Skip to content

Windows Event

Windows Event Log Collection is used to collect applications, security, systems and so on.

Configuration

Preconditions

  • Windows version >= Windows Server 2008 R2

Collector Configuration

Go to the conf.d/samples directory under the DataKit installation directory, copy windows_event.conf.sample and name it windows_event.conf. Examples are as follows:

[[inputs.windows_event]]
  xpath_query = '''
  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">*</Select>
      <Suppress Path="Security">*[System[( (EventID &gt;= 5152 and EventID &lt;= 5158) or EventID=5379 or EventID=4672)]]</Suppress>
    </Query>
    <Query Id="1" Path="Application">
      <Select Path="Application">*[System[(Level &lt; 4)]]</Select>
    </Query>
    <Query Id="2" Path="Windows PowerShell">
      <Select Path="Windows PowerShell">*[System[(Level &lt; 4)]]</Select>
    </Query>
    <Query Id="3" Path="System">
      <Select Path="System">*</Select>
    </Query>
    <Query Id="4" Path="Setup">
      <Select Path="Setup">*</Select>
    </Query>
  </QueryList>
  '''

  # event_fetch_size is the number of events to fetch per query.
  event_fetch_size = 5

  [inputs.windows_event.tags]
  # some_tag = "some_value"
  # more_tag = "some_other_value"
  # ...

After configuration, restart DataKit.

Logging

For all of the following data collections, a global tag named host is appended by default (the tag value is the host name of the DataKit), or other tags can be specified in the configuration through [inputs.windows_event.tags]:

 [inputs.windows_event.tags]
  # some_tag = "some_value"
  # more_tag = "some_other_value"
  # ...

windows_event

Tags & Fields Description
channel Channel
Type: string
Unit: N/A
computer Computer
Type: string
Unit: N/A
event_id Event ID
Type: string
Unit: N/A
event_record_id Event record ID
Type: string
Unit: N/A
event_source Windows event source
Type: string
Unit: N/A
keyword Keyword
Type: string
Unit: N/A
level Level
Type: string
Unit: N/A
message Event content
Type: string
Unit: N/A
process_id Process ID
Type: int
Unit: N/A
status Log level
Type: string
Unit: N/A
task Task category
Type: string
Unit: N/A
total_message Full text of the event
Type: string
Unit: N/A
version Version
Type: string
Unit: N/A

Feedback

Is this page helpful? ×