Win 32 event log

Agent Check

Supported OS Windows



The Win 32 event log check watches for Windows Event Logs and forwards them to Datadog. Enable this check to:

  • Track system and application events in Datadog.
  • Correlate system and application events with the rest of your application.



The Windows Event Log check is included in the Datadog Agent package. There is no additional installation required.


  1. Edit the win32_event_log.d/conf.yaml in the conf.d/ folder at the root of your Agent’s configuration directory. See the sample win32_event_log.d/conf.yaml for all available configuration options.

  2. Restart the Agent to start sending Windows events to Datadog.

Note: Events and logs are configured separately. Logs are not configured within each instance. See log collection, below, for configuring log collection.

Log collection

First ensure that you have set logs_enabled: true in your datadog.yaml file.

To collect logs from specific Windows events, add the channels to the conf.d/win32_event_log.d/conf.yaml file manually, or use the Datadog Agent Manager.

To see the channel list, run the following command in PowerShell:

Get-WinEvent -ListLog *

To see the most active channels, run the following command in PowerShell:

Get-WinEvent -ListLog * | sort RecordCount -Descending

This command displays channels in the format LogMode MaximumSizeInBytes RecordCount LogName. Example response:

LogMode MaximumSizeInBytes RecordCount LogName
Circular 134217728 249896 Security

The value under the column LogName is the name of the channel. In the above example, the channel name is Security.

Then add the channels in your win32_event_log.d/conf.yaml configuration file:

  logs:
    - type: windows_event
      channel_path: "<CHANNEL_1>"
      source: ""
      service: myservice

    - type: windows_event
      channel_path: "<CHANNEL_2>"
      source: ""
      service: myservice

Edit the <CHANNEL_X> parameters with the Windows channel name you want to collect events from. Set the corresponding source parameter to to benefit from the integration automatic processing pipeline.

Finally, restart the Agent.

Note: For the Security logs channel, add your Datadog Agent user to the Event Log Readers user group.

Filtering events

Use the Windows Event Viewer GUI to list all the event logs available for capture with this integration.

To determine the exact values to set in your filters, use the following PowerShell command:

Get-WmiObject -Class Win32_NTLogEvent

For example, to see the latest event logged in the Security log file, use:

Get-WmiObject -Class Win32_NTLogEvent -Filter "LogFile='Security'" | select -First 1

The values listed in the output of the command can be set in win32_event_log.d/conf.yaml to capture the same kind of events.

Note: The information given by the Get-EventLog PowerShell command or the Windows Event Viewer GUI may slightly differ from Get-WmiObject. Double-check your filters' values with Get-WmiObject if the integration doesn't capture the events you set up.

  1. Configure one or more filters for the event log. A filter allows you to choose what log events you want to get into Datadog.

    Filter on the following properties:

    • type: Warning, Error, Information
    • log_file: Application, System, Setup, Security
    • source_name: Any available source name
    • user: Any valid user name

    For each filter, add an instance in the configuration file at win32_event_log.d/conf.yaml.

    Some example filters:

      instances:
        # The following captures errors and warnings from SQL Server, which
        # puts all events under the MSSQLSERVER source, and tags them with #sqlserver.
        - tags:
            - sqlserver
          type:
            - Warning
            - Error
          log_file:
            - Application
          source_name:
            - MSSQLSERVER

        # This instance captures all system errors and tags them with #system.
        - tags:
            - system
          type:
            - Error
          log_file:
            - System

  2. Restart the Agent using the Agent Manager (or restart the service).
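
The filter behaviour described above, as an added example that is not part of the Datadog documentation or the Agent's code: it assumes that values within one filter property are alternatives and that every property set on an instance must match, consistent with the comments in the example filters. The sample events are constructed, and `wql_filter` is a hypothetical helper that builds a `-Filter` string for Get-WmiObject so an instance's values can be double-checked.

```python
# Added example, not Datadog's code. Assumption: values within one filter
# property are alternatives (OR); every property set must match (AND).

# conf.yaml filter key -> Win32_NTLogEvent property shown by Get-WmiObject.
WMI_PROPERTY = {"type": "Type", "log_file": "LogFile",
                "source_name": "SourceName", "user": "User"}

# Instances modelled on this page's two example filters (parsed YAML).
INSTANCES = [
    {"tags": ["sqlserver"], "type": ["Warning", "Error"],
     "log_file": ["Application"], "source_name": ["MSSQLSERVER"]},
    {"tags": ["system"], "type": ["Error"], "log_file": ["System"]},
]

# Constructed sample events, not real log data.
EVENTS = [
    {"Type": "Error", "LogFile": "Application", "SourceName": "MSSQLSERVER"},
    {"Type": "Information", "LogFile": "Application", "SourceName": "MSSQLSERVER"},
    {"Type": "Error", "LogFile": "System", "SourceName": "Service Control Manager"},
    {"Type": "Warning", "LogFile": "System", "SourceName": "Disk"},
]

def matches(instance, event):
    """True when every filter property set on the instance accepts the event."""
    for key, prop in WMI_PROPERTY.items():
        allowed = instance.get(key)
        if allowed and event.get(prop) not in allowed:
            return False
    return True

def forwarded(instances, events):
    """Return (event index, tags) for each event an instance would capture."""
    return [(i, inst.get("tags", []))
            for i, ev in enumerate(events)
            for inst in instances if matches(inst, ev)]

def wql_filter(instance):
    """Build a Get-WmiObject -Filter string to preview what an instance matches."""
    def quote(v):  # WQL escapes backslash and single quote with a backslash
        return "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"
    clauses = ["(" + " OR ".join(f"{prop}={quote(v)}" for v in instance[key]) + ")"
               for key, prop in WMI_PROPERTY.items() if instance.get(key)]
    return " AND ".join(clauses)

if __name__ == "__main__":
    for inst in INSTANCES:
        print("-Filter", wql_filter(inst))
    print(forwarded(INSTANCES, EVENTS))
```

Pass the printed string to `Get-WmiObject -Class Win32_NTLogEvent -Filter "..."` on the host to compare what an instance should match with what actually arrives in Datadog.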


Check the info page in the Datadog Agent Manager or run the Agent’s status subcommand and look for win32_event_log under the Checks section. It should display a section similar to the following:



      - instance #0 [OK]
      - Collected 0 metrics, 2 events & 1 service check

Data Collected


The Win32 Event log check does not include any metrics.


All Windows events are forwarded to your Datadog application.

Service Checks

The Win32 Event log check does not include any service checks.


Need help? Contact Datadog support.
