Skip to main content

Windows Event Log Monitor

Joel Mora
  • Updated

The Windows Event Log monitor uploads messages from the Windows Event Log to the DataSet servers. It can listen to multiple different event sources and also filter by messages of a certain type. View full documentation here

On Windows Vista and later, the Scalyr Agent can be configured to query events on any channel. See the Event log documentation for more details.

The following will configure the agent to listen to Critical (1), Error (2), Warning (3), and Information (4) Windows Loglevel events from the Application, Security and System channels:

monitors: [
  {
    module:                  "scalyr_agent.builtin_monitors.windows_event_log_monitor",
    channels: [
        { "channel": [ "Application", "Security", "System" ],
          "query": "*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3 or System/Level=4]"
        }
    ]
  }
]


Alternatively, here is a configuration that will log Critical (1) errors for the Application channel, and Critical (1), Error (2), and Warning (3), messages for the System and Security channels.

monitors: [
  {
    module:                  "scalyr_agent.builtin_monitors.windows_event_log_monitor",
    channels: [
        { "channel": ["Application"],
          "query": "*[System/Level=1]"
        },
        {
          "channel": ["Security", "System" ],
          "query": "*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3]"
        }
    ]
  }
]

 

Adding Log Files

You can add different log files from Windows Event Log easily. 

 

Steps:

1. Navigate to File in EventViewer

mceclip0.png

2. Copy the Full Name

Pasted_Image_3_26_22__12_43_AM.png

3. Paste in config

C:\Program Files (x86)\scalyr\config\agent.json
monitors: [
   {
      module: "scalyr_agent.builtin_monitors.windows_event_log_monitor",
      channels: [
          { 
             "channel": [ "Application", "Security", "System", "Microsoft-Windows-AAD/Operational","TerminalServices-RDPClient/Operational", "TerminalServices-RemoteConnectionManager/Operational", "RemoteDesktopServices-RDPCoreTS /Operational", "TerminalServices-LocalSessionManager/Operational","TerminalServices-LocalSessionManager/Operational" ],
             "query": "*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3 or System/Level=4]"
          }
     ]
  }
]

On versions of Windows prior to Vista, the older EventLog API is used. This API is unable to retrieve 'Critical' events because this event type was only introduced in Vista.


On versions of Windows from Vista onwards, the newer Evt API is used which can be used to retrieve 'Critical' events.


Continue to Streaming Log Files

 

Related articles

Comments

0 comments

Please sign in to leave a comment.