Windows Source: Filters and Customizations
Key Features:
  • Channel Selection: You can specify which event log channels to collect from. If not specified, it collects from all channels.

  • Event Filtering:

    • By Event ID: Include or exclude specific event IDs

    • By Level: Filter events based on their severity level

    • By Provider: Collect events from specific event providers

    • By XPath and XML query

  • Event format: Option to include the full XML representation of each event.

  • Language Customization: Ability to specify the rendering language using Windows LCID language codes.

  • Transformations and Parsing: Supports applying transformations to events and specifying a parser for further processing.

Select Channels

The channels property specifies the list of channels to collect. If channels is not defined, all channels will be collected. To get the list of available channels on your system run the following PowerShell command:

```powershell
Get-WinEvent -ListLog * -EA silentlycontinue | sort-object -Property Recordcount -desc
```

A channel can be configured in any of three ways, and the three methods can be combined in one configuration.

Simple Channel

Simple Channel Configuration parameters:

  • type: simple (optional, as it's the default)

  • name: Name of the Windows Event Log channel (required)

  • onlyEventIDs: List of event IDs to collect (optional, collects all if not specified)

  • excludeEventIDs: List of event IDs to exclude (optional)

  • levels: List of levels to collect (optional, collects all if not specified)

  • providers: List of providers to collect from (optional, collects from all if not specified)

```yaml
channels:
  - name: Security
    levels: [1, 2, 3]  # Critical, Error, Warning
    onlyEventIDs: [4624, 4625, 4634]
    providers: ["Microsoft-Windows-Security-Auditing"]
```

XPath Query Channel

XPath Query Channel Configuration:

  • type: query (required)

  • name: The name of the channel to collect

  • query: XPath expression selecting the events to collect

```yaml
channels:
  - name: Application
    type: query
    query: |
      *[System[Provider[@Name='Microsoft-Windows-Kernel-PnP'] and
        (EventID=219 or EventID=220 or EventID=221 or EventID=224)]]
```

XML Query Channel

XML Query Channel Configuration:

  • type: query (required)

  • name: Name of the query (used for @collector.channel)

  • query: XML query string (required)

```yaml
channels:
  - name: CustomQuery
    type: query
    query: |
        <QueryList>
          <Query Id="0">
            <Select Path="Security">
              *[System[(EventID=4624 or EventID=4625 or EventID=4634)]]
            </Select>
            <Select Path="Application">
              *[System[(Level=1 or Level=2)]]
            </Select>
            <Select Path="System">
              *[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=41 or EventID=1074)]]
            </Select>
            <Suppress Path="Security">
              *[System[EventID=4624] and
                EventData[Data[@Name='LogonType']='5']]
            </Suppress>
          </Query>
        </QueryList>
```

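A query that is mistyped or over-suppressed fails silently in a collector: the channel simply stops producing events. The following PowerShell is an added example, not part of the collector's documentation, that dry-runs the CustomQuery above with Get-WinEvent on the host before it goes into the config. The function name Test-CollectorQuery is hypothetical; reading the Security log requires an elevated shell.

```powershell
# Added example: validate a collector XML query locally before deploying it.
# The QueryList is the page's CustomQuery, copied as-is.
$CustomQuery = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4634)]]
    </Select>
    <Select Path="Application">
      *[System[(Level=1 or Level=2)]]
    </Select>
    <Select Path="System">
      *[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=41 or EventID=1074)]]
    </Select>
    <Suppress Path="Security">
      *[System[EventID=4624] and EventData[Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
</QueryList>
"@

function Test-CollectorQuery {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $QueryXml,
        [int] $MaxEvents = 200
    )
    # Parse first: a malformed QueryList fails here with a clear XML error
    # instead of an opaque "no events were found" from the event log API.
    $xml = [xml] $QueryXml

    # Same query engine the collector hands to Windows; needs elevation for Security.
    $events = Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ErrorAction Stop

    # Per-channel / per-ID counts show whether each <Select> yields what was intended.
    $events | Group-Object LogName, Id | Sort-Object Count -Descending |
        Select-Object Name, Count | Format-Table -AutoSize

    # Confirm the <Suppress> took effect: no 4624 with LogonType 5 should remain.
    $leaked = $events | Where-Object { $_.Id -eq 4624 } | Where-Object {
        ([xml] $_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'LogonType' -and $_.'#text' -eq '5' }
    }
    if ($leaked) { Write-Warning "Suppress left $($leaked.Count) LogonType 5 logon(s)" }
    else { Write-Host "Suppress check passed" }
}

Test-CollectorQuery -QueryXml $CustomQuery
```

An empty result with no error usually means the XPath is syntactically valid but matches nothing, which is worth catching before the channel is deployed rather than after.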
Multiple filters

Additionally, you can combine the selection methods within one channels list: simple channels with level filters, plain channels, and query channels side by side.

```yaml
channels:
  - name: Application
    levels: [1, 2]  # Critical and Error
  - name: System
  - name: Security
    type: query
    query: "*[System[...]]"
```