The Win 32 event log check watches for Windows Event Logs and forwards them to Datadog. Enable this check to:
The Windows Event Log check is included in the Datadog Agent package. There is no additional installation required.
win32_event_log.d/conf.yaml in the
conf.d/ folder at the root of your Agent’s configuration directory. This minimal file captures all events from localhost:
init_config: instances: - host: localhost
See the sample win32_event_log.d/conf.yaml for all available configuration options.
Restart the Agent to start sending Windows events to Datadog.
To collect logs from specific Windows events, add the channels to the
conf.d/win32_event_log.d/conf.yaml file manually, or via the Datadog Agent Manager.
To see the channel list, run the following command in a PowerShell:
Get-WinEvent -ListLog *
To see the most active channels, run the following command in a PowerShell:
Get-WinEvent -ListLog * | sort RecordCount -Descending
This command displays channels in the format
LogMode MaximumSizeInBytes RecordCount LogName. Example response:
LogMode MaximumSizeInBytes RecordCount LogName Circular 134217728 249896 Security
The value under the column
LogName is the name of the channel. In the above example, the channel name is
Then add the channels in your
win32_event_log.d/conf.yaml configuration file:
logs: - type: windows_event channel_path: <CHANNEL_1> source: <CHANNEL_1> service: myservice sourcecategory: windowsevent - type: windows_event channel_path: <CHANNEL_2> source: <CHANNEL_2> service: myservice sourcecategory: windowsevent
<CHANNEL_X> parameters with the Windows channel name you want to collect events from.
Set the corresponding
source parameter to the same channel name to benefit from the integration automatic processing pipeline.
Finally, restart the Agent.
Use the Windows Event Viewer GUI to list all the event logs available for capture with this integration.
To determine the exact values, set your filters to use the following PowerShell command:
Get-WmiObject -Class Win32_NTLogEvent
For instance, to see the latest event logged in the
Security LogFile, use:
Get-WmiObject -Class Win32_NTLogEvent -Filter "LogFile='Security'" | select -First 1
The values listed in the output of the command can be set in
win32_event_log.yaml to capture the same kind of events.
Get-EventLogPowerShell command or the Windows Event ViewerGUI may slightly differ from
Get-WmiObjectif the integration doesn't capture the events you set up.
1 - Configure one or more filters for the event log. A filter allows you to choose what log events you want to get into Datadog.
Filter on the following properties:
For each filter, add an instance in the configuration file at
Some example filters:
instances: # The following captures errors and warnings from SQL Server which # puts all events under the MSSQLSERVER source and tag them with #sqlserver. - tags: - sqlserver type: - Warning - Error log_file: - Application source_name: - MSSQLSERVER # This instance captures all system errors and tags them with #system. - tags: - system type: - Error log_file: - System
2 - Restart the Agent using the Agent Manager (or restart the service)
Check the info page in the Datadog Agent Manager or run the Agent’s
status subcommand and look for
win32_event_log under the Checks section. It should display a section similar to the following:
Checks ====== [...] win32_event_log --------------- - instance #0 [OK] - Collected 0 metrics, 2 events & 1 service check
The Win32 Event log check does not include any metrics.
All Windows Event are forwarded to your Datadog application.
The Win32 Event log check does not include any service checks.
Need help? Contact Datadog support.
Mistake in the docs? Feel free to contribute!