Collect the Windows event log


This topic describes how to create a Logtail configuration in the Simple Log Service console to collect the Windows event log.

Prerequisites

  • Logtail 1.0.0.0 or later is installed on your Windows server. For more information, see Install Logtail on a Windows server.

  • The source server continuously generates logs.

    Important

    Logtail collects only incremental logs. If a log file is not updated after the Logtail configuration is applied, Logtail does not collect logs from that file. For more information, see Read log files.

How it works

To obtain event logs, Windows provides two APIs: Windows Event Log and Event Logging. The Windows Event Log API is an upgrade to the Event Logging API and is available only on Windows Vista and later. The Logtail plug-in automatically selects an API based on the operating system to obtain the Windows event log. Logtail preferentially selects the Windows Event Log API.

The Windows event log uses a publish-subscribe model. An application or the kernel publishes event logs to a specified channel, such as Application, Security, or System. Logtail uses the corresponding plug-in to call the Windows API and subscribe to these channels. This allows Logtail to continuously collect relevant event logs and send them to Simple Log Service.

Logtail supports collecting events from multiple channels simultaneously. For example, you can collect logs from the Application and System channels at the same time.

View channel information

You can view channel information in the Event Viewer on your Windows server.

  1. Click Start.

  2. Search for and open Event Viewer.

  3. In the left-side navigation pane, expand Windows Logs or Applications and Services Logs.

  4. View the full name and related information of the channel.

    Windows logs

    • Under Windows Logs, select the target channel, right-click and select Properties to view the full name of the channel. Examples include:

      • Application

      • Security

      • Setup

      • System

    • Under Windows Logs, click the target channel to view information such as the event level, date and time, source, and event ID in the central pane.

      You can use this information to filter logs in the Logtail configuration.

    Applications and services logs

    • Under Applications and Services Logs, select the target channel, right-click and select Properties to view the full name of the channel. For example:

      • The full name of the TerminalServices-LocalSessionManager/Operational channel is Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. This full name is the value to use for the Name parameter.

      • The full name of the PowerShell/Operational channel is Microsoft-Windows-PowerShell/Operational.

Procedure

  1. Log on to the Simple Log Service console.

  2. In the Import Data section, click Windows Event Logs.

  3. Select the destination project and Logstore, and then click Next.

  4. In the Machine Group Configurations step, configure a machine group.

    1. Configure the Scenario and Installation Environment parameters as needed.

      Important

      You must configure the Scenario and Installation Environment parameters regardless of whether a machine group is available. The parameter settings affect subsequent configurations.

    2. Ensure that a machine group is displayed in the Applied Server Groups section, and click Next.

      Machine group available

      Select a machine group from the Source Machine Group section.

      No machine group available

      Click Create Machine Group. In the Create Machine Group panel, configure the parameters. You can set the Machine Group Identifier parameter to IP Address or Custom Identifier. For more information, see Create a custom identifier-based machine group or Create an IP address-based machine group.

      Important

      If you apply a machine group immediately after you create the machine group, the heartbeat status of the machine group may be FAIL. This issue occurs because the machine group is not connected to Simple Log Service. To resolve this issue, you can click Automatic Retry. If the issue persists, see What do I do if no heartbeat connections are detected on Logtail?

  5. On the Configure Data Source tab, set Configuration Name and Plug-in Configuration, and then click Next.

    • inputs is required and is used to configure the data source settings for the Logtail configuration.

      Important

      You can specify only one type of data source in inputs.

    • processors is optional and is used to configure the data processing settings for the Logtail configuration to parse data. You can specify one or more processing methods.

      If your logs cannot be parsed based only on the settings in inputs, you can configure processors in the Plug-in Configuration field to add plug-ins for data processing, for example to extract fields, extract the log time, mask data, or filter logs. For more information, see Logtail plugins for data processing.

    For example, to collect logs from the Application, System, and TerminalServices-LocalSessionManager/Operational channels, you can add the following configuration to inputs.

    {
        "inputs": [
            {
                "type": "service_wineventlog",
                "detail": {
                    "Name": "Application",
                    "IgnoreOlder": 259200
                }
            },
            {
                "type": "service_wineventlog",
                "detail": {
                    "Name": "System",
                    "IgnoreOlder": 259200
                }
            },
            {
                "type": "service_wineventlog",
                "detail": {
                    "Name": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
                    "IgnoreOlder": 259200
                }
            }      
        ]
    }
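    As an added example (not code from the Simple Log Service documentation or the Logtail project), the following PowerShell script resolves the full channel names described under View channel information, warns about channels that do not exist or are disabled, and emits the matching inputs fragment. The channel list, the three-day IgnoreOlder value and the Level filter are assumptions to adjust for your environment.

```powershell
# Added example (not Simple Log Service or Logtail code): resolve channel names, check that
# each channel exists and is enabled, and emit a service_wineventlog "inputs" fragment.
$wanted = @(                                   # assumed channel list; adjust as needed
    'Application',
    'System',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
)

$inputs = foreach ($name in $wanted) {
    # An unknown name raises a non-terminating error; suppress it and treat $null as "missing"
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$name' not found; copy the full name from Event Viewer > Properties"
        continue
    }
    if (-not $log.IsEnabled) {
        Write-Warning "Channel '$($log.LogName)' is disabled; Logtail will receive no new events from it"
    }
    [ordered]@{
        type   = 'service_wineventlog'
        detail = [ordered]@{
            Name        = $log.LogName              # exact channel name as Windows reports it
            IgnoreOlder = 259200                    # assumed: skip events older than 3 days on first run
            Level       = 'warning,error,critical'  # assumed: drop information-level noise
        }
    }
}

if (-not $inputs) { throw 'No valid channels resolved; nothing to configure' }

# The default -Depth (2) would stringify the nested detail object; 4 covers inputs -> detail -> values
@{ inputs = @($inputs) } | ConvertTo-Json -Depth 4
```

    Paste the printed JSON into the Plug-in Configuration field; listing the Security channel additionally requires running the script in an elevated session.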

    The parameters of the service_wineventlog data source are described below (parameter name, type, and whether it is required).

    type (String, required)

    The type of the data source. Set the value to service_wineventlog.

    Name (String, required)

    The name of the channel from which you want to collect event logs. If you do not configure this parameter, Logtail collects logs from the Application channel by default. You can view the full name of the channel in Windows. For more information, see View channel information.

    IgnoreOlder (UINT, optional)

    This parameter specifies a time offset in seconds from the collection start time. Logtail ignores logs generated before this offset. For example:

    • If you set this parameter to 3600, logs generated more than one hour before the collection starts are ignored.

    • If you set this parameter to 14400, logs generated more than four hours before the collection starts are ignored.

    By default, this parameter is empty, which indicates that all historical event logs on the server are collected.

    Note

    This option takes effect only during the initial collection. Logtail records a checkpoint for event collection to prevent duplicate collection.

    Level (String, optional)

    Filters logs based on the event level. The default value is information, warning, error, critical, which collects all logs except for those at the verbose level. Valid values: information, warning, error, critical, and verbose. You can specify multiple levels by separating them with commas (,).

    Note

    This parameter is available only on Windows Vista and later operating systems.

    EventID (String, optional)

    Filters logs based on the event ID. You can specify an allowlist (a single ID or a range) or a denylist (ranges are not supported). By default, this parameter is empty, which indicates that all events are collected. For example:

    • 1-200: Collects only event logs with IDs ranging from 1 to 200.

    • 20: Collects only event logs with an ID of 20.

    • -100: Collects all event logs except for those with an ID of 100.

    • 1-200,-100: Collects event logs with IDs in the range of 1 to 200, excluding those with an ID of 100.

    You can specify multiple values by separating them with commas (,).

    Note

    This parameter is available only on Windows Vista and later operating systems.

    Provider (String array, optional)

    Filters logs based on the event source. For example, if you set this parameter to ["App1", "App2"], only event logs from the App1 and App2 sources are collected. All other event logs are ignored.

    By default, this parameter is empty, which indicates that events from all sources are collected.

    Note

    This parameter is available only on Windows Vista and later operating systems.

    IgnoreZeroValue (Boolean, optional)

    Not every event log has all fields. You can use this parameter to filter out empty fields. The definition of an empty field depends on its type. For example, an empty integer field is represented by 0.

    The default value is false, which indicates that empty fields are not filtered.
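    The EventID filter grammar described above (comma-separated allowlist entries that are single IDs or ranges, and denylist entries prefixed with a hyphen that must be single IDs), implemented as an added example that is not Logtail's own code, so a filter expression can be checked against sample event IDs before it is deployed. Test-EventIdFilter is a hypothetical helper name and the event IDs in the walkthrough are constructed.

```powershell
# Added example (not Logtail code): evaluate a service_wineventlog EventID filter expression
# against a single event ID, using the documented grammar. Denylist wins, then allowlist;
# an empty allowlist means "collect everything that is not denied".
function Test-EventIdFilter {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][int]$EventId
    )
    $allow = @()   # ranges as @{ Min; Max }; a single ID becomes a one-element range
    $deny  = @()   # single IDs only, per the documentation
    foreach ($raw in $Filter -split ',') {
        $item = $raw.Trim()
        if ($item -eq '') { continue }
        if ($item -match '^-(\d+)$') {
            $deny += [int]$Matches[1]
        } elseif ($item -match '^(\d+)-(\d+)$') {
            $allow += @{ Min = [int]$Matches[1]; Max = [int]$Matches[2] }
        } elseif ($item -match '^(\d+)$') {
            $allow += @{ Min = [int]$Matches[1]; Max = [int]$Matches[1] }
        } else {
            # Catches things like "-1-200": denylist ranges are not supported
            throw "Unsupported EventID filter item '$item'"
        }
    }
    if ($deny -contains $EventId) { return $false }
    if ($allow.Count -eq 0) { return $true }
    foreach ($r in $allow) {
        if ($EventId -ge $r.Min -and $EventId -le $r.Max) { return $true }
    }
    return $false
}

# Walk the four documented examples against constructed event IDs
foreach ($case in @(
    @{ Filter = '1-200';      Ids = 1, 200, 201 },    # True, True, False
    @{ Filter = '20';         Ids = 20, 21 },         # True, False
    @{ Filter = '-100';       Ids = 100, 101 },       # False, True
    @{ Filter = '1-200,-100'; Ids = 50, 100, 300 }    # True, False, False
)) {
    foreach ($id in $case.Ids) {
        '{0,-12} id {1,4}: {2}' -f $case.Filter, $id, (Test-EventIdFilter -Filter $case.Filter -EventId $id)
    }
}
```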

  6. Create indexes and preview data. Then, click Next. By default, full-text indexing is enabled in Simple Log Service. You can also manually create field indexes for the collected logs or click Automatic Index Generation. Then, Simple Log Service generates field indexes. For more information, see Create indexes.

    Important

    If you want to query all fields in logs, we recommend that you use full-text indexes. If you want to query only specific fields, we recommend that you use field indexes. This helps reduce index traffic. If you want to analyze fields, you must create field indexes. You must include a SELECT statement in your query statement for analysis.

  7. Click Query Log to go to the query and analysis page for the Logstore.

    You must wait about one minute for the indexes to take effect. You can then view the collected logs on the Raw Logs tab. For more information, see Quick start for log query and analysis.

Troubleshooting

If no data appears on the preview or query page after you configure Logtail, see Troubleshoot Logtail log collection failures.

What to do next

After Simple Log Service collects the Windows event log, you can view the logs in the Simple Log Service console.

__source__: xxx
__tag__:__client_ip__: xxx
__tag__:__hostname__: xxx
__tag__:__receive_time__: 1545292473
__topic__:
activity_id: {085C7022-038B-40E4-BF0B-EB97C4337940}
computer_name: xxx
event_data: {"DCName":"\\\\HZ-FT-xxx","ProcessingMode":"0","ProcessingTimeInMilliseconds":"5812","SupportInfo1":"1","SupportInfo2":"4220"}
event_id: 1501
kernel_time: 0
keywords: []
level: Information
log_name: System
message: The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.
message_error:
opcode: Start
process_id: 248024
processor_id: 0
processor_time: 0
provider_guid: {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
record_number: 6908
related_activity_id:
session_id: 0
source_name: Microsoft-Windows-GroupPolicy

Field: Description

activity_id: The globally unique identifier (GUID) of the activity to which the event belongs. Events in the same activity share the same GUID.

computer_name: The name of the computer where the event was generated.

event_data: Data that is related to the event.

event_id: The ID of the event.

kernel_time: The kernel time that is consumed by the event. This value is typically 0.

keywords: Keywords that are associated with the event and used for event classification.

level: The level of the event.

log_name: The name of the channel for the event. This is the value of the Name parameter in the Logtail configuration.

message: The message that is associated with the event.

message_error: The error message that is generated if the event message fails to parse.

opcode: The opcode that is associated with the event.

process_id: The process ID for the event.

processor_id: The processor ID for the event. This value is typically 0.

processor_time: The processor time that is consumed by the event. This value is typically 0.

provider_guid: The GUID of the event provider.

record_number: The record number of the event, which increments with each event written. It wraps to 0 after exceeding 2^32 (for Event Logging) or 2^64 (for Windows Event Log).

related_activity_id: The GUID of an activity related to the event's primary activity.

session_id: The session ID for the event. This value is typically 0.

source_name: The source of the event. This is the value of the Provider parameter in the Logtail configuration.

task: The task that is associated with the event.

thread_id: The thread ID for the event.

type: The API that is used to obtain the event.

user_data: User data that is associated with the event.

user_domain: The user domain that is associated with the event.

user_identifier: The Windows Security Identifier (SID) of the user associated with the event.

user_name: The username that is associated with the event.

user_time: The user-mode time that is consumed by the event. This value is typically 0.

user_type: The type of user associated with the event.

version: The version number of the event.

xml: The raw information of the event in XML format.