
Windows Event Logging LogSource Configuration

Last updated on 01 April, 2025

LogSource is a LogicModule that provides streamlined log data collection, forwarding, and parsing. It contains predefined templates that simplify the process of enabling LM Logs and configuring log ingestion. LogSource enables you to specify which logs to collect, their sources, and the key fields for parsing, and it ships with templates for a wide range of common log sources.

LogSource is the recommended method to collect logs because it requires fewer system resources. 

The following describes configuration details specific to the Windows Event Logging type of LogSource. For general information on how to add a LogSource, see LogSource Configuration.

Exclude Filters

When configuring LogSource, you can filter log collection by using the following Exclude Filter parameters. Events that match an exclude filter are dropped before they are forwarded, which removes unnecessary data and reduces the load on your environment.

Each attribute, the comparison operators it accepts, and example values:

Level
  Comparison operators: Equal, MoreUrgentThan
  Value examples: "Error", "Warning", "Information", "Security Audit Success", and "Security Audit Failure"

LogName
  Comparison operators: Equal, In
  Value example: "System|Application|Key Management Service|Internet Explorer|Windows PowerShell"
  Description: "In" and "NotIn" can take multiple comma- or pipe-separated values.

Message
  Comparison operators: Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
  Description: The Value field is disabled if you select "Exist" or "NotExist".

SourceName
  Comparison operators: Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
  Description: The Value field is disabled if you select "Exist" or "NotExist".

EventId
  Comparison operators: Equal, In, NotIn, RegexNotMatch
  Description: "In" and "NotIn" can take multiple comma- or pipe-separated values.

Note: The Critical severity level is not supported, because LogSource only supports event types listed by Microsoft. For details, see Event Types.

Include Filters

When configuring LogSource, you can add Include Filter parameters to select which events are collected, for example those from particular applications or channels. Only data that matches the include filter criteria is forwarded to the log ingestion process.

Each attribute, the comparison operators it accepts, and example values:

Level
  Comparison operators: Equal, MoreUrgentThan
  Value examples: "Error", "Warning", "Information", "Security Audit Success", and "Security Audit Failure"

LogName
  Comparison operators: Equal, In
  Value example: "System|Application|Key Management Service|Internet Explorer|Windows PowerShell"
  Description: "In" can take multiple comma- or pipe-separated values.

Message
  Comparison operators: Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
  Description: The Value field is disabled if you select "Exist" or "NotExist".

SourceName
  Comparison operators: Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist
  Description: The Value field is disabled if you select "Exist" or "NotExist".

EventId
  Comparison operators: Equal, In, NotIn, RegexNotMatch
  Description: "In" and "NotIn" can take multiple comma- or pipe-separated values.

Note: The Critical severity level is not supported, because LogSource only supports event types listed by Microsoft. For details, see Event Types.

Log Fields

You can configure Log Fields (tags) to send additional metadata with the logs.

Each method, with an example key and value:

Static
  Key example: "Customer"
  Value example: "Customer_XYZ"

Dynamic (Regex)
  Key example: "Host"
  Value example: "host=*"
  Description: The query runs on the message field.

LM Property (Token)
  Key example: "Device"
  Value example: "##system.deviceId##"
  Description: The device ID is read from the existing device property in LogicMonitor.

Windows Event Attribute
  Key examples: Event ID, LEVEL, LOG NAME, SOURCE NAME

Dynamic Group Regex
  Key example: "Scheme, Login"
  Value example: "(https*):\/\/([]a-z]+)"
  Description: The query runs on the message field and captures the group values from the regex, starting with the first group. The keys for Dynamic Group Regex can be given as a comma-separated list, and the values are read from the same number of capture groups, in order.

For the key and value example in this table, the regex yields metadata for the keys Scheme and Login. For example, with a message containing the URL
  https://admin:[email protected]/lm/apps/agent/mfsagent:e1?status=Up
the resulting fields are:
  Scheme: https
  Login: admin (the username extracted from the message)

Note: The Dynamic Group Regex method for log fields is available in EA Collector 36.100 and later versions.
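To see how the Dynamic Group Regex method turns one regex with several capture groups into several tags, here is an added PowerShell example (not LogicMonitor's or the Collector's code) that emulates the mapping with the .NET regex engine, using the table's own keys and pattern. The function name Get-DynamicGroupRegexFields, the sample message, and the host name and password inside it are constructed for this example and do not come from the page.

```powershell
# Added example (not LogicMonitor's code): emulate how a Dynamic Group Regex
# log field maps its comma-separated keys onto the regex capture groups.
# Keys come from the "Key" column, values from groups 1..N of the pattern,
# in order, as the Log Fields table above describes.
function Get-DynamicGroupRegexFields {
    param(
        [Parameter(Mandatory)] [string] $Message,
        [Parameter(Mandatory)] [string] $Keys,     # e.g. "Scheme, Login"
        [Parameter(Mandatory)] [string] $Pattern   # e.g. "(https*):\/\/([]a-z]+)"
    )

    $keyList = @($Keys -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $fields  = [ordered]@{}

    $m = [regex]::Match($Message, $Pattern)
    if (-not $m.Success) {
        # Edge case: the pattern does not match this message, so no tags are
        # produced for it. The message itself is still forwarded unchanged.
        return $fields
    }

    # Groups[0] is the whole match; the capture groups start at index 1.
    $groupCount = $m.Groups.Count - 1
    if ($groupCount -lt $keyList.Count) {
        Write-Warning ("Pattern has {0} capture group(s) but {1} key(s) were given; " +
                       "keys without a matching group receive no value." -f $groupCount, $keyList.Count)
    }

    $n = [Math]::Min($keyList.Count, $groupCount)
    for ($i = 0; $i -lt $n; $i++) {
        $fields[$keyList[$i]] = $m.Groups[$i + 1].Value
    }
    return $fields
}

# Constructed sample message (hypothetical host and password, not from the page).
$sample = 'GET https://admin:s3cret@lm.example.internal/lm/apps/agent/mfsagent:e1?status=Up 200'

# The table's own keys and pattern, applied to the sample.
Get-DynamicGroupRegexFields -Message $sample -Keys 'Scheme, Login' -Pattern '(https*):\/\/([]a-z]+)'

# A message the pattern cannot match yields no fields at all.
Get-DynamicGroupRegexFields -Message 'Service control manager restarted spooler' -Keys 'Scheme, Login' -Pattern '(https*):\/\/([]a-z]+)'
```

With the table's keys and pattern the first call produces Scheme = https and Login = admin, matching the example in the table. Two caveats: the Collector's own regex engine may differ from .NET in edge cases (the `[]a-z]` class, for instance, relies on a leading `]` being treated as a literal), so validate a pattern on a few real messages in LM Logs after saving; and a log field only extracts metadata, it does not redact the message. A URL that embeds credentials, as the page's example does, is forwarded to LM Logs with the password in the message body.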

Resource Mappings

When configuring LogSource, you can configure the resource mappings to match LM log properties with the relevant monitored resources to ensure accurate data collection. Use these mappings to reduce manual setup and apply consistent labels and fields to logs.

Each method, with an example key and value:

Static
  Key example: "Customer_Id"
  Value example: "1234"
  Description: Text field, any value.

Dynamic (Regex)
  Key example: "system.ServiceName"
  Value example: "service=*"
  Description: The query runs on the message field.

LM Property (Token)
  Value example: "##system.deviceId##"
  Description: The device ID is read from the existing device property in LogicMonitor.

Note: The Key and Value parameters are mandatory items.

Requirements for Configuring the Windows Event Logging LogSource

To configure LogSource for Windows Event Logging, you need the following:

  • LM Collector — Windows Event Logs use the LM Collector. For details, see About the LogicMonitor Collector.
  • Define Windows Event Channels — To use LogSource, you must define Windows Event Channels to help categorize logs based on their source. 

Configuring a Windows Event Logging LogSource

  1. In the LogicMonitor navigation menu, select Modules.
  2. Add a new LogSource, or edit an existing one, in My Module Toolbox. For more information, see Custom Module Creation and Modules Management.
  3. In the Info tab, do the following:
    1. In the Name field, enter “Windows_Events”.
    2. In the Description field, enter the following: “Data collection for Windows Events logs from monitored Windows resources.”
    3. In the Type field, select LM Logs: Windows Event Logging.
    4. In the Group field, select Windows Event Logs.
  4. Select the AppliesTo tab and enter the AppliesTo formula that selects the relevant devices.
    For example: system.deviceId == "13581" || system.deviceId == "1894"
  5. Select the IncludeFilters tab.
  6. Select Add Filters and add the following attribute:

    Attribute   Comparison operator   Value
    LogName     In                    System|Application

Recommendation: Exclude the Security Audit Success log level, as it generates a high volume of data with minimal value for troubleshooting.

  7. Select the Log Fields tab.
  8. Select Add Log Fields and ensure that the following methods are auto-filled:

    Method      Key       Value
    Attribute   Level     Level
    Attribute   Source    SourceName
    Attribute   EventID   EventId
    Attribute   Channel   LogName

  9. Select the Resource Mappings tab.
  10. Select Add Resource Mappings and add the following method:

    Method   Key               Value
    Token    system.deviceId   ##system.deviceId##

  11. Select Save.
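Before the Collector starts shipping events, it is worth dry-running the filters from the Exclude Filters and Include Filters sections and the procedure above on the Windows host itself, so you can see what volume the include filter admits and what the recommended exclude of Security Audit Success would remove. The following PowerShell script is an added example (not LogicMonitor's code or part of the procedure). It assumes Windows PowerShell 5.1 or later, that the $Minutes parameter, the variable names and the window of 60 minutes are this example's own choices, and that it runs in an elevated session, since reading the Security channel requires administrator rights.

```powershell
# Added example (not LogicMonitor's code): dry-run the Windows_Events LogSource
# configured above against the local event log to size the filters before they
# go live. Assumes PowerShell 5.1+ and an elevated session for the Security log.
param(
    [int] $Minutes = 60   # hypothetical window for the volume check
)
$since = (Get-Date).AddMinutes(-$Minutes)

# Include filter from the procedure: LogName In "System|Application".
# The page says "In" accepts comma- or pipe-separated values, so split on both.
$includeLogNames = 'System|Application' -split '[|,]' | ForEach-Object { $_.Trim() }

# Exclude filter the page recommends: the "Security Audit Success" level. On
# Windows these records carry the AuditSuccess keyword rather than a distinct
# Level value, so that keyword is what the exclude maps to.
$auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure

# 1. Everything the include filter would forward, summarised per channel and level.
$kept = foreach ($log in $includeLogNames) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
}
"Events admitted by LogName In System|Application in the last $Minutes min, by channel and level:"
$kept |
    Group-Object LogName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. The four Log Fields the procedure auto-fills (Level, Source, EventID, Channel)
#    for the newest records, so the tags seen in LM Logs can be compared with
#    the raw Windows fields they come from.
"Sample of the Log Fields that will be attached:"
$kept |
    Select-Object -First 5 TimeCreated,
        @{ n = 'Level';   e = { $_.LevelDisplayName } },
        @{ n = 'Source';  e = { $_.ProviderName } },
        @{ n = 'EventID'; e = { $_.Id } },
        @{ n = 'Channel'; e = { $_.LogName } } |
    Format-Table -AutoSize

# 3. Quantify the recommendation: Security volume split into Audit Success and
#    Audit Failure over the same window. If Security is ever added to the include
#    list, the first number is what an exclude on "Security Audit Success" drops.
$successCount = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since; Keywords = $auditSuccess } `
                    -ErrorAction SilentlyContinue | Measure-Object).Count
$failureCount = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since; Keywords = $auditFailure } `
                    -ErrorAction SilentlyContinue | Measure-Object).Count
"Security channel, last $Minutes min: AuditSuccess=$successCount  AuditFailure=$failureCount"
```

Run it on a representative monitored host and compare the counts with your ingestion budget. One caveat on the Security Audit Success recommendation: successful logons (Event ID 4624) and process creation (4688) are themselves Audit Success events, so a blanket exclude of that level removes them along with the noise. If those events are wanted for security monitoring rather than troubleshooting, include them explicitly with an EventId filter (for example, EventId In 4624,4688) instead of excluding the whole level, and verify the result with the same dry-run.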