New announcements for Serverless, Network, RUM, and more from Dash! New announcements from Dash!

Win 32 event log

Agent Check Agent Check

Supported OS: Windows


The Win 32 event log check watches for Windows Event Logs and forwards them to Datadog. Enable this check to:

  • Track system and application events in Datadog.
  • Correlate system and application events with the rest of your application.



The Windows Event Log check is included in the Datadog Agent package. There is no additional installation required.


  1. Edit the win32_event_log.d/conf.yaml in the conf.d/ folder at the root of your Agent’s configuration directory. See the sample win32_event_log.d/conf.yaml for all available configuration options.

  2. Restart the Agent to start sending Windows events to Datadog.

Log collection

To collect logs from specific Windows events, add the channels to the conf.d/win32_event_log.d/conf.yaml file manually, or via the Datadog Agent Manager.

To see the channel list, run the following command in a PowerShell:

Get-WinEvent -ListLog *

To see the most active channels, run the following command in a PowerShell:

Get-WinEvent -ListLog * | sort RecordCount -Descending

This command displays channels in the format LogMode MaximumSizeInBytes RecordCount LogName. Example response:

LogMode MaximumSizeInBytes RecordCount LogName
Circular 134217728 249896 Security

The value under the column LogName is the name of the channel. In the above example, the channel name is Security.

Then add the channels in your win32_event_log.d/conf.yaml configuration file:

  - type: windows_event
    channel_path: <CHANNEL_1>
    source: <CHANNEL_1>
    service: myservice
    sourcecategory: windowsevent

  - type: windows_event
    channel_path: <CHANNEL_2>
    source: <CHANNEL_2>
    service: myservice
    sourcecategory: windowsevent

Edit the <CHANNEL_X> parameters with the Windows channel name you want to collect events from. Set the corresponding source parameter to the same channel name to benefit from the integration automatic processing pipeline.

Finally, restart the Agent.

Note: For the Security logs channel, make sure that your Datadog Agent user is added to the Event Log Readers list.


Use the Windows Event Viewer GUI to list all the event logs available for capture with this integration.

To determine the exact values, set your filters to use the following PowerShell command:

Get-WmiObject -Class Win32_NTLogEvent

For instance, to see the latest event logged in the Security LogFile, use:

Get-WmiObject -Class Win32_NTLogEvent -Filter "LogFile='Security'" | select -First 1

The values listed in the output of the command can be set in win32_event_log.yaml to capture the same kind of events.

The information given by the Get-EventLog PowerShell command or the Windows Event ViewerGUI may slightly differ from Get-WmiObject.
Double-check your filters' values with Get-WmiObject if the integration doesn't capture the events you set up.

1 - Configure one or more filters for the event log. A filter allows you to choose what log events you want to get into Datadog.

Filter on the following properties:

  • type: Warning, Error, Information
  • log_file: Application, System, Setup, Security
  • source_name: Any available source name
  • user: Any valid user name

For each filter, add an instance in the configuration file at conf.d/win32_event_log.yaml.

Some example filters:

    # The following captures errors and warnings from SQL Server which
    # puts all events under the MSSQLSERVER source and tag them with #sqlserver.
    -   tags:
            - sqlserver
            - Warning
            - Error
            - Application
            - MSSQLSERVER

    # This instance captures all system errors and tags them with #system.
    -   tags:
            - system
            - Error
            - System

2 - Restart the Agent using the Agent Manager (or restart the service)


Check the info page in the Datadog Agent Manager or run the Agent’s status subcommand and look for win32_event_log under the Checks section. It should display a section similar to the following:



      - instance #0 [OK]
      - Collected 0 metrics, 2 events & 1 service check

Data Collected


The Win32 Event log check does not include any metrics.


All Windows Event are forwarded to your Datadog application.

Service Checks

The Win32 Event log check does not include any service checks.


Need help? Contact Datadog support.

Further Reading



Mistake in the docs? Feel free to contribute!