The value under the column LogName is the name of the channel. In the example above, the channel name is Security.
Windows Event Viewer
To find the channel name for an Event Log in the Windows Event Viewer, open the Event Log Properties window and refer to the Full Name field. In the following example, the channel name is Microsoft-Windows-Windows Defender/Operational.
Event collection
To collect Windows Event Logs as Datadog events, configure channels under the instances: section of your win32_event_log.d/conf.yaml configuration file.
The Datadog Agent can be configured to collect Windows Event Logs as Datadog events in two ways. Each method has its own configuration syntax for channels and for filters (see Filtering Events).
The latest method uses the Event Log API. Datadog recommends using the Event Log API because it has better performance than the legacy method below.
To use the Event Log API collection method, set legacy_mode: false in each instance. When legacy_mode: false is set, the path key is required in that instance of win32_event_log.d/conf.yaml.
This example shows entries for the Security and <CHANNEL_2> channels:
init_config:

instances:
  # Event Log API
  - path: Security
    legacy_mode: false
    filters: {}

  - path: "<CHANNEL_2>"
    legacy_mode: false
    filters: {}
The legacy method uses WMI and is the default mode for an instance.
If legacy_mode is not set or set to true, then at least one of the following filters must be set: source_name, event_id, message_filters, log_file, or type.
This example shows entries for the Security and <CHANNEL_2> channels:
Log collection is disabled by default in the Datadog Agent. To collect Windows Event Logs as Datadog logs, activate log collection by setting logs_enabled: true in your datadog.yaml file.
To collect Windows Event Logs as Datadog logs, configure channels under the logs: section of your win32_event_log.d/conf.yaml configuration file. This example shows entries for the Security and <CHANNEL_2> channels:
The values listed in the output of the command can be set in win32_event_log.d/conf.yaml to capture the same kind of events.
The information given by the Get-EventLog PowerShell command or the Windows Event Viewer GUI may differ slightly from what Get-WmiObject reports. If the integration does not capture the events you set up, double check your filter values with Get-WmiObject, since the legacy collector reads events through WMI.
The Datadog Agent can be configured to collect Windows Event Logs as Datadog events in two ways. Each method has its own configuration syntax for filters. See the sample win32_event_log.d/conf.yaml for all available filter options for respective modes.
Datadog recommends using the latest method for filters.
instances:
  # Default
  # The following captures errors and warnings from SQL Server which
  # puts all events under the MSSQLSERVER source and tag them with #sqlserver.
  - tags:
      - sqlserver
    type:
      - Warning
      - Error
    log_file:
      - Application
    source_name:
      - MSSQLSERVER

  # This instance captures all system errors and tags them with #system.
  - tags:
      - system
    type:
      - Error
    log_file:
      - System
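Because the legacy collector matches log_file, source_name and type against what WMI reports rather than what Event Viewer displays, it is worth confirming the values before committing them to conf.yaml. The following PowerShell is an added example, not part of the Datadog integration documentation; it cross-checks the first legacy-mode instance above (Application log, MSSQLSERVER source, Warning and Error types) against Win32_NTLogEvent, which is the class the legacy WMI path reads. The log names and the sample sizes are assumptions; adjust them for the channel you collect.

```powershell
# Added example, not part of the Datadog integration documentation.
# Cross-checks legacy-mode filter values (log_file, source_name, type) against
# what WMI reports in Win32_NTLogEvent, since that is the view the legacy
# collector sees and it can differ from Event Viewer or Get-EventLog.

# 1. Which SourceName values does WMI see in the Application log?
#    If MSSQLSERVER is absent here, source_name: MSSQLSERVER will never match.
Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='Application'" |
    Group-Object -Property SourceName |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 -Property Count, Name

# 2. Which Type strings does WMI use for this log? The type filter is matched as text,
#    so the values in conf.yaml must be spelled exactly as they appear here
#    (for example 'Error', 'Warning', 'Information', 'Audit Success', 'Audit Failure').
Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='System'" |
    Group-Object -Property Type |
    Select-Object -Property Count, Name

# 3. Run the exact combination the first instance above describes. The events
#    returned here are the ones the integration should capture with those filters.
$query = "SELECT TimeGenerated, Logfile, SourceName, Type, EventCode, EventIdentifier " +
         "FROM Win32_NTLogEvent " +
         "WHERE Logfile='Application' AND SourceName='MSSQLSERVER' " +
         "AND (Type='Error' OR Type='Warning')"

Get-WmiObject -Query $query |
    Select-Object -First 10 -Property TimeGenerated, SourceName, Type, EventCode, EventIdentifier |
    Format-Table -AutoSize
```

Scanning a large Application or System log through WMI can take a while; Select-Object -First stops the pipeline early once enough rows are in. On PowerShell 7, where Get-WmiObject is not available, Get-CimInstance -ClassName Win32_NTLogEvent -Filter "..." (and Get-CimInstance -Query "...") returns the same properties. Note that EventCode is the 16-bit event ID, while EventIdentifier is the full 32-bit value that also encodes the qualifiers discussed under log processing rules below.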
For each filter, add a log processing rule in the configuration file at win32_event_log.d/conf.yaml.
Events written by legacy providers carry a Qualifiers attribute on the EventID element, which changes the format of the log, as described in the Windows Event Schema. These events have the following XML format, visible in the Windows Event Viewer:

<EventID Qualifiers="16384">3</EventID>
The following regex must be used to match these EventIDs:
Agent versions 7.41 or later normalize the EventID field, so the substring (?:{"value":)? in the legacy pattern is no longer needed. With Agent 7.41 or later, use the shorter regex pattern below:
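To see which events in a channel actually carry the Qualifiers attribute, and therefore need the longer matching pattern in a log processing rule, you can inspect the raw event XML from PowerShell. This is an added example, not code from the Datadog documentation or the Agent; the channel name and sample size are assumptions.

```powershell
# Added example, not part of the Datadog integration documentation.
# Lists the providers in a channel whose events have <EventID Qualifiers="...">
# (legacy, non-manifest providers) as opposed to a bare <EventID>N</EventID>.
# The channel and sample size below are assumptions; change them as needed.
$LogName   = 'System'
$MaxEvents = 300

Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
    [xml]$doc = $_.ToXml()
    $idNode = $doc.Event.System.EventID

    # The PowerShell XML adapter returns a plain string for <EventID>3</EventID>,
    # but an XmlElement (with '#text' and the attribute) for
    # <EventID Qualifiers="16384">3</EventID>. Only the latter form needs the
    # Qualifiers-aware pattern in the log processing rule.
    if ($idNode -is [System.Xml.XmlElement]) {
        [pscustomobject]@{
            Provider   = $_.ProviderName
            EventID    = [int]$idNode.'#text'
            Qualifiers = [int]$idNode.Qualifiers
            RecordId   = $_.RecordId
        }
    }
} |
    Group-Object -Property Provider, Qualifiers |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

An empty result means none of the sampled events use the qualified form. Channels fed by manifest-based providers (the Security channel's Microsoft-Windows-Security-Auditing, for example) typically produce bare EventID elements, whereas System and Application commonly mix both forms, so a single log processing rule for such a channel has to account for events with and without the Qualifiers attribute.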