Windows Event Logging LogSource Configuration
Last updated on 18 September, 2024LogSource is a LogicModule that provides templates to help you enable LM Logs and configure log data collection and forwarding. LogSource contains details about which logs to get and where to get them, and which fields should be considered for parsing. LogSource is available for common sources of log data.
Requirements
The Windows Event Logging LogSource type uses the LM Collector. When using the LM Collector with LogSource, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.
Configuration Options
The following describes configuration details specific to the Windows Event Logging type of LogSource. For general information on how to add a LogSource, see Configuring a LogSource.
Exclude Filters
You can add filters to exclude resources of certain types.
Available parameters
| Attributes | Comparison operator | Value example | Description |
| Level | Equal, MoreUrgentThan. | “Error”, “Warning”, “Information”, “Security Audit Success”, and “Security Audit Failure” | |
| LogName | Equal, In. | “System|Application|Key Management Service|Internet Explorer|Windows PowerShell” | “In” and “NotIn” can have multiple comma or pipe separated values. |
| Message | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
| SourceName | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
| EventId | Equal, In, NotIn, RegexNotMatch. | “In” and “NotIn” can have multiple comma or pipe separated values. |
Note: Severity level “Critical” is not supported. LogSource only supports the event types listed by Microsoft.
Include Filters
You can add filters to include resources of certain types, for example an application. The output matching the filter criteria will be forwarded to the log ingestion process.
Available parameters
| Attributes | Comparison operator | Value example | Description |
| Level | Equal, MoreUrgentThan. | “Error”, “Warning”, “Information”, “Security Audit Success”, and “Security Audit Failure” | |
| LogName | Equal, In. | “System|Application|Key Management Service|Internet Explorer|Windows PowerShell” | “In” can have multiple comma or pipe separated vaues. |
| Message | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
| SourceName | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
| EventId | Equal, In, NotIn, RegexNotMatch. | “In” and “NotIn” can have multiple comma or pipe separated values. |
Note: Severity level “Critical” is not supported. LogSource only supports the event types listed by Microsoft.
Log Fields
You can configure Log Fields (tags) to send additional metadata with the logs.
Available parameters
| Method | Key example | Value example | Description |
| Static | “Customer” | “Customer_XYZ” | |
| Dynamic(REGEX) | “Host” | “host=*” | The query will run on the message field. |
| LM Property(Token) | “Device” | “##system.deviceId##” | The DeviceID extracted from the existing device property in LogicMonitor. |
| Windows Event Attribute | Event ID, LEVEL, LOG NAME, SOURCE NAME. | ||
| Dynamic Group Regex | “Scheme, Login” | “(https*):\/\/([]a-z]+)” | The query runs on the message field and captures the first group value from the regex. The keys for Dynamic Group Regex can be added as a comma separated list and values are read from same number of groups. For the key and value example provided in this table, the regex results in metadata for key and value, which is, Scheme and Login. For example, The URL: https://admin:[email protected]/lm/apps/agent/mfsagent:e1?status=Up Scheme: httpsLogin: admin (username extracted from the message)Note: The Dynamic Group Regex method for log fields is available in EA Collector 36.100 and later versions. |
Resource Mappings
Configure the LM log property to match a monitored resource.
Available parameters
| Method | Key example | Value example | Description |
| Static | “Customer_Id” | “1234” | Text field, any value. |
| Dynamic(Regex) | “system.ServiceName” | “service=*” | The query will run on the message field. |
| LM Property(Token) | “##system.deviceId##” | The DeviceID extracted from the existing device property in LogicMonitor. |
Note: “Key” and “Value” are mandatory items.
Example
Configuration example for a Windows Event Logging type of LogSource.
Basic Information
- Name: Windows_Events
- Description: Data collection for Windows Events logs from monitored Windows resources.
- AppliesTo (custom query): /* isWindows() */
- Type: LM Logs: Windows Event Logging
- Group: Windows Event Logs
Include Filters
| Attribute | Comparison operator | Value |
| LogName | In | System|Application |
Log Fields
| Method | Key | Value |
| Attribute | Level | Level |
| Attribute | Source | SourceName |
| Attribute | EventID | EventId |
| Attribute | Channel | LogName |
Resource Mapping
| Method | Key | Value |
| Token | system.deviceId | ##system.deviceId## |