Windows Event Logs
Introduction
The Windows Event Logs Monitor offers comprehensive visibility into the health, security, and performance of Windows servers.
Getting Started
Compatibility
The Event Logs metricsets were tested with Windows Server 22 and are expected to work with all the versions mentioned.
Data Collection Method
VuNet's EventLogbeat agent is used to collect Windows Event Logs, including the System, Application, Security, Microsoft-Windows-Sysmon/Operational, Windows PowerShell, Microsoft-Windows-PowerShell/Operational, and Forwarded Events logs.
Prerequisites
Inputs for Configuring Data Source
- Host: The IP Address or FQDN of the Windows server.
Select Event Logs
- Ignore Time (in hours): Any files modified before the specified timespan are ignored.
- Select Event Logs Type: The type of event logs to be collected. Select one of the types from the dropdown.
Firewall Requirement
To collect data from this O11ySource, ensure the following ports are open:
Source IP | Destination IP | Destination Port | Protocol | Direction |
---|---|---|---|---|
Windows Server IP | vuSmartMaps Kafka Broker IP | 9092* | TCP | Inbound |
*Before providing the firewall requirements, please update the port based on the customer environment.
Configuring the Target
EventLogbeat agent should be installed and running in the source system/machine.
Configuration Steps
- Enable the Windows Event Logs O11ySource.
- Select the Sources tab and press the + button to add a new Windows host to be monitored.
- After configuring the data sources, click the Save & Continue button to download the agents.
- The following packages will be available for download based on the OS:
  - EventLogbeat full installer package: Downloads the full EventLogbeat agent package with the required configurations for a fresh installation.
  - EventLogbeat config update package: Downloads the agent configuration package to update an existing EventLogbeat installation.
- Download the agent installation or update package, then click Finish to close the Source window.
Metrics Collected
Name | Description | Data Type |
---|---|---|
log_level | The severity level of the log (e.g., INFO, WARN, ERROR). | LowCardinality(String) |
timestamp | The timestamp of the log event with millisecond precision. | DateTime64(3) |
message | The log message detailing the event. | String |
host_name | The hostname of the system where the event was recorded. | LowCardinality(String) |
vublock_name | The name of the virtual block or component associated with the event. | LowCardinality(String) |
source_id | The identifier for the source of the log event. | String |
winlog_provider_guid | The GUID of the provider responsible for the Windows log event. | String |
winlog_keywords_0 | Keywords associated with the log event. | String |
winlog_event_id | The event ID uniquely identifying the type of log event. | UInt16 |
winlog_opcode | The operation code describing the type of operation logged. | LowCardinality(String) |
winlog_record_id | The record ID of the log entry in the Windows Event Log. | UInt64 |
winlog_task | The task category of the event, providing additional context. | String |
winlog_event_data_LogonProcessName | The name of the logon process associated with the event. | String |
winlog_event_data_TargetUserName | The target username involved in the event. | String |
winlog_event_data_WorkstationName | The workstation name associated with the event. | String |
winlog_event_data_SubjectUserSid | The security identifier (SID) of the subject user. | String |
winlog_event_data_ImpersonationLevel | The impersonation level used during the event. | String |
winlog_event_data_VirtualAccount | Indicates whether a virtual account was used. | String |
winlog_event_data_SubjectDomainName | The domain name of the subject user. | String |
winlog_event_data_KeyLength | The length of the encryption key used, if applicable. | UInt8 |
winlog_event_data_RestrictedAdminMode | Indicates if restricted admin mode was used. | String |
winlog_event_data_TargetLogonId | The logon ID of the target user. | String |
winlog_event_data_LmPackageName | The LM package name used during authentication. | String |
winlog_event_data_ProcessName | The name of the process associated with the event. | String |
winlog_event_data_TargetOutboundDomainName | The domain name for outbound connections of the target user. | String |
winlog_event_data_IpAddress | The IP address associated with the event. | String |
winlog_event_data_TargetUserSid | The SID of the target user. | String |
winlog_event_data_TargetLinkedLogonId | The linked logon ID for the target user. | String |
winlog_event_data_TargetDomainName | The domain name of the target user. | LowCardinality(String) |
winlog_event_data_TargetOutboundUserName | The username for outbound connections of the target user. | LowCardinality(String) |
winlog_event_data_AuthenticationPackageName | The authentication package used during logon. | String |
winlog_event_data_LogonGuid | The globally unique identifier (GUID) for the logon session. | String |
winlog_event_data_SubjectLogonId | The logon ID of the subject user. | String |
winlog_event_data_SubjectUserName | The username of the subject user. | String |
winlog_event_data_ProcessId | The process ID associated with the event. | String |
winlog_event_data_ElevatedToken | Indicates if an elevated token was used during the event. | String |
winlog_event_data_LogonType | The type of logon performed (e.g., interactive, remote). | UInt8 |
winlog_event_data_TransmittedServices | The services transmitted during the event. | String |
winlog_event_data_FailureReason | The reason for failure, if the event was unsuccessful. | String |
winlog_event_data_IpPort | The port associated with the IP address in the event. | String |
winlog_event_data_Status | The status of the event (e.g., success, failure). | String |
winlog_api | The API associated with the Windows log event. | String |
winlog_activity_id | The activity ID associated with the event. | String |
winlog_version | The version of the event log entry. | UInt8 |
winlog_channel | The channel of the Windows Event Log (e.g., Security, Application). | LowCardinality(String) |
winlog_process_pid | The process ID of the process generating the event. | UInt32 |
winlog_process_thread_id | The thread ID of the process generating the event. | UInt32 |
winlog_computer_name | The computer name where the event was generated. | LowCardinality(String) |
winlog_provider_name | The name of the provider generating the event. | LowCardinality(String) |
event_created | The timestamp when the event was created, with millisecond precision. | DateTime64(3) |
event_code | The event code providing further classification of the event type. | UInt16 |
event_kind | The kind of event (e.g., alert, informational). | LowCardinality(String) |
event_provider | The provider responsible for the event. | LowCardinality(String) |
event_outcome | The outcome of the event (e.g., success, failure). | String |
event_action | The action associated with the event. | String |
winlog_event_description | A description of the event. | LowCardinality(String) |
winlog_event_source | The source of the event. | LowCardinality(String) |
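The fields above are what a detection rule over the collected Security channel works with. As an added example (not vuSmartMaps or EventLogbeat code), the script below builds constructed records using the table's field names and flags source IPs that accumulate repeated failed logons (Windows Security event ID 4625, which is not listed on this page) inside a sliding window; the threshold, window and sample values are assumptions.

```python
"""Added example (not vuSmartMaps code): flag source IPs with repeated failed Security
logons (event 4625) in records shaped like the metrics table; all values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625  # Microsoft Security event "An account failed to log on"

def make_record(ts, event_id, user, ip, logon_type):
    """Build a record using the field names from the metrics table above."""
    return {"timestamp": ts, "winlog_channel": "Security",
            "winlog_event_id": event_id,
            "event_outcome": "failure" if event_id == EVENT_LOGON_FAILED else "success",
            "winlog_event_data_TargetUserName": user,
            "winlog_event_data_IpAddress": ip,
            "winlog_event_data_LogonType": logon_type}

# Constructed sample: three failures from one address inside two minutes (LogonType
# 10, remote interactive), then one failure and one success (4624) from another.
SAMPLE_RECORDS = [
    make_record("2024-05-01T10:00:00.000", 4625, "administrator", "203.0.113.10", 10),
    make_record("2024-05-01T10:00:40.250", 4625, "backup", "203.0.113.10", 10),
    make_record("2024-05-01T10:01:55.000", 4625, "svc_sql", "203.0.113.10", 10),
    make_record("2024-05-01T10:03:00.000", 4625, "alice", "198.51.100.7", 3),
    make_record("2024-05-01T10:03:05.000", 4624, "alice", "198.51.100.7", 3),
]

def parse_ts(value):
    """Parse the DateTime64(3) text form carried in the `timestamp` field."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f")

def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for source IPs whose failed Security logons reach
    `threshold` inside any sliding `window`; other channels/event IDs are skipped."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec.get("winlog_channel") != "Security" or rec.get("winlog_event_id") != EVENT_LOGON_FAILED:
            continue
        # Local or unknown sources carry "-" in IpAddress; they share one bucket.
        by_ip[rec.get("winlog_event_data_IpAddress") or "-"].append(parse_ts(rec["timestamp"]))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits
```

Running `failed_logon_bursts(SAMPLE_RECORDS)` on the constructed data reports only the address with three failures; the success event and the single failure from the other address do not count.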