The Windows Event Log monitor uploads messages from the Windows Event Log to the DataSet servers. It can listen to multiple event sources (channels) and can filter the events it forwards with an XPath query, the same query syntax Event Viewer uses for custom views. See the full monitor documentation for details.
On Windows Vista and later, the Scalyr Agent can be configured to query events on any channel, including the Applications and Services logs and not only the classic Application, Security and System logs. See the Event Log documentation for more details.
The following configures the agent to forward events at levels 0 to 4, that is LogAlways (0), Critical (1), Error (2), Warning (3) and Information (4), from the Application, Security and System channels. Verbose (5) events are not matched and are left out:
monitors: [
  {
    module: "scalyr_agent.builtin_monitors.windows_event_log_monitor",
    channels: [
      {
        "channel": [ "Application", "Security", "System" ],
        "query": "*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3 or System/Level=4]"
      }
    ]
  }
]
Alternatively, the following configuration forwards only Critical (1) events from the Application channel, and LogAlways (0), Critical (1), Error (2) and Warning (3) events from the Security and System channels. Each entry in the channels list pairs its own query with its own set of channels, so different channels can be filtered differently:
monitors: [
  {
    module: "scalyr_agent.builtin_monitors.windows_event_log_monitor",
    channels: [
      {
        "channel": [ "Application" ],
        "query": "*[System/Level=1]"
      },
      {
        "channel": [ "Security", "System" ],
        "query": "*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3]"
      }
    ]
  }
]
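Before committing a query to agent.json it is worth running it against the live channels, because a malformed XPath expression or a channel the agent cannot read produces no events rather than an obvious error. The PowerShell below is an added example, not code from the DataSet/Scalyr agent or its documentation; it mirrors the second configuration above and runs each query through Get-WinEvent -FilterXPath, which accepts the same XPath subset the agent hands to the Windows Evt API. It assumes an elevated PowerShell session on Windows Vista or later, since reading the Security channel requires administrative rights or membership in the Event Log Readers group.

```powershell
# Added example (not part of the DataSet/Scalyr agent or its docs): validate the
# channel/query pairs from the configuration above with Get-WinEvent before
# putting them into agent.json.
# Assumes an elevated PowerShell session; the Security channel is not readable otherwise.

# Mirror of the second configuration above: one XPath query per group of channels.
$channelQueries = @(
    @{ Channels = @('Application');        Query = '*[System/Level=1]' },
    @{ Channels = @('Security', 'System'); Query = '*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3]' }
)

foreach ($entry in $channelQueries) {
    foreach ($channel in $entry.Channels) {
        try {
            # -FilterXPath evaluates the same XPath 1.0 subset as the Evt API, so a query that
            # returns events here will also match when the agent subscribes to the channel.
            $events = Get-WinEvent -LogName $channel -FilterXPath $entry.Query -MaxEvents 5 -ErrorAction Stop
            "{0}: {1} sample event(s) match '{2}'" -f $channel, @($events).Count, $entry.Query
            $events | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName | Format-Table -AutoSize
        } catch {
            # Get-WinEvent raises "No events were found ..." when the query is valid but matches
            # nothing, and a different error for a bad XPath expression, an unknown channel
            # or missing read permission. Print the message so the cause can be told apart.
            "{0}: {1}" -f $channel, $_.Exception.Message
        }
    }
}
```

A query that returns "No events were found" is syntactically fine and may simply have nothing to match yet (Critical events in the Application log are rare); an "access is denied" message on the Security channel means the account running the agent service needs the same read access before that channel will yield anything.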
Adding Log Files
You can add further Windows Event Log channels to the monitor's channel list. Each channel must be referenced by its Full Name as shown in Event Viewer (for example Microsoft-Windows-TerminalServices-LocalSessionManager/Operational), not by the display name shown in the Event Viewer tree.
Steps:
1. In Event Viewer, select the log (for channels under Applications and Services Logs, expand the folder tree to reach it) and open its Properties.
2. Copy the value of the Full Name field.
3. Paste it into the channel list in the agent configuration file:
C:\Program Files (x86)\scalyr\config\agent.json
monitors: [
  {
    module: "scalyr_agent.builtin_monitors.windows_event_log_monitor",
    channels: [
      {
        "channel": [
          "Application",
          "Security",
          "System",
          "Microsoft-Windows-AAD/Operational",
          "Microsoft-Windows-TerminalServices-RDPClient/Operational",
          "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
          "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
          "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
        ],
        "query": "*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3 or System/Level=4]"
      }
    ]
  }
]
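Copying Full Names out of the Properties dialog one at a time is error-prone, and several of the Operational channels above are disabled by default, so the agent can subscribe to them successfully and still forward nothing. The PowerShell below is an added example, not code from the DataSet/Scalyr agent or its documentation; it checks each channel in the configuration above for existence, enabled state and record count, lists the Full Names of related channels with a wildcard search, and shows how to enable a channel with wevtutil. It assumes an elevated PowerShell session, which enabling a channel requires.

```powershell
# Added example (not part of the DataSet/Scalyr agent or its docs): verify the channels
# named in the configuration above and discover the Full Name of related channels.
# Assumes an elevated PowerShell session (needed to read Security and to enable channels).

# The channel list from the configuration above, by Full Name.
$configuredChannels = @(
    'Application', 'Security', 'System',
    'Microsoft-Windows-AAD/Operational',
    'Microsoft-Windows-TerminalServices-RDPClient/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
)

foreach ($name in $configuredChannels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        # A name Windows does not know means the agent's subscription to it will fail;
        # take the exact Full Name from the log's Properties dialog or from the search below.
        "MISSING   $name"
        continue
    }
    # Many */Operational channels ship disabled; a disabled channel records nothing to forward.
    $state = if ($log.IsEnabled) { 'enabled ' } else { 'DISABLED' }
    "{0} {1,8} records  {2}" -f $state, $log.RecordCount, $log.LogName
}

# Find the Full Name of every RDP-related channel without clicking through Event Viewer.
Get-WinEvent -ListLog '*TerminalServices*', '*RemoteDesktop*' -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount |
    Format-Table -AutoSize

# Enable a channel that is reported DISABLED above so the agent has events to read:
#   wevtutil set-log 'Microsoft-Windows-TerminalServices-RDPClient/Operational' /enabled:true
```

Run the check once after editing agent.json and again after a Windows upgrade; channel names under Applications and Services Logs are stable, but a channel that was enabled by hand can be reset to disabled by a feature update.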
On versions of Windows prior to Vista, the older EventLog API is used. That API cannot retrieve 'Critical' (Level 1) events, because this level was only introduced in Vista.
On versions of Windows from Vista onwards, the newer Evt API is used, which can retrieve 'Critical' events. The XPath query syntax shown above is evaluated by the Evt API, so the per-channel query configuration is available only on Vista and later.