Win32 event log

Supported OS: Windows

Integration v2.13.1

Overview

The Win32 event log check watches for Windows Event Logs and forwards them to Datadog. Enable this check to:

  • Track system and application events in Datadog.
  • Correlate system and application events with the rest of your application.

Setup

Installation

The Windows Event Log check is included in the Datadog Agent package. There is no additional installation required.

Configuration

  1. Edit the win32_event_log.d/conf.yaml in the conf.d/ folder at the root of your Agent’s configuration directory. See the sample win32_event_log.d/conf.yaml for all available configuration options.

  2. Restart the Agent to start sending Windows events to Datadog.

Note: Events and logs are configured separately. Logs are not configured within each instance. See log collection, below, for configuring log collection.

Log collection

First ensure that you have set logs_enabled: true in your datadog.yaml file.

To collect logs from specific Windows events, add channels to the conf.d/win32_event_log.d/conf.yaml file manually, or use the Datadog Agent Manager. See the Windows Event Logs documentation.

To see a list of channels, run the following command in PowerShell:

Get-WinEvent -ListLog *

To see the most active channels, run the following command in PowerShell:

Get-WinEvent -ListLog * | sort RecordCount -Descending

This command displays channels in the format LogMode MaximumSizeInBytes RecordCount LogName. Example response:

LogMode MaximumSizeInBytes RecordCount LogName
Circular 134217728 249896 Security

The value under the column LogName is the name of the channel. In the above example, the channel name is Security.

Add channels to the logs section of your win32_event_log.d/conf.yaml configuration file. Each channel also requires an entry in the instances section of the file. This example shows entries for the Security and <CHANNEL_2> channels:

init_config:
instances:
  - path: Security 
    legacy_mode: false
    filters: {}

  - path: "<CHANNEL_2>" 
    legacy_mode: false
    filters: {}
logs:
  - type: windows_event
    channel_path: Security
    source: windows.events
    service: Windows

  - type: windows_event
    channel_path: "<CHANNEL_2>"
    source: "windows.events"
    service: myservice

Edit the <CHANNEL_X> parameters with the Windows channel name you want to collect events from. Set the corresponding source parameter to windows.events to benefit from the integration's automatic processing pipeline.

Finally, restart the Agent.

Note: For the Security logs channel, add your Datadog Agent user to the Event Log Readers user group.

Filtering events

Use the Windows Event Viewer GUI to list all the event logs available for capture with this integration.

To determine the exact values to set in your filters, use the following PowerShell command:

Get-WmiObject -Class Win32_NTLogEvent

For example, to see the latest event logged in the Security log file, use:

Get-WmiObject -Class Win32_NTLogEvent -Filter "LogFile='Security'" | select -First 1

The values listed in the output of the command can be set in win32_event_log.d/conf.yaml to capture the same kind of events.

The information given by the Get-EventLog PowerShell command or the Windows Event Viewer GUI may differ slightly from the output of Get-WmiObject. Double-check your filters' values with Get-WmiObject if the integration doesn't capture the events you set up.

  1. Configure one or more filters for the event log. A filter allows you to choose which log events you want to send to Datadog.

    Filter on the following properties:

    • type: Warning, Error, Information
    • log_file: Application, System, Setup, Security
    • source_name: Any available source name
    • user: Any valid user name

    For each filter, add an instance in the configuration file at win32_event_log.d/conf.yaml.

    Some example filters:

    - type: windows_event
      channel_path: Security
      source: windows.events
      service: Windows       
      log_processing_rules:
      - type: include_at_match
        name: relevant_security_events
        pattern: .*(?i)eventid.+(1102|4624|4625|4634|4648|4728|4732|4735|4737|4740|4755|4756)
    
    - type: windows_event
      channel_path: Security
      source: windows.events
      service: Windows       
      log_processing_rules:
      - type: exclude_at_match
        name: relevant_security_events
        pattern: \"EventID\":\"(1102|4624)\"
    
    - type: windows_event
      channel_path: System
      source: windows.events
      service: Windows       
      log_processing_rules:
      - type: include_at_match
        name: system_errors_and_warnings
        pattern: .*(?i)level.+((?i)(warning|error))
    
    - type: windows_event
      channel_path: Application
      source: windows.events
      service: Windows       
      log_processing_rules:
      - type: include_at_match
        name: application_errors_and_warnings
        pattern: .*(?i)level.+((?i)(warning|error))
    
    instances:
      # The following captures errors and warnings from SQL Server, which
      # puts all events under the MSSQLSERVER source, and tags them with #sqlserver.
      - tags:
          - sqlserver
        type:
          - Warning
          - Error
        log_file:
          - Application
        source_name:
          - MSSQLSERVER
    
      # This instance captures all system errors and tags them with #system.
      - tags:
          - system
        type:
          - Error
        log_file:
          - System
    
  2. Restart the Agent using the Agent Manager (or restart the service).

For more examples of filtering logs, see the Advanced Log Collection documentation.

Filtering by EventID

Here is an example regex pattern to only collect Windows Events Logs from a certain EventID:

logs:
  - type: windows_event
    channel_path: Security
    source: windows.events
    service: Windows
    log_processing_rules:
      - type: include_at_match
        name: include_x01
        pattern: \"value\":\"(101|201|301)\"

Note: the pattern may vary based on the format of the logs.
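Before deploying a log_processing_rules pattern, it helps to run it against sample lines. The Go program below is an added example written for this page, not Agent code: it applies the include and exclude regexes from the filtering examples above to constructed lines, with include_at_match dropping lines that do not match and exclude_at_match dropping lines that do. The JSON shape of the sample lines is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule mirrors one log_processing_rules entry from the examples above.
type Rule struct {
	Type    string // "include_at_match" or "exclude_at_match"
	Pattern *regexp.Regexp
}

// Patterns copied from this page's configuration examples. The Agent is a Go
// program, so Go's RE2 engine, including the mid-pattern (?i) flag, applies.
var (
	includeSecurity = regexp.MustCompile(`.*(?i)eventid.+(1102|4624|4625|4634|4648|4728|4732|4735|4737|4740|4755|4756)`)
	excludeSecurity = regexp.MustCompile(`\"EventID\":\"(1102|4624)\"`)
	includeByValue  = regexp.MustCompile(`\"value\":\"(101|201|301)\"`)
)

// Constructed sample lines in an assumed JSON shape, not captured Agent output.
var sampleLines = []string{
	`{"EventID":"4624","Level":"Information","Channel":"Security"}`,
	`{"EventID":"1102","Level":"Information","Channel":"Security"}`,
	`{"EventID":"4672","Level":"Information","Channel":"Security"}`,
	`{"EventID":"46240","Level":"Information","Channel":"Security"}`,
}

// Apply evaluates the rules in order per line: an include rule that does not
// match, or an exclude rule that does, drops the line; survivors are returned.
func Apply(rules []Rule, lines []string) []string {
	var kept []string
next:
	for _, line := range lines {
		for _, r := range rules {
			m := r.Pattern.MatchString(line)
			if (r.Type == "include_at_match" && !m) || (r.Type == "exclude_at_match" && m) {
				continue next
			}
		}
		kept = append(kept, line)
	}
	return kept
}

func main() {
	fmt.Println(Apply([]Rule{{"include_at_match", includeSecurity}}, sampleLines))
	fmt.Println(Apply([]Rule{{"exclude_at_match", excludeSecurity}}, sampleLines))
}
```

The run shows why the quoting matters: the unanchored `eventid.+(…|4624|…)` include pattern also keeps the constructed EventID 46240 line, because 4624 is a prefix of it, while the quoted `\"EventID\":\"(1102|4624)\"` form matches only the exact IDs.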

Validation

Check the info page in the Datadog Agent Manager or run the Agent’s status subcommand and look for win32_event_log under the Checks section. It should display a section similar to the following:

Checks
======

  [...]

  win32_event_log
  ---------------
      - instance #0 [OK]
      - Collected 0 metrics, 2 events & 1 service check

Data Collected

Metrics

The Win32 Event log check does not include any metrics.

Events

All Windows events are forwarded to Datadog.

Service Checks

The Win32 Event log check does not include any service checks.

Troubleshooting

Need help? Contact Datadog support.
