Windows Event Logs


You can collect the event logs from your Windows endpoints.

When you query a Windows event log, the query includes every event in the log. You can use event log filtering or XPath queries to limit the events that you receive.

Windows event logs are supported in the following languages:

  • Chinese (Simplified)

  • Chinese (Traditional)

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese

  • Russian

  • Spanish

Windows Event Log Filtering

You can configure the WinCollect agent to ignore or to include specific events collected from the Windows event log. Using the filter types limits the total EPS (events per second) that are sent to the JSA console.

The WinCollect agents can be configured to ignore events globally by ID code or log source. Global exclusions use the EventIDCode field from the event payload. To determine the values that are excluded, source and ID exclusions use the Source= field and the EventIDCode= field of the Windows payload. Separate multiple sources by using a semicolon. Event filters such as exclusion, inclusion, and NSA are available for the following log source types:

  • Security

  • System

  • Application

  • DNS Server

  • File Replication Service

  • Directory Service

  • Forwarded Events

The WinCollect agent requests all available events from the Event Collection API each time the value specified in the Polling Interval field expires.

For the exclusion filter, the agent examines all of the events retrieved from the Event Collection API and ignores events that match the exclusions defined by the administrator (either by Windows Event ID or by source). The agent then takes the remaining events, assembles the name=value pairs, and forwards the events to either the JSA console or the Event Collector appliance. For the inclusion filter, by contrast, the agent pulls only the events that match the Event IDs specified by the administrator and forwards those events to the JSA console or Event Collector.

The NSA filter is a unique type of filter that includes a corresponding list of pre-defined security Event IDs, which the agent pulls from the Security, System, Application and DNS logs. These pre-defined security Event IDs are included in the events that the agent forwards to JSA console or Event Collector.

Note

The Forwarded Events filter requires you to identify the source or channel, with the eventIDs that you wish to filter in parentheses. Use semicolons as delimiters. For example:

Application(200-256,4097,34);Security(1);Symantec(1,13)

In this example, event IDs from 200 to 256, 4097 and 34 are filtered for the channel Application, event ID 1 is filtered for Security, and event IDs 1 and 13 are filtered for the source called Symantec.
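The following Python script is an added illustration, not WinCollect code or Juniper's own: it parses the two filter syntaxes this page shows (the ID list with ranges used by exclusion and inclusion filters, such as 4609, 4616, 6400-6405, and the Forwarded Events form Channel(ids);Source(ids) from the note above) and then applies the page's Forwarded Events example as an exclusion filter and as an inclusion filter to a handful of constructed sample events. The helper names, the event dictionaries, and the rule that a filter name is compared against both the event's channel and its Source= field are assumptions made here for the example.

```python
import re
from typing import Dict, Iterable, List, Set

# Hypothetical helpers (not WinCollect code) that model the filter syntaxes
# described on this page.


def parse_id_list(spec: str) -> Set[int]:
    """Expand an ID list such as '200-256,4097,34' into the set of event IDs."""
    ids: Set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not match:
            raise ValueError(f"bad event ID token: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if high < low:
            raise ValueError(f"descending range: {token!r}")
        ids.update(range(low, high + 1))
    return ids


def parse_forwarded_filter(spec: str) -> Dict[str, Set[int]]:
    """Parse 'Application(200-256,4097,34);Security(1);Symantec(1,13)'
    into a mapping of channel or source name -> set of event IDs."""
    result: Dict[str, Set[int]] = {}
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        match = re.fullmatch(r"([^()]+)\((.*)\)", entry)
        if not match:
            raise ValueError(f"bad filter entry: {entry!r}")
        name = match.group(1).strip()
        result.setdefault(name, set()).update(parse_id_list(match.group(2)))
    return result


def event_matches(filt: Dict[str, Set[int]], event: dict) -> bool:
    """An event matches when its channel or its Source= value names a filter
    entry whose ID set contains the EventIDCode= value.
    Assumption for this example: the name is checked against both fields."""
    event_id = event["EventIDCode"]
    for name in (event["Channel"], event["Source"]):
        if event_id in filt.get(name, set()):
            return True
    return False


def apply_filter(mode: str, filt: Dict[str, Set[int]], events: Iterable[dict]) -> List[dict]:
    """'exclusion' drops matching events, 'inclusion' keeps only matching
    events, and 'none' forwards everything (the page's No Filtering default)."""
    if mode == "none":
        return list(events)
    if mode not in ("exclusion", "inclusion"):
        raise ValueError(f"unknown filter mode: {mode!r}")
    keep_matching = mode == "inclusion"
    return [e for e in events if event_matches(filt, e) == keep_matching]


# Constructed sample events, shaped after the Source= and EventIDCode= payload fields.
SAMPLE_EVENTS = [
    {"Channel": "Application", "Source": "MSSQLSERVER", "EventIDCode": 4097},
    {"Channel": "Application", "Source": "Symantec", "EventIDCode": 13},
    {"Channel": "Security", "Source": "Microsoft-Windows-Security-Auditing", "EventIDCode": 1},
    {"Channel": "Security", "Source": "Microsoft-Windows-Security-Auditing", "EventIDCode": 4624},
    {"Channel": "System", "Source": "Service Control Manager", "EventIDCode": 7036},
]

# The Forwarded Events filter string from the page's own example.
FORWARDED_FILTER = "Application(200-256,4097,34);Security(1);Symantec(1,13)"


def forwarded_ids(mode: str) -> List[int]:
    """Event IDs that survive the page's example filter in the given mode."""
    filt = parse_forwarded_filter(FORWARDED_FILTER)
    return [e["EventIDCode"] for e in apply_filter(mode, filt, SAMPLE_EVENTS)]


if __name__ == "__main__":
    for mode in ("none", "exclusion", "inclusion"):
        print(f"{mode:>9}: {forwarded_ids(mode)}")
```

Running the script shows why the two modes are not mirror images of a single list: with the same filter string, exclusion forwards the Security 4624 logon and the System 7036 service-state event, while inclusion forwards only the three events named by the filter, so an inclusion filter that omits an ID silently drops it at the agent before it ever reaches JSA.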

Windows Log Source Parameters

Common parameters are used when you configure a log source for a WinCollect agent or a WinCollect plug-in. Each WinCollect plug-in also has a unique set of configuration options.

Table 1: Common WinCollect Log Source Parameters

Parameter

Description

Log Source Identifier

The IP address or host name of a remote Windows operating system from which you want to collect Windows-based events. The log source identifier must be unique for the log source type.

Used to poll events from remote sources

Local System

Disables remote collection of events for the log source.

The log source uses local system credentials to collect and forward events to the JSA.

Domain

Optional

The domain that includes the Windows-based log source.

The following examples use the correct syntax: LAB1, server1.mydomain.com

The following syntax is incorrect: \\mydomain.com

Event Rate Tuning Profile

For the default polling interval of 3000 ms, the approximate Events per second (EPS) rates attainable are as follows:

  • Default (Endpoint): 33-50 EPS

  • Typical Server: 166-250 EPS

  • High Event Rate Server: 416-625 EPS

For a polling interval of 1000 ms the approximate EPS rates are as follows:

  • Default (Endpoint): 100-150 EPS

  • Typical Server: 500-750 EPS

  • High Event Rate Server: 1250-1875 EPS

Polling Interval (ms)

The interval, in milliseconds, between times when WinCollect polls for new events.

Application or Service Log Type

Optional.

Used for XPath queries.

Provides a specialized XPath query for products that write their events as part of the Windows application log, so that you can separate Windows events from events that are classified to a log source for another product.

Event Log Poll Protocol

The protocol that JSA uses to communicate with the Windows device. The default is MSEVEN6.

Log Filter Type

Configures the WinCollect agent to ignore specific events from the Windows event log.

You can also configure WinCollect agents to ignore events globally by ID code or log source.

Exclusion filters for events are available for the following log source types: Security, System, Application, DNS Server, File Replication Service, and Directory Service.

Global exclusions use the EventIDCode field from the event payload. To determine the values that are excluded, source and ID exclusions use the Source= field and the EventIDCode= field of the Windows event payload. Separate multiple sources by using a semi-colon.

Example: Exclusion filters can use commas and hyphens to filter single EventIDs or ranges, such as 4609, 4616, 6400-6405

Security

Select the check box to enable WinCollect to forward security logs to JSA.

Security Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected in the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Security Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field Security Log Filter displays. You must provide the event IDs that you want to include or exclude.

System

Select the check box to enable WinCollect to forward system logs to JSA.

System Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected in the Windows event log, select Inclusion Filter.

The NSA Filter option populates the System Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field System Log Filter displays. You must provide the event IDs that you want to include or exclude.

Application

Select the check box to enable WinCollect to forward application logs to JSA.

Application Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected in the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Application Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field Application Log Filter displays. You must provide the event IDs that you want to include or exclude.

DNS Server

Select the check box to enable WinCollect to forward DNS Server logs to JSA.

DNS Server Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected in the Windows event log, select Inclusion Filter.

The NSA Filter option populates the DNS Server Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field DNS Server Log Filter displays. You must provide the event IDs that you want to include or exclude.

File Replication Service

Select the check box to enable WinCollect to forward File Replication Service logs to JSA.

File Replication Service Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected in the Windows event log, select Inclusion Filter.

Note: If you select a filter type from the list, a new field File Replication Service Log Filter displays. You must provide the event IDs that you want to include or exclude.

Directory Service

Select the check box to enable WinCollect to forward Directory Service logs to JSA.

Directory Service Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected in the Windows event log, select Inclusion Filter.

Note: If you select a filter type from the list, a new field Directory Service Log Filter displays. You must provide the event IDs that you want to include or exclude.

Forwarded Events

Enables JSA to collect events that are forwarded from remote Windows event sources that use subscriptions.

Forwarded events that use event subscriptions are automatically discovered by the WinCollect agent and forwarded as if they were a syslog event source.

When you configure event forwarding from your Windows system, enable event pre-rendering.

Note: WinCollect only supports pulling logs from the Forwarded Events channel. Writing events from a subscription to a different channel is not supported.

Forwarded Events filter type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected in the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Forwarded Events filter field with all channels and their respective filters, as recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field Forwarded Events Filter displays. You must provide the event IDs that you want to include or exclude.

The Forwarded Events filter requires you to identify the source or channel, with the eventIDs that you wish to filter in parentheses. Use semicolons as delimiters. For example:

Application(200-256,4097,34);Security(1);Symantec(1,13)

In this example, event IDs from 200 to 256, 4097 and 34 are filtered for the channel Application, event ID 1 is filtered for Security, and event IDs 1 and 13 are filtered for the source called Symantec.

Event Types

At least one event type must be selected.

Enable Active Directory Lookups

If the WinCollect agent is in the same domain as the domain controller that is responsible for the Active Directory lookup, you can select this check box and leave the override domain and DNS parameters blank.

Note: You must enter values for the Domain Controller Name Lookup and DNS Domain Name Lookup parameters.

Override Domain Controller Name

Required when the domain controller that is responsible for Active Directory lookup is outside of the domain of the WinCollect agent.

The IP address or host name of the domain controller that is responsible for the Active Directory lookup.

XPath Query

Structured XML expressions that you use to retrieve customized events from Windows event logs.

If you specify an XPath query to filter events, the check boxes that you selected from the Standard Log Type or Event Type are collected along with the XPath Query.

To collect information by using an XPath Query, you might be required to enable Remote Event Log Management on Windows 2008.

Target Internal Destination

Use any managed hosts with an event processor component as an internal destination.

Target External Destination

Forwards your events to one or more external destinations that you configured in your destination list.

Applications and Services Logs

Use XPath queries to collect events from the Applications and Services event logs.

XPath queries are structured XML expressions that you use to retrieve customized events from the Windows event logs.

Creating a Custom View

Use the Microsoft Event Viewer to create custom views, which can filter events for severity, source, category, keywords, or specific users.

Note

Using more than 10 XPath queries can affect WinCollect performance, depending on the XPath and the number of events coming in to each channel.

WinCollect log sources can use XPath filters to capture specific events from your logs. To create the XML markup for your XPath Query parameter, you must create a custom view. You must log in as an administrator to use Microsoft Event Viewer.

XPath queries that use the WinCollect protocol do not support the TimeCreated notation, so events cannot be filtered by a time range. Filtering events by a time range can lead to errors in collecting events.

  1. On your desktop, select Start >Run.
  2. Type the following command:

    Eventvwr.msc

  3. Click OK.
  4. If you are prompted, type the administrator password and press Enter.
  5. Click Action >Create Custom View.

    When you create a custom view, do not select a time range from the Logged list. The Logged list includes the TimeCreated element, which is not supported in XPath queries for the WinCollect protocol.

  6. In Event Level, select the check boxes for the severity of events that you want to include in your custom view.
  7. Select an event log source. You can select the source from the Event sources drop-down menu, or you can browse to a source from the Event logs drop-down menu.
  8. Type the event IDs to filter from the event or log source.

    Use commas to separate IDs.

    The following list contains an individual ID and a range: 4133, 4511-4522

  9. From the Task Category list, select the categories to filter from the event or log source.
  10. From the Keywords list, select the keywords to filter from the event or log source.
  11. Type the user name to filter from the event or log source.
  12. Type the computer or computers to filter from the event or log source.
  13. Click the XML tab.
  14. Copy and paste the XML to the XPath Query field of your WinCollect log source configuration.

Configure a log source with the XPath query. For more information, see Applications and Services Logs.
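The Python script below is an added example, not code from Juniper or from WinCollect: it builds a QueryList document of the shape Event Viewer's XML tab produces and then lints it against the constraints this page states for the XPath Query field: the XML must be well-formed (a bare "<" in "EventID <= 4777" is not), the TimeCreated element is not supported by the WinCollect protocol, XPath queries cannot filter Forwarded Events, and more than 10 queries can affect agent performance. The function names are invented here, and counting each Select element as one query for the 10-query limit is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import List, Sequence, Tuple

# Hypothetical helpers (not WinCollect code) for producing and checking the
# XML that goes into the XPath Query field.


def build_query_list(selects: Sequence[Tuple[str, str]]) -> str:
    """Build <QueryList><Query Id="0" Path=...><Select Path=...>xpath</Select>...
    from (channel, xpath) pairs. ElementTree escapes '<', '>' and '&' in the
    XPath text, so comparisons such as 'EventID <= 4777' become well-formed XML."""
    if not selects:
        raise ValueError("at least one (channel, xpath) pair is required")
    root = ET.Element("QueryList")
    # Event Viewer sets the Query Path to the first channel; the Select
    # elements carry the channel that is actually searched.
    query = ET.SubElement(root, "Query", Id="0", Path=selects[0][0])
    for path, xpath in selects:
        ET.SubElement(query, "Select", Path=path).text = xpath
    return ET.tostring(root, encoding="unicode")


def lint_query_list(xml_text: str) -> List[str]:
    """Return the problems this page warns about; an empty list means none found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    warnings: List[str] = []
    selects = root.findall(".//Select")
    if not selects:
        warnings.append("no Select element: the query would retrieve nothing")
    # Assumption: each Select counts as one XPath query toward the 10-query guidance.
    if len(selects) > 10:
        warnings.append(f"{len(selects)} queries: more than 10 can affect WinCollect performance")
    for sel in selects:
        text = sel.text or ""
        if "TimeCreated" in text:
            warnings.append("TimeCreated is not supported in XPath queries for the WinCollect protocol")
        if sel.get("Path") == "ForwardedEvents":
            warnings.append("XPath queries cannot filter Windows Forwarded Events")
    return warnings


# The page's Windows 2008 credential-logon query, written with plain operators;
# build_query_list() produces the escaped form.
CREDENTIAL_LOGON = [
    ("Security", "*[System[(Level=4 or Level=0) and ((EventID >= 4776 and EventID <= 4777))]]")
]


def credential_logon_xml() -> str:
    return build_query_list(CREDENTIAL_LOGON)


if __name__ == "__main__":
    xml = credential_logon_xml()
    print(xml)
    print("problems:", lint_query_list(xml) or "none")
```

Pasting the output of build_query_list() into the XPath Query field gives the same escaped form that Event Viewer's XML tab shows; running lint_query_list() over a hand-edited query catches the time-range and Forwarded Events cases before the log source is saved rather than after collection errors appear.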

XPath Query Examples

Use XPath examples for monitoring events and retrieving logon credentials, as a reference when you create XPath queries.

For more information about XPath queries, see your Microsoft documentation.

Note

XPath uses only the MSEVEN6 event protocol.

Example: Monitoring Events for a Specific User

In this example, the query retrieves events from all Windows event logs for the guest user.

Note

XPath queries cannot filter Windows Forwarded Events.

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Security">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Setup">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="System">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
  </Query>
</QueryList>

Example: Credential Logon for Windows 2008

In this example, the query retrieves specific event IDs from the security log for Information-level events that are associated with account authentication in Windows 2008.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0) and ( (EventID &gt;= 4776 and EventID &lt;= 4777) )]]</Select>
  </Query>
</QueryList>

Table 2: Event IDs Used in Credential Logon Example

ID

Description

4776

The domain controller attempted to validate credentials for an account.

4777

The domain controller failed to validate credentials for an account.

Example: Retrieving Events Based on User

In this example, the query examines event IDs to retrieve specific events for a user account that is created on a fictional computer that contains a user password database.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Computer='Password_DB') and (Level=4 or Level=0) and (EventID=4720 or (EventID &gt;= 4722 and EventID &lt;= 4726) or (EventID &gt;= 4741 and EventID &lt;= 4743) )]]</Select>
  </Query>
</QueryList>

Table 3: Event IDs Used in Database Example

ID

Description

4720

A user account was created.

4722

A user account was enabled.

4723

An attempt was made to change the password of an account.

4724

An attempt was made to reset password of an account.

4725

A user account was disabled.

4726

A user account was deleted.

4741

A user account was created.

4742

A user account was changed.

4743

A user account was deleted.

Example: Retrieving DNS Analytic Logs

In this example, the query retrieves all events that are captured in DNS analytic logs.

Example: Retrieving Events with Sysinternals Sysmon

In this example, the query retrieves all events that are captured by SysInternals Sysmon.