Windows Event Log Integration
Collect Windows Event Log entries in real-time with LogFlux Agent
The LogFlux Windows Event Log integration collects Windows Event Log entries in real-time from Windows systems, enabling centralized log analysis from your Windows infrastructure. This plugin provides comprehensive monitoring of system events, security events, application logs, and specialized Windows component logs.
Overview
The Windows Event Log plugin provides:
- Multi-Channel Support: Monitor System, Security, Application, and specialized event channels simultaneously
- Real-Time Collection: Live event monitoring with configurable polling intervals
- Advanced Filtering: Filter by event levels, IDs, providers, channels, and XPath queries
- Security Focus: Special handling for security events with SID resolution and audit policy mapping
- Performance Optimization: Batch processing and position tracking to prevent duplicate events
- Native Integration: Uses Windows Event Log APIs for direct system integration
- Comprehensive Metadata: Rich event metadata extraction and structured data handling
Installation
The Windows Event Log plugin is included with the LogFlux Agent for Windows but disabled by default.
Prerequisites
- LogFlux Agent installed on Windows system (see Installation Guide)
- Windows Vista/Server 2008 or later
- Administrator rights, or membership in the built-in Event Log Readers group (the default Security channel ACL grants that group read access), for reading the Security event log
- Network connectivity to LogFlux Agent socket
Enable the Plugin
```powershell
# Enable and start the Windows Event Log plugin service.
# Call sc.exe explicitly: in PowerShell, sc is an alias for Set-Content.
sc.exe config logflux-winevent start= auto
sc.exe start logflux-winevent

# Check status
sc.exe query logflux-winevent
```
Configuration
Basic Configuration
Create or edit the Windows Event Log plugin configuration:
```powershell
notepad "C:\ProgramData\LogFlux\Agent\plugins\winevent.yaml"
```
Basic configuration:
```yaml
# Windows Event Log Plugin Configuration
name: winevent
version: 1.0.0
source: winevent-plugin

# Agent connection
agent:
  socket_path: \\.\pipe\logflux-agent

# Event log channels to monitor
channels:
  - name: "System"
    enabled: true
  - name: "Application"
    enabled: true
  - name: "Security"
    enabled: true

# Event filtering
filters:
  # Event levels: 1=Critical, 2=Error, 3=Warning, 4=Information, 5=Verbose.
  # Security-Auditing events (4624, 4625, ...) carry Level 0 (LogAlways), which the
  # plugin reports as Information (see the sample output further down). When the
  # Security channel is enabled, keep 4 in this list so audit events are not dropped.
  levels: [1, 2, 3, 4]
  # Maximum events to read on startup
  tail: 1000
  # Polling interval
  poll_interval: 5s

# Metadata and labeling
metadata:
  labels:
    plugin: winevent
    os: windows
  # Enable SID-to-username resolution
  resolve_sids: true

# Batching for efficiency
batch:
  enabled: true
  size: 100
  flush_interval: 5s
```
Advanced Configuration
```yaml
# Advanced Windows Event Log Configuration
name: winevent
version: 1.0.0
source: winevent-plugin

# Enhanced agent settings
agent:
  socket_path: \\.\pipe\logflux-agent
  connect_timeout: 30s
  max_retries: 5
  retry_delay: 10s

# Comprehensive channel monitoring
channels:
  # Core system channels
  - name: "System"
    enabled: true
    levels: [1, 2, 3, 4]
    max_events: 10000
  - name: "Application"
    enabled: true
    levels: [1, 2, 3]
    exclude_providers:
      - "Microsoft-Windows-RestartManager"
  - name: "Security"
    enabled: true
    # Security-Auditing events are Level 0 (LogAlways), reported as Information (4)
    levels: [1, 2, 3, 4]
    # High-value security events
    include_event_ids:
      - 4624 # Logon
      - 4625 # Failed logon
      - 4648 # Logon with explicit credentials
      - 4672 # Special privileges assigned to new logon (admin-equivalent rights)
      - 4720 # User account created
      - 4728 # Member added to security-enabled global group
  - name: "Setup"
    enabled: true
    levels: [1, 2, 3]

  # Component-specific channels
  - name: "Microsoft-Windows-PowerShell/Operational"
    enabled: true
    levels: [1, 2, 3]
    include_event_ids:
      - 4103 # Module logging
      - 4104 # Script block logging
  - name: "Microsoft-Windows-TaskScheduler/Operational"
    enabled: true
    levels: [1, 2, 3]
  - name: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    enabled: true
    levels: [1, 2, 3, 4]
  - name: "Microsoft-Windows-Windows Defender/Operational"
    enabled: true
    levels: [1, 2, 3]
  - name: "Microsoft-Windows-Sysmon/Operational"
    # Present only after Sysmon is installed; Sysmon events are Level 4 (Information)
    enabled: true
    levels: [1, 2, 3, 4]

# Advanced filtering
filters:
  # Global event level filter
  levels: [1, 2, 3, 4]
  # XPath query for complex filtering (same syntax as wevtutil qe /q: and Event
  # Viewer's custom views). Level=0 is what Security-Auditing events carry; without
  # it this query returns nothing from the Security channel.
  xpath_query: |
    *[System[(Level=0 or Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 3600000]]]
  # Provider filtering. include_providers is an allow-list applied to every channel,
  # so leave it unset when many channels are monitored (it would suppress the
  # PowerShell, Sysmon and Defender providers configured above). Example:
  # include_providers:
  #   - "Microsoft-Windows-Security-Auditing"
  #   - "Microsoft-Windows-Kernel-General"
  exclude_providers:
    - "Microsoft-Windows-DistributedCOM"
  # Global event ID filtering
  exclude_event_ids:
    - 5152 # Windows Filtering Platform blocked a packet
    - 5156 # Windows Filtering Platform allowed a connection
  # Time-based filtering
  start_time: "-24h" # Last 24 hours
  # Maximum events per channel on startup
  tail: 5000

# Enhanced metadata
metadata:
  verbose: true
  labels:
    plugin: winevent
    os: windows
    environment: production
    datacenter: main
  # SID resolution settings
  resolve_sids: true
  sid_cache_ttl: 3600s
  # Custom field mapping
  field_mapping:
    computer_name: "windows_computer"
    event_record_id: "windows_record_id"
    task_category: "windows_task"

# Performance tuning
batch:
  enabled: true
  size: 200
  flush_interval: 10s
  # Memory management
  max_memory: 50MB
  # Rate limiting
  max_events_per_second: 1000

# Monitoring and health
health:
  check_interval: 60s
  max_channel_errors: 5
  alert_on_permission_denied: true
```
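Before enabling the service, the channel list and the XPath query from a configuration like the one above can be exercised against the local event log with `Get-WinEvent`, which surfaces misspelled or disabled channels and over-restrictive filters without touching the plugin. The script below is an added example, not code from the LogFlux plugin or its documentation; it assumes the channel names used above and the advanced-configuration XPath with `Level=0` included.

```powershell
# Added example: dry-run the winevent.yaml channel list and XPath with Get-WinEvent.
# Channel names are the ones from this page; Sysmon and Defender channels only
# exist where those components are installed.
$channels = @(
    'System', 'Application', 'Security', 'Setup',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-Sysmon/Operational'
)

# Level=0 (LogAlways) is what Security-Auditing events carry; a query that lists
# only Level 1-3 returns nothing from the Security channel.
$xpath = '*[System[(Level=0 or Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 3600000]]]'

foreach ($name in $channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        # Either the component is not installed or the name is misspelled; compare with: wevtutil el
        Write-Warning "channel not found: $name"
        continue
    }
    if (-not $log.IsEnabled) {
        # Operational channels can exist but be switched off; enable with: wevtutil sl <channel> /e:true
        Write-Warning "channel disabled: $name"
        continue
    }
    # Count what the XPath would have yielded in the last hour. Get-WinEvent raises a
    # non-terminating error when nothing matches, hence SilentlyContinue.
    $hits = @(Get-WinEvent -LogName $name -FilterXPath $xpath -ErrorAction SilentlyContinue)
    '{0,-75} records={1,8} size={2,7}MB last-hour-matches={3}' -f `
        $name, $log.RecordCount, [math]::Round($log.FileSize / 1MB, 1), $hits.Count
}

# Show the raw Level on a logon audit event to confirm the Level=0 point above.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object Id, Level, LevelDisplayName
```

Run it from an elevated PowerShell session, since reading the Security channel and its configuration requires Administrator rights or Event Log Readers membership; a channel that reports zero last-hour matches while `records` is large is the usual sign that the level or event ID filter is wrong rather than that the log is empty.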
Usage Examples
System Administration
```powershell
# Monitor system events
logflux-winevent.exe `
  -channels "System" `
  -levels "1,2,3" `
  -tail 100

# Monitor application errors
logflux-winevent.exe `
  -channels "Application" `
  -levels "1,2" `
  -batch-size 50
```
Security Monitoring
```yaml
# Security event monitoring
channels:
  - name: "Security"
    enabled: true
    # Security-Auditing events are Level 0 (LogAlways), reported as Information (4);
    # a levels list without 4 would drop every event ID below.
    levels: [1, 2, 3, 4]
    include_event_ids:
      # Authentication events
      - 4624 # Successful logon
      - 4625 # Failed logon
      - 4634 # Account logged off
      - 4648 # Logon using explicit credentials
      - 4672 # Special privileges assigned to new logon
      # Account management
      - 4720 # User account created
      - 4722 # User account enabled
      - 4725 # User account disabled
      - 4726 # User account deleted
      - 4728 # Member added to security-enabled global group
      - 4729 # Member removed from security-enabled global group
      # Policy changes
      - 4719 # System audit policy changed
      - 4739 # Domain policy changed

metadata:
  labels:
    log_type: security
    compliance: required
    monitoring: critical
```
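The configuration above decides which Security events reach LogFlux; the value comes from what is done with them afterwards. As an added example that is not part of the LogFlux plugin or its documentation, the script below runs one of the classic detections over the same 4625 events on the local machine: it pulls the EventData fields by name from the event XML and reports source addresses whose failed-logon count in a window exceeds a threshold, distinguishing password spraying (one source, many accounts) from brute force (one source, one account). The 15-minute window, the threshold of 10 and keying on `IpAddress` are assumptions to tune per environment.

```powershell
# Added example: failed-logon (4625) aggregation over the local Security channel.
# Window and threshold are assumptions; adjust for the host's normal failure rate.
$window    = (Get-Date).AddMinutes(-15)
$threshold = 10

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name='X'>value</Data>...</EventData> into a hashtable
    # keyed by the Data element's Name attribute.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $window } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Source      = $d['IpAddress']        # '-' for local/console attempts
            Workstation = $d['WorkstationName']
            User        = $d['TargetUserName']
            LogonType   = $d['LogonType']        # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            Status      = $d['Status']           # 0xC000006D bad user/password, 0xC0000234 account locked out
            SubStatus   = $d['SubStatus']        # 0xC0000064 user does not exist, 0xC000006A wrong password
        }
    }

# Group by source: many distinct users from one source is spraying, one user
# hit repeatedly is brute force. Both show up here; the DistinctUsers column separates them.
$failed | Group-Object Source | Where-Object Count -ge $threshold | ForEach-Object {
    $users = @($_.Group.User | Sort-Object -Unique)
    [pscustomobject]@{
        Source        = $_.Name
        Failures      = $_.Count
        DistinctUsers = $users.Count
        Users         = ($users | Select-Object -First 5) -join ','
        First         = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last          = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Reading `IpAddress` and `TargetUserName` out of `EventData` by name, rather than by position in `$_.Properties`, is what keeps the logic stable across Windows versions that add fields to 4625; the same `ConvertFrom-EventData` approach works for the 4624 sample shown under the metadata reference below.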
PowerShell Monitoring
```yaml
# PowerShell activity monitoring
channels:
  - name: "Microsoft-Windows-PowerShell/Operational"
    enabled: true
    levels: [1, 2, 3, 4]
    include_event_ids:
      - 4103 # Module logging (pipeline execution details)
      - 4104 # Script block logging
      - 4105 # Script block invocation started
      - 4106 # Script block invocation completed
  - name: "Windows PowerShell"
    enabled: true
    include_event_ids:
      - 400 # Engine state changed to Available
      - 403 # Engine state changed to Stopped
      - 600 # Provider lifecycle

metadata:
  labels:
    service: powershell
    monitoring_type: security
```
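Events 4103 and 4104 are only written when module logging and script block logging are turned on; on a default installation the channel above carries little of value. The following is an added example, not part of the LogFlux documentation, that enables both through the policy registry keys Windows documents for this purpose, enables the Operational channel, and then proves the pipeline works by generating a script block in a fresh process and reading back its 4104. The marker string is constructed for the test. On domain members set the same values through Group Policy (Administrative Templates > Windows Components > Windows PowerShell); GPO-managed keys are rewritten at policy refresh.

```powershell
# Added example: enable PowerShell script block and module logging, then verify a 4104 appears.
# Run elevated. Policy keys are read when a PowerShell engine starts, so the check
# uses a new powershell.exe process rather than the current session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging -> event 4104 (and 4105/4106 when invocation logging is on)
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging -> event 4103; ModuleNames is a list of module name patterns, '*' = all
New-Item -Path "$base\ModuleLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# The channel the plugin reads must itself be enabled
wevtutil sl Microsoft-Windows-PowerShell/Operational /e:true

# Generate a script block with a unique marker in a fresh engine (constructed test input)
$marker = 'logflux-sblog-check-' + [guid]::NewGuid().ToString('N')
powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null

# Properties[2] of a 4104 is ScriptBlockText; Properties[3] is the ScriptBlockId
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 |
    Where-Object { $_.Properties[2].Value -like "*$marker*" } |
    Select-Object TimeCreated, Id, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

If the final query returns nothing, the usual causes are that the session was not elevated (the registry writes fail silently without `-ErrorAction Stop`) or that a GPO already sets these keys to a different value.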
Sysmon Integration
```yaml
# Sysmon advanced logging. The channel exists only after Sysmon is installed
# (sysmon64 -accepteula -i <config.xml>); which events appear depends on that config.
channels:
  - name: "Microsoft-Windows-Sysmon/Operational"
    enabled: true
    levels: [1, 2, 3, 4]
    # Monitor key Sysmon events
    include_event_ids:
      - 1  # Process creation
      - 3  # Network connection
      - 7  # Image loaded
      - 8  # CreateRemoteThread
      - 10 # ProcessAccess
      - 11 # FileCreate
      - 12 # RegistryEvent (object create/delete)
      - 13 # RegistryEvent (value set)
      - 22 # DNSEvent

metadata:
  labels:
    source: sysmon
    monitoring: advanced
    security: endpoint_detection
```
Command Line Usage
Basic Commands
```powershell
# Monitor specific channels
logflux-winevent.exe -channels "System,Application"

# Filter by event levels
logflux-winevent.exe -channels "System" -levels "1,2"

# Include specific event IDs
logflux-winevent.exe -channels "Security" -event-ids "4624,4625,4648"

# Exclude specific event IDs
logflux-winevent.exe -channels "System" -exclude-ids "5152,5156"

# Tail recent events
logflux-winevent.exe -channels "Application" -tail 50
```
Advanced Options
```powershell
# XPath query filtering (Level<=3 includes Level 0, so Security-Auditing events pass)
logflux-winevent.exe -channels "Security" `
  -query "*[System[Level<=3 and TimeCreated[timediff(@SystemTime) <= 3600000]]]"

# Custom batch settings
logflux-winevent.exe -channels "System" `
  -batch-size 200 `
  -flush-interval 30s

# Provider filtering
logflux-winevent.exe -channels "System" `
  -providers "Microsoft-Windows-Kernel-General,Microsoft-Windows-Kernel-Power"

# Configuration file
logflux-winevent.exe -config "C:\custom\winevent-config.yaml"
```
Event Channels Reference
Core Windows Channels
| Channel | Description | Common Event IDs |
| --- | --- | --- |
| System | System and hardware events | 1074 (Shutdown/restart initiated), 6005/6006 (Event Log service started/stopped), 7034 (Service terminated unexpectedly) |
| Application | Application and program events | 1000 (Application error), 1001 (Windows Error Reporting) |
| Security | Security and audit events | 4624 (Logon), 4625 (Failed logon), 4648 (Explicit credentials) |
| Setup | Installation and setup events | 2 (Installation started), 3 (Installation completed) |
Specialized Channels
| Channel | Description | Key Events |
| --- | --- | --- |
| PowerShell/Operational | PowerShell execution logs | 4103 (Module), 4104 (Script block), 4105/4106 (Start/Stop) |
| TaskScheduler/Operational | Scheduled task events | 100 (Task started), 102 (Task completed), 103 (Task failed) |
| TerminalServices-RemoteConnectionManager/Operational | Remote Desktop connection events | 1149 (User authentication succeeded: the RDP connection passed Network Level Authentication, which precedes and does not guarantee a session logon). Session events 21 (session logon) and 24 (session disconnected) live in the separate TerminalServices-LocalSessionManager/Operational channel |
| Windows Defender/Operational | Antivirus events | 1116 (Malware detected), 1117 (Action taken), 5001 (Real-time protection disabled) |
| Sysmon/Operational | System Monitor events | 1 (Process creation), 3 (Network connection), 11 (File created) |
Event Level Mapping
| Windows Level | Syslog Level | Description |
| --- | --- | --- |
| 0 (LogAlways) | 6 (Informational) | Always logged; used by Security-Auditing events and shown as Information (see sample output below) |
| 1 (Critical) | 2 (Critical) | System unusable |
| 2 (Error) | 3 (Error) | Error conditions |
| 3 (Warning) | 4 (Warning) | Warning conditions |
| 4 (Information) | 6 (Informational) | Informational messages |
| 5 (Verbose) | 7 (Debug) | Debug-level messages |
The plugin adds Windows-specific metadata:
| Field | Description | Example |
| --- | --- | --- |
| source_type | Always "plugin" | plugin |
| source_name | Always "winevent" | winevent |
| event_id | Windows event ID | 4624 |
| event_channel | Source event log channel | Security |
| event_provider | Event provider name | Microsoft-Windows-Security-Auditing |
| event_computer | Computer name | WS-001 |
| event_level | Event severity level | Information |
| event_task | Task category | Logon |
| event_user_sid | User Security Identifier | S-1-5-21-123456789-123456789-123456789-1001 |
| event_data | Additional structured data | {"TargetUserName":"admin","LogonType":"3"} |
Input Windows Event:
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
    <EventID>4624</EventID>
    <Level>0</Level>
    <Task>12544</Task>
    <TimeCreated SystemTime='2024-01-20T14:30:50.123Z'/>
    <Computer>WS-001</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='TargetUserName'>admin</Data>
    <Data Name='LogonType'>3</Data>
  </EventData>
</Event>
```
Output LogFlux Log:
```json
{
  "timestamp": "2024-01-20T14:30:50.123Z",
  "level": "info",
  "message": "An account was successfully logged on.",
  "node": "WS-001",
  "metadata": {
    "source_type": "plugin",
    "source_name": "winevent",
    "event_id": 4624,
    "event_channel": "Security",
    "event_provider": "Microsoft-Windows-Security-Auditing",
    "event_computer": "WS-001",
    "event_level": "Information",
    "event_task": "Logon",
    "event_user_sid": "S-1-5-21-123456789-123456789-123456789-1001",
    "event_data": {
      "TargetUserName": "admin",
      "LogonType": "3"
    },
    "plugin": "winevent",
    "os": "windows"
  }
}
```
High-Volume Configuration
```yaml
# High-throughput settings
filters:
  levels: [1, 2, 3, 4] # Exclude verbose events; keep 4 so Level 0 audit events survive
  tail: 1000           # Limit initial load

batch:
  size: 500
  flush_interval: 30s
  max_memory: 100MB

# Focus on critical channels only
channels:
  - name: "Security"
    enabled: true
    include_event_ids: [4624, 4625, 4648, 4672]
  - name: "System"
    enabled: true
    levels: [1, 2]
```
Low-Resource Configuration
```yaml
# Resource-constrained settings
filters:
  levels: [1, 2] # Critical and errors only
  tail: 100      # Minimal initial load

batch:
  size: 50
  flush_interval: 60s
  max_memory: 10MB

# Monitor essential channels
channels:
  - name: "System"
    enabled: true
    levels: [1, 2]
  - name: "Application"
    enabled: true
    levels: [1, 2]
```
Security Considerations
Required Permissions
```
# Service account rights
# - Log on as a service
# - Read access to the Security channel: either membership in the built-in
#   Event Log Readers group (the default Security channel ACL grants that group
#   read access) or the "Manage auditing and security log" right
#   (SeSecurityPrivilege). Administrators have both.
# - "Generate security audits" (SeAuditPrivilege) is not needed to read events;
#   it only lets a process write its own audit records.

# SID resolution
# - resolve_sids uses the standard LSA lookup (LookupAccountSid), which any
#   authenticated account can call for local and domain SIDs.
# - Do not grant read access to HKLM\SAM or HKLM\SECURITY. Those hives hold
#   password hashes and LSA secrets, and neither reading event logs nor
#   resolving SIDs requires them.

# Event Log permissions
# - System and Application channels are readable by any authenticated user;
#   only the Security channel needs the rights listed above.
```
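The rights above can be satisfied without running the plugin as an administrator. The script below is an added example, not part of the LogFlux documentation: it gives the service its own SID, runs it as the matching virtual account, and grants Security channel read access through Event Log Readers membership. The service name `logflux-winevent` is the one used on this page; that it can run as a virtual account (no service-specific account requirement) is an assumption.

```powershell
# Added example: least-privilege Security log access for the plugin service.
# Run elevated. Assumes the service can run as its own NT SERVICE\ virtual account.
$svc = 'logflux-winevent'

# A per-service SID lets the service be granted rights without a shared account
# and is required for a virtual account. Apply while the service is stopped.
Stop-Service $svc -ErrorAction SilentlyContinue
sc.exe sidtype $svc unrestricted
sc.exe config $svc obj= "NT SERVICE\$svc"
# If the service fails to start with a logon failure afterwards, grant the virtual
# account "Log on as a service" (Local Security Policy > User Rights Assignment).

# The default Security channel ACL contains (A;;0x1;;;S-1-5-32-573): read for
# Event Log Readers. Group membership is the least-privilege route; net.exe is
# used because it resolves NT SERVICE\ virtual accounts reliably.
net localgroup "Event Log Readers" "NT SERVICE\$svc" /add

# Group membership is applied to the token at logon, so restart the service.
Start-Service $svc

# Verify: membership, the channel ACL still grants S-1-5-32-573, and the service is up.
net localgroup "Event Log Readers"
(wevtutil gl Security | Select-String 'channelAccess').Line
Get-Service $svc | Select-Object Name, Status, StartType
```

If `channelAccess` has been customised by policy and no longer lists `S-1-5-32-573`, either restore it with `wevtutil sl Security /ca:<sddl>` or fall back to granting SeSecurityPrivilege, which is broader because it also allows clearing the Security log.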
Audit Policy Configuration
```powershell
# Enable the subcategories that produce the event IDs used on this page. Prefer
# /subcategory over /category: all of "Logon/Logoff" also enables Filtering Platform
# Connection (5152/5156, the noise excluded earlier), and "Privilege Use" success
# auditing floods the log with 4673/4674. On domain members, Advanced Audit Policy
# delivered by GPO overrides these local settings at the next refresh.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable                      # 4624, 4625, 4648
auditpol /set /subcategory:"Logoff" /success:enable                                     # 4634, 4647
auditpol /set /subcategory:"Special Logon" /success:enable                              # 4672
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable    # 4720, 4722, 4725, 4726, 4740
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable  # 4728, 4729, 4732
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable        # 4719
auditpol /set /subcategory:"Authentication Policy Change" /success:enable               # 4739
# Domain controllers only: Kerberos events 4768, 4771 and 4769
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

# View current audit policy
auditpol /get /category:*
```
Monitoring and Alerting
Plugin Health Monitoring
```powershell
# check-winevent-plugin.ps1
# Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL.
$service = Get-Service -Name "logflux-winevent" -ErrorAction SilentlyContinue
if (-not $service -or $service.Status -ne "Running") {
    Write-Host "CRITICAL: LogFlux Windows Event Log plugin is not running"
    exit 2
}

# Check recent event processing. Get-WinEvent is used instead of Get-EventLog,
# which is absent from PowerShell 7; the provider name is the plugin's own
# Application log source.
$recentEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'LogFlux-WinEvent'
    StartTime    = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue
if (-not $recentEvents) {
    Write-Host "WARNING: No recent event processing detected"
    exit 1
}

Write-Host "OK: LogFlux Windows Event Log plugin is healthy"
exit 0
```
```powershell
# Host resource counters relevant to the plugin (disk for the .evtx files and
# position state, memory, and the plugin process's own CPU). The Process
# instance name is the executable name without .exe.
Get-Counter -Counter "\LogicalDisk(*)\% Free Space" -SampleInterval 5 -MaxSamples 1
Get-Counter -Counter "\Memory\Available MBytes" -SampleInterval 5 -MaxSamples 1
Get-Counter -Counter "\Process(logflux-winevent)\% Processor Time" -SampleInterval 5 -MaxSamples 1
```
Common Use Cases
Domain Controller Monitoring
```yaml
# Active Directory security monitoring. 4768/4769 are high-volume on busy DCs;
# size batch and max_memory accordingly.
channels:
  - name: "Security"
    enabled: true
    include_event_ids:
      # Authentication
      - 4768 # Kerberos TGT requested
      - 4769 # Kerberos service ticket requested (TicketEncryptionType 0x17 = RC4 is the Kerberoasting indicator)
      - 4771 # Kerberos pre-authentication failed
      # Account management
      - 4720 # User account created
      - 4722 # User account enabled
      - 4725 # User account disabled
      - 4740 # User account locked out
      # Group management
      - 4728 # Member added to security-enabled global group
      - 4732 # Member added to security-enabled local group

metadata:
  labels:
    server_role: domain_controller
    monitoring: security
```
Web Server Monitoring
```yaml
# IIS and web application monitoring. Provider/source names must match what the
# host actually registers; list them with: wevtutil ep | findstr /i "IIS WAS ASP"
channels:
  - name: "System"
    enabled: true
    levels: [1, 2, 3]
    include_providers:
      - "Microsoft-Windows-IIS-W3SVC"   # World Wide Web Publishing Service
      - "Microsoft-Windows-WAS"         # Windows Process Activation Service
  - name: "Application"
    enabled: true
    levels: [1, 2, 3]
    include_providers:
      - "ASP.NET 4.0.30319.0"           # ASP.NET sources are versioned
      - "Microsoft-Windows-IIS-WMSVC"   # Web Management Service

metadata:
  labels:
    server_role: web_server
    service: iis
```
Workstation Monitoring
```yaml
# End-user workstation monitoring
channels:
  - name: "System"
    enabled: true
    levels: [1, 2, 3]
  - name: "Application"
    enabled: true
    levels: [1, 2]
  - name: "Security"
    enabled: true
    include_event_ids:
      - 4624 # Logon
      - 4634 # Logoff
      - 4647 # User-initiated logoff
  - name: "Microsoft-Windows-PowerShell/Operational"
    enabled: true
    levels: [1, 2, 3]

metadata:
  labels:
    device_type: workstation
    monitoring: basic
```
Troubleshooting
Common Issues
Service Won’t Start:
```powershell
# Check service configuration (binary path, start type, account)
sc.exe qc logflux-winevent

# Verify plugin binary
Test-Path "C:\Program Files\LogFlux\Agent\plugins\logflux-winevent.exe"

# Check Windows Event Log service
Get-Service EventLog
```
Security Log Access Denied:
```powershell
# Verify which account the service runs as
sc.exe qc logflux-winevent

# Inspect the Security channel ACL; S-1-5-32-573 is Event Log Readers
wevtutil gl Security

# Grant access with the least privilege that works: add the service account to
# Event Log Readers and restart the service so its token picks up the membership.
# Alternatively grant SeSecurityPrivilege via Local Security Policy ->
# User Rights Assignment -> Manage auditing and security log (broader: it also
# allows clearing the Security log).
```
High Memory Usage:
```yaml
# Reduce batch size and memory limits
batch:
  size: 50
  flush_interval: 30s
  max_memory: 25MB

# Limit channels and event types
filters:
  levels: [1, 2, 3, 4]              # Exclude verbose events
  exclude_event_ids: [5152, 5156]   # Exclude noisy Filtering Platform events
```
Missing Events:
```powershell
# Check event log size and retention (a small maxSize with many events means
# records are overwritten before the poll interval elapses)
wevtutil gl System

# Verify channel names (a misspelled name silently yields nothing)
wevtutil el | Select-String -Pattern "Microsoft-Windows"

# Test event log access
Get-WinEvent -LogName "System" -MaxEvents 5

# Security-Auditing events are Level 0; a levels filter that omits 4 (Information)
# can drop them all. Confirm with:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 | Select-Object Level, LevelDisplayName
```
Debugging
```powershell
# Enable verbose logging for a foreground run
$env:LOGFLUX_LOG_LEVEL = "debug"
& "C:\Program Files\LogFlux\Agent\plugins\logflux-winevent.exe" -config "C:\ProgramData\LogFlux\Agent\plugins\winevent.yaml"

# Monitor plugin output (Get-WinEvent works in Windows PowerShell and PowerShell 7;
# Get-EventLog does not exist in 7)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'LogFlux-WinEvent' } -MaxEvents 10

# Test connectivity to the agent: the plugin talks to the named pipe from
# socket_path (\\.\pipe\logflux-agent), not a TCP port, so check the pipe exists
Get-ChildItem '\\.\pipe\' | Where-Object Name -like 'logflux*'

# Check Windows Event Log service
Get-Service -Name "EventLog" | Format-List *
```
Best Practices
Configuration Management
- Start with minimal channels and expand based on requirements
- Use event ID filtering to focus on relevant events
- Configure appropriate batch sizes based on event volume
- Monitor resource usage and adjust settings accordingly
Security
- Use a dedicated service account with the minimum rights listed under Required Permissions
- Enable audit policies for the events you want to monitor
- Regularly review security events for anomalous activity
- Implement log retention policies to manage disk space
Performance
- Filter events at source using levels and event ID filters
- Use XPath queries for complex filtering requirements
- Batch events appropriately to balance latency and throughput
- Monitor system resources and adjust configuration as needed
Maintenance
- Regularly update audit policies to match security requirements
- Monitor event log sizes to prevent log wraparound
- Test plugin functionality after Windows updates
- Review and update filtering rules based on operational needs
Disclaimer
Microsoft Windows and Windows Event Log are trademarks of Microsoft Corporation. LogFlux is not affiliated with, endorsed by, or sponsored by Microsoft Corporation. Windows services and features are referenced solely for identification purposes to indicate compatibility with Windows Event Log systems.
Next Steps