Windows Event Log Source

Example
```yaml
sources:
  windowsEvents:
    type: wineventlog
    sink: logscaleSink
    channels:
      - name: ForwardedEvents
        excludeEventIDs: [900, 903]
      - name: Security
        onlyEventIDs: [4624, 4634, 4672]
      - name: System
        providers:
          - "Microsoft-Windows-NLB"
        levels: [1, 2]
      - name: Application
        type: query
        query: '*[System[Level<4] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]'
      - name: CustomQueryXML
        type: query
        query: |
          <QueryList>
            <Query id="0" Path="Application">
              <Select Path="Application">
                *[System[Level>0] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]
              </Select>
              <Suppress Path="Application">
                *[System[EventID=1004]]
              </Suppress>
            </Query>
          </QueryList>
    parser: microsoft-winevent
    transforms:
      - type: static_fields
        fields:
          role: "firewall"
    language: 1033
    format: renderFieldsOnly
sinks:
  logscaleSink:
    type: logscale
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    url: https://your.logscale.cluster
```
Introduction

This configuration collects Windows Event Logs using a variety of filters, including specific event IDs, providers, and XPath/XML queries.

Step-by-Step
1. ```yaml
   sources:
     windowsEvents:
       type: wineventlog
       sink: logscaleSink
       channels:
         - name: ForwardedEvents
           excludeEventIDs: [900, 903]
         - name: Security
           onlyEventIDs: [4624, 4634, 4672]
         - name: System
           providers:
             - "Microsoft-Windows-NLB"
           levels: [1, 2]
         - name: Application
           type: query
           query: '*[System[Level<4] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]'
         - name: CustomQueryXML
           type: query
           query: |
             <QueryList>
               <Query id="0" Path="Application">
                 <Select Path="Application">
                   *[System[Level>0] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]
                 </Select>
                 <Suppress Path="Application">
                   *[System[EventID=1004]]
                 </Suppress>
               </Query>
             </QueryList>
   ```

   This fragment defines a Windows Event Log source with a variety of filters, including channel-based selection, provider and level filtering, and XPath/XML queries to capture precise event sets.

2. ```yaml
       parser: microsoft-winevent
       transforms:
         - type: static_fields
           fields:
             role: "firewall"
       language: 1033
       format: renderFieldsOnly
   ```

   This fragment defines optional settings for the Windows Event Log source, including a custom parser, static field enrichment, language setting, and output formatting. These keys sit at the same level as `type`, `sink`, and `channels` under `windowsEvents`, and `role` is nested under `fields`.

3. ```yaml
   sinks:
     logscaleSink:
       type: logscale
       token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
       url: https://your.logscale.cluster
   ```

   This fragment configures a token-authenticated LogScale sink that receives log events from the Windows Event Log pipeline.

4. Event Result set.
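The channel filters in step 1 are only as good as the events they actually match, so it is worth previewing them on the collecting host before the collector ships data. The following PowerShell is an added example, not part of the LogScale Collector documentation or product: it reuses the same event ID lists, provider, levels, XPath and structured XML query with the built-in `Get-WinEvent` cmdlet, then checks that the `Suppress` clause really removed EventID 1004 and that nothing outside the Security `onlyEventIDs` list came back. The variable names and the `-MaxEvents 20` sample size are my choices; the structured query is written with `Id="0"`, the attribute spelling Event Viewer itself produces.

```powershell
# Added example (not from the LogScale Collector docs): preview what each channel
# filter from the wineventlog source would match, using only built-in Get-WinEvent.
# Run in an elevated session; reading the Security log requires administrator rights.

# Security channel: onlyEventIDs -> logon (4624), logoff (4634), special privileges (4672)
$securityPreview = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID      = 4624, 4634, 4672
} -MaxEvents 20 -ErrorAction SilentlyContinue

# System channel: provider plus levels (1 = Critical, 2 = Error)
$systemPreview = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-NLB'
    Level        = 1, 2
} -MaxEvents 20 -ErrorAction SilentlyContinue

# Application channel: the single-line XPath query exactly as it appears in the config
$xpath = '*[System[Level<4] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]'
$appPreview = Get-WinEvent -LogName Application -FilterXPath $xpath `
    -MaxEvents 20 -ErrorAction SilentlyContinue

# CustomQueryXML channel: the structured query with its Suppress clause, passed as XML
[xml]$queryXml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Level>0] and System/Provider[@Name="Microsoft-Windows-Security-SPP"]]
    </Select>
    <Suppress Path="Application">
      *[System[EventID=1004]]
    </Suppress>
  </Query>
</QueryList>
'@
$xmlPreview = Get-WinEvent -FilterXml $queryXml -MaxEvents 20 -ErrorAction SilentlyContinue

# Sanity checks: Suppress must have dropped every EventID 1004, and the Security
# preview must contain nothing outside the allow-listed IDs. Both counts should be 0.
$suppressLeak   = @($xmlPreview | Where-Object { $_.Id -eq 1004 }).Count
$securityIdLeak = @($securityPreview | Where-Object { $_.Id -notin 4624, 4634, 4672 }).Count

[pscustomobject]@{
    SecurityEvents   = @($securityPreview).Count
    SystemEvents     = @($systemPreview).Count
    ApplicationXPath = @($appPreview).Count
    CustomQueryXml   = @($xmlPreview).Count
    SuppressLeak     = $suppressLeak     # expected 0
    SecurityIdLeak   = $securityIdLeak   # expected 0
}
```

A zero count for a channel is not an error from `Get-WinEvent` (the "no events found" condition is suppressed by `-ErrorAction SilentlyContinue`), but it is a signal to check the provider name, level range or event IDs before relying on that channel for detection: a filter that matches nothing on the host will silently ship nothing to LogScale.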

Summary and Results

This example configures a Windows Event Log source with filtered channels, optional parsing, field enrichment, and a token-authenticated LogScale sink.