Windows Event Log Source
```yaml
## This is YAML, so structure and indentation is important.
## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
## Config options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
#####

sources:
  windowsEvents:
    type: wineventlog
    sink: logscaleSink
    channels:
      # Collect all from ForwardedEvents except EventID 900 and 903
      - name: ForwardedEvents
        excludeEventIDs: [900, 903]
      # Collect EventIDs 4624, 4634 and 4672 from Security
      - name: Security
        onlyEventIDs: [4624, 4634, 4672]
      # Collect all events from System/Microsoft-Windows-NLB with level 1 and 2
      - name: System
        providers:
          - "Microsoft-Windows-NLB"
        levels: [1, 2]
      # Collect from Application using an XPath query
      # (the value is quoted because an unquoted leading * is read as a YAML alias)
      - name: Application
        type: query
        query: '*[System[Level<4] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]'
      # Collect using cross-channel querying
      - name: CustomQueryXML
        type: query
        query: |
          <QueryList>
            <Query>
              <Select Path="Application">
                *[System[Level>0] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]
              </Select>
              <Suppress Path="Application">
                *[System[EventID=1004]]
              </Suppress>
            </Query>
          </QueryList>

    ## You can manually specify a parser to be used here.
    parser: microsoft-winevent

    transforms:
      - type: static_fields
        fields:
          role: "firewall"

    ## Set language to en-US
    language: 1033

    ## Overwrite default behaviour to exclude raw XML
    format: renderFieldsOnly

sinks:
  logscaleSink:
    type: logscale
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://your.logscale.cluster
```
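To review what a channel list like the one above actually selects before the collector ships it, the added example below (not code from the LogScale Collector or its documentation) turns the shorthand filter keys into the XPath form Event Viewer and wevtutil understand. The mapping from `onlyEventIDs`, `excludeEventIDs`, `providers` and `levels` to XPath is an assumption made here, so check the output against the live channel before relying on it.

```python
"""Preview which events a wineventlog source's channel entries would select."""
from typing import Dict, List
from xml.sax.saxutils import escape, quoteattr


def channel_to_xpath(ch: Dict) -> str:
    """Return an XPath selecting the events one channel entry describes.

    Assumed equivalence: shorthand keys map to System[...] predicates the same
    way Event Viewer's filter dialog would express them."""
    if ch.get("type") == "query":
        return ch["query"].strip()  # explicit query: passed through unchanged
    conds: List[str] = []
    if ch.get("providers"):
        names = " or ".join(f"@Name={quoteattr(p)}" for p in ch["providers"])
        conds.append(f"Provider[{names}]")
    if ch.get("levels"):
        conds.append("(" + " or ".join(f"Level={lv}" for lv in ch["levels"]) + ")")
    if ch.get("onlyEventIDs"):
        conds.append("(" + " or ".join(f"EventID={i}" for i in ch["onlyEventIDs"]) + ")")
    if ch.get("excludeEventIDs"):
        conds.append("(" + " and ".join(f"EventID!={i}" for i in ch["excludeEventIDs"]) + ")")
    return "*[System[" + " and ".join(conds) + "]]" if conds else "*"


def build_query_list(channels: List[Dict]) -> str:
    """Combine per-channel XPath into one <QueryList> for Event Viewer / wevtutil.

    Entries that already carry a complete <QueryList> are skipped, since they
    stand on their own. Text is XML-escaped so Level<4 becomes Level&lt;4."""
    lines = ["<QueryList>", '  <Query Id="0">']
    for ch in channels:
        xpath = channel_to_xpath(ch)
        if xpath.startswith("<QueryList"):
            continue
        lines.append(f"    <Select Path={quoteattr(ch['name'])}>{escape(xpath)}</Select>")
    lines += ["  </Query>", "</QueryList>"]
    return "\n".join(lines)


# Constructed inline: the channel entries from the configuration above.
SAMPLE_CHANNELS = [
    {"name": "ForwardedEvents", "excludeEventIDs": [900, 903]},
    {"name": "Security", "onlyEventIDs": [4624, 4634, 4672]},
    {"name": "System", "providers": ["Microsoft-Windows-NLB"], "levels": [1, 2]},
    {"name": "Application", "type": "query",
     "query": '*[System[Level<4] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]'},
]

if __name__ == "__main__":
    print(build_query_list(SAMPLE_CHANNELS))
```

The per-channel expression can be pasted into `Get-WinEvent -FilterXPath` or `wevtutil qe <channel> /q:"..."` on the host to see the events and volume the filter admits.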

Table: Windows Source

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| channels | wineventlogchannel | optional [a] | | Specify the Windows Event Log channels to read; if no channels are specified, the log collector subscribes to all available channels. To learn more, see Windows Source: Filters and Customizations. Important: subscribing to all channels may impact performance, as the amount of data logged would be very high. |
| format | wineventlogformat | optional [a] | | Specifies the output format for Windows Event Log records (added in 1.10). Values: `renderFieldsOnly` (includes only the event fields), `renderFieldsWithXML`, `xmlOnly`, `xmlWithMessage`. |
| includeXML | boolean | optional [a] | | Includes XML in the source; when set to false, the XML is excluded from the source. |
| language | integer | optional [a] | 0 | Specify the language for the event message, collected as @rawstring, using the Windows LCID language code. This only applies to rendering of the event message (no other values) and only to local events. In the case of forwarded events the message is rendered locally by the Windows Event Forwarder, and when collected on the Windows Event Collector the message is plain text to the LogScale Collector. The default setting is 0, which corresponds to the previous behaviour: the active language on the host. |
| parser | string | optional [a] | | Specify the parser within LogScale to use to parse the logs. If you install the parser through a package, you must specify the type and name as displayed on the parsers page, for example `linux/system-logs:linux-filebeat`. If a parser has been assigned to the ingest token you are using, this setting is ignored. |
| sink | string | required | | Name of the configured sink that will receive the collected events. |
| transforms | transform | optional [a] | | Specify transforms to use for this source (optional). If `static_fields` is specified you must specify a key and a value, which can be an environment variable, for example `myenvvar:$MY_ENV_VAR`. |
| type | wineventlog | required | | The sources block configures the sources of data that the log collector will send to Falcon LogScale. |

[a] Optional parameters use their default value unless explicitly set.