output. It lists the channels along with the number of event records currently in each channel (RecordCount). Channels with a RecordCount of 0 are present but have no events to collect.
- In the output, the LogName column contains the channel names to enter as values in the lmlogs.winevent.channels property on your Windows Servers or Groups.
Alternatively, you can obtain a list of channel names from the Command Line by running one of the following commands:
- To obtain a list of channel names on your local machine run the following command:
rem List channels on the local system
wevtutil.exe enum-logs
- To obtain a list of channel names on a remote machine, run the following command, replacing the placeholder with the remote host name:
rem List channels on a remote system
wevtutil.exe enum-logs /remote:<RemoteComputer>
- Enter the channel names into the relevant field, depending on the LogicModule you are using (for example, LogSource or DataSource). Ensure that channel names are comma-separated with no spaces after the commas. Copy each name exactly as it appears in the LogName column: channel names such as Windows PowerShell legitimately contain a space, and a misspelled channel name simply yields no logs rather than an error.
The following is an example of a configuration that collects events from the three standard channels and the five most active custom channels on a sample machine:
Application,System,Security,Microsoft-Windows-Store/Operational,Microsoft-Windows-GroupPolicy/Operational,Microsoft-Windows-StateRepository/Operational,Windows PowerShell,Microsoft-Windows-AppXDeploymentServer/Operational
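The procedure above can be scripted end to end. The following PowerShell script is an added example and is not part of the LogicMonitor documentation or product: it enumerates the channels on a host, picks the most active enabled custom channels, prepends the three standard channels, validates that every name resolves on that host, and emits the comma-separated value for the lmlogs.winevent.channels property. The parameter names (ComputerName, TopCustom) are this example's own; running it elevated and, for a remote host, having the "Remote Event Log Management" firewall rule group open are assumptions.

```powershell
# Added example (not from the LogicMonitor page): build and validate a value for the
# lmlogs.winevent.channels property from the channels present on a host.
# Assumptions: run elevated; for a remote host, the account is an administrator there and the
# "Remote Event Log Management" firewall rule group is enabled on the target.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # host to enumerate (local by default)
    [int]$TopCustom = 5                          # how many custom channels to add
)

$standard = @('Application', 'System', 'Security')

# Enumerate every channel. Some channels raise access errors even when elevated, so
# suppress per-channel errors rather than aborting the whole enumeration.
$logs = Get-WinEvent -ListLog * -ComputerName $ComputerName -ErrorAction SilentlyContinue

# Most active custom channels: enabled, holding at least one record, and not one of the
# standard three. RecordCount can be null on disabled channels, hence the -gt 0 filter.
$custom = $logs |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 -and $standard -notcontains $_.LogName } |
    Sort-Object RecordCount -Descending |
    Select-Object -First $TopCustom

$channels = $standard + @($custom | ForEach-Object LogName)

# Validate each name individually before it goes into the property: a channel name that does
# not exist on the host produces no logs and no error at collection time.
$missing = foreach ($name in $channels) {
    try   { $null = Get-WinEvent -ListLog $name -ComputerName $ComputerName -ErrorAction Stop }
    catch { $name }
}
if ($missing) {
    Write-Warning "Channels not found on ${ComputerName}: $($missing -join ', ')"
}

# LM expects a comma-separated list with no spaces after the commas. Names are kept verbatim,
# including internal spaces such as in "Windows PowerShell".
$propertyValue = $channels -join ','
Write-Output $propertyValue
```

Run the script elevated on the collector or target server (`.\Get-LmChannels.ps1` locally, or `.\Get-LmChannels.ps1 -ComputerName <RemoteComputer>` for a remote host, where the file name is this example's own choice) and paste the single output line into the lmlogs.winevent.channels property. The validation loop matters most when the list is assembled on one machine and applied to a group of servers: a channel that exists on the machine you enumerated may be absent on others in the group, and the warning is the only indication you will get.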