Windows Event Logs
You can collect the event logs from your Windows endpoints.
When you query a Windows event log, the query includes every event in the log. You can use event log filtering or XPath queries to limit the events that you receive.
Windows event logs are supported in the following languages:
Chinese (Simplified)
Chinese (Traditional)
English
French
German
Italian
Japanese
Korean
Portuguese
Russian
Spanish
Windows Event Log Filtering
You can configure the WinCollect agent to ignore or to include specific events collected from the Windows event log. You can limit the total EPS (events per second) that are sent to the JSA console by using the filter types.
The WinCollect agents can be configured to ignore events globally by ID code or log source. Global exclusions use the EventIDCode field from the event payload. To determine the values that are excluded, source and ID exclusions use the Source=field and the EventIDCode=field of the Windows payload. Separate multiple sources by using a semi-colon. Events filters such as exclusion, inclusion, and NSA are available for the following log source types:
Security
System
Application
DNS Server
File Replication Service
Directory Service
Forwarded Events
The WinCollect agent requests all available events from the Event Collection API each time the value specified in the Polling Interval field expires.
For the exclusion filter, the agent examines all of the events retrieved from the Event Collection API and ignores events that match the exclusions defined by the administrator (either by Windows Event ID or by source). The agent then takes the remaining events and assembles the name=value pairs and forwards the events to either the JSA console or the Event Collector appliance. However, for the inclusion filter, the agents pulls events that matches the Event IDs specified by the administrator and forward those events to JSA console or Event Collector.
The NSA filter is a unique type of filter that includes a corresponding list of pre-defined security Event IDs, which the agent pulls from the Security, System, Application and DNS logs. These pre-defined security Event IDs are included in the events that the agent forwards to JSA console or Event Collector.
The Forwarded Events filter requires you to identify the source or channel, with the eventIDs that you wish to filter in parentheses. Use semicolons as delimiters. For example:
Application(200-256,4097,34);Security(1);Symantec(1,13)
In this example, event IDs from 200 to 256, 4097 and 34 are filtered for the channel Application, event ID 1 is filtered for Security, and event IDs 1 and 13 are filtered for the source called Symantec.
Windows Log Source Parameters
Common parameters are used when you configure a log source for a WinCollect agent or a WinCollect plug-in. Each WinCollect plug-in also has a unique set of configuration options.
Parameter |
Description |
|---|---|
Log Source Identifier |
The IP address or hostname of a remote Windows operating system from which you want to collect Windows-based events. The log source identifier must be unique for the log source type. Used to poll events from remote sources |
Local System |
Disables remote collection of events for the log source. The log source uses local system credentials to collect and forward events to the JSA. |
Domain |
Optional The domain that includes the Windows-based log source. The following examples use the correct syntax: LAB1, server1.mydomain.com The following syntax is incorrect: \\mydomain.com |
Event Rate Tuning Profile |
For the default polling interval of 3000 ms, the approximate Events per second (EPS) rates attainable are as follows:
For a polling interval of 1000 ms the approximate EPS rates are as follows:
|
Polling Interval (ms) |
The interval, in milliseconds, between times when WinCollect polls for new events. |
Application or Service Log Type |
Optional. Used for XPath queries. Provides a specialized XPath query for products that write their events as part of the Windows application log. Therefore, you can separate Windows events from events that are classified to a log source for another product. |
Event Log Poll Protocol |
The protocol that JSA uses to communicate with the Windows device. The default is MSEVEN6. |
Log Filter Type |
Configures the WinCollect agent to ignore specific events from the Windows event log. You can also configure WinCollect agents to ignore events globally by ID code or log source. Exclusion filters for events are available for the following log source types: Security, System, Application, DNS Server, File Replication Service, and Directory Service Global exclusions use the EventIDCode field from
the event payload. To determine the values that are excluded, source
and ID exclusions use the Example: : Exclusion filters can use commas and hyphens to filter single EventIDs or ranges, such as 4609, 4616, 6400-6405 |
Security |
Select the checkbox to enable WinCollect to forward security logs to JSA. |
Security Log Filter Type |
To ignore specific events ID collected from the Windows event log, select Exclusion Filter. To include specific events ID collected in the Windows event log, select Inclusion Filter. The NSA Filter option populates the Security Log Filter field with a list of event IDs recommended by National Security Agency. The default is No Filtering. Note:
If you select a filter type from the list, a new field Security Log Filter displays. You must provide the event IDs that you want to include or exclude. |
System |
Select the checkbox to enable WinCollect to forward system logs to JSA. |
System Log Filter Type |
To ignore specific events ID collected from the Windows event log, select Exclusion Filter. To include specific events ID collected in the Windows event log, select Inclusion Filter. The NSA Filter option populates the System Log Filter field with a list of event IDs recommended by National Security Agency. The default is No Filtering. Note:
If you select a filter type from the list, a new field System Log Filter displays. You must provide the event IDs that you want to include or exclude. |
Application |
Select the checkbox to enable WinCollect to forward application logs to JSA. |
Application Log Filter Type |
To ignore specific events ID collected from the Windows event log, select Exclusion Filter. To include specific events ID collected in the Windows event log, select Inclusion Filter. The NSA Filter option populates the Application Log Filter field with a list of event IDs recommended by National Security Agency. The default is No Filtering. Note:
If you select a filter type from the list, a new field Application Log Filter displays. You must provide the event IDs that you want to include or exclude. |
DNS Server |
Select the checkbox to enable WinCollect to forward DNS Server logs to JSA. |
DNS Server Log Filter Type |
To ignore specific events ID collected from the Windows event log, select Exclusion Filter. To include specific events ID collected in the Windows event log, select Inclusion Filter. The NSA Filter option populates the DNS Server Log Filter field with a list of event IDs recommended by National Security Agency. The default is No Filtering. Note:
If you select a filter type from the list, a new field DNS Server Log Filter displays. You must provide the event IDs that you want to include or exclude. |
File Replication Service |
Select the checkbox to enable WinCollect to forward File Replication Service logs to JSA. |
File Replication Service Log Filter Type |
To ignore specific events ID collected from the Windows event log, select Exclusion Filter. To include specific events ID collected in the Windows event log, select Inclusion Filter. Note:
If you select a filter type from the list, a new field File Replication Service Log Filter displays. You must provide the event IDs that you want to include or exclude. |
Directory Service |
Select the checkbox to enable WinCollect to forward Directory Service logs to JSA. |
Directory Service Log Filter Type |
To ignore specific events ID collected from the Windows event log, select the Exclusion Filter. To include specific events ID collected in the Windows event log, select the Inclusion Filter. Note:
If you select a filter type from the list, a new field Directory Service Log Filter displays. You must provide the event IDs that you want to include or exclude. |
Forwarded Events |
Enables JSA to collect events that are forwarded from remote Windows event sources that use subscriptions. Forward events that use event subscriptions are automatically discovered by the WinCollect agent and forwarded as if they are a syslog event source. When you configure event forwarding from your Windows system, enable event pre-rendering. Note:
WinCollect supports pulling logs only from the Forwarded Events channel. Writing events from a subscription to a different channel is not supported. |
Forwarded Events filter type |
To ignore specific events ID collected from the Windows event log, select Exclusion Filter. To include specific events ID collected in the Windows event log, select Inclusion Filter. The NSA Filter option populates the Forwarded Events filter field with all channels and their respective filters, as recommended by the National Security Agency. The default is No Filtering. Note:
If you select a filter type from the list, a new field Forwarded Events Filter displays. You must provide the event IDs that you want to include or exclude. The Forwarded Events filter requires you to identify the source or channel, with the eventIDs that you want to filter in parentheses. Use semicolons as delimiters. For example: Application(200-256,4097,34); Security(1);Symantec(1,13) In this example, event IDs 200 - 256, 4097 and 34 are filtered for the channel Application. Event ID 1 is filtered for Security. Event IDs 1 and 13 are filtered for the source called Symantec. |
Event Types |
At least one event type must be selected. If you need to collect specific event types, follow the instructions for creating a custom XPath with those specific event types. For more information, see Creating a Custom View. |
Enable Active Directory Lookups |
If the WinCollect agent is in the same domain as the domain controller that is responsible for the Active Directory lookup, you can select this checkbox. If you do, leave the override domain and DNS parameters blank. Note:
You must enter values for the Domain Controller Name Lookup and DNS Domain Name Lookup parameters. |
Override Domain Controller Name |
Required when the domain controller that is responsible for Active Directory lookup is outside of the domain of the WinCollect agent. The IP address or hostname of the domain controller that is responsible for the Active Directory lookup. |
XPath Query |
Structured XML expressions that you use to retrieve customized events from Windows event logs. If you specify an XPath query to filter events, the check boxes that you selected from the Standard Log Type or Event Type are collected along with the XPath Query. To collect information by using an XPath Query, you might be required to enable Remote Event Log Management on Windows 2008. |
Target Internal Destination |
Use any managed hosts with an event processor component as an internal destination. |
Target External Destination |
Forwards your events to one or more external destinations that you configured in your destination list. |
Applications and Services Logs
Use XPath queries to collect events from the Applications and Services event logs.
XPath queries are structured XML expressions that you use to retrieve customized events from the Windows event logs.
Creating a Custom View
Use the Microsoft Event Viewer to create custom views, which can filter events for severity, source, category, keywords, or specific users.
Using more than 10 XPath queries can affect WinCollect performance, depending on the XPath and the number of events coming in to each channel.
WinCollect log sources can use XPath filters to capture specific events from your logs. To create the XML markup for your XPath Query parameter, you must create a custom view. You must log in as an administrator to use Microsoft Event Viewer.
XPath queries that use the WinCollect protocol the TimeCreated notation do not support filtering of events by a time range. Filtering events by a time range can lead to errors in collecting events.
On your desktop, select Start >Run.
Type the following command:
Eventvwr.msc
Click OK.
If you are prompted, type the administrator password and press Enter.
Click Action >Create Custom View.
When you create a custom view, do not select a time range from the Logged list. The Logged list includes the TimeCreated element, which is not supported in XPath queries for the WinCollect protocol.
In Event Level, select the check boxes for the severity of events that you want to include in your custom view.
Select an event log source. You can select the source from the Event sources drop-down menu, or you can browse to a source from the Event logs drop-down menu..
Type the event IDs to filter from the event or log source.
Use commas to separate IDs.
The following list contains an individual ID and a range: 4133, 4511-4522
From the Task Category list, select the categories to filter from the event or log source.
From the Keywords list, select the keywords to filter from the event or log source.
Type the user name to filter from the event or log source.
Type the computer or computers to filter from the event or log source.
-
Click the XML tab.
Copy and paste the XML to the XPath Query field of your WinCollect log source configuration
Configure a log source with the XPath query. For more information, see Applications and Services Logs.
XPath Query Examples
Use XPath examples for monitoring events and retrieving logon credentials, as a reference when you create XPath queries.
For more information about XPath queries, see your Microsoft documentation.
XPath uses only the MSEVEN6 event protocol.
Example: Monitoring Events for a Specific User
In this example, the query retrieves events from all Windows event logs for the guest user.
XPath queries cannot filter Windows Forwarded Events.
<QueryList> <Query Id="0" Path="Application"> <Select Path="Application">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501 ']]]</Select> <Select Path="Security">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501 ']]]</Select> <Select Path="Setup">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501 ']]]</Select> <Select Path="System">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501 ']]]</Select> </Query> </QueryList>.
Example: Credential Logon for Windows 2008
In this example, the query retrieves specific event IDs from the security log for Information-level events that are associated with the account authentication in Windows 2008.
<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(Level=4 or Level=0) and ( (EventID >= 4776 and EventID <= 4777) )]]</Select> </Query> </QueryList>
ID |
Description |
|---|---|
4776 |
The domain controller attempted to validate credentials for an account. |
4777 |
The domain controller failed to validate credentials for an account. |
Example: Retrieving Events Based on User
In this example, the query examines event IDs to retrieve specific events for a user account that is created on a fictional computer that contains a user password database.
<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(Computer='Password_DB') and (Level=4 or Level=0) and (EventID=4720 or (EventID >= 4722 and EventID <= 4726) or (EventID >= 4741 and EventID <= 4743) )]]</Select> </Query> </QueryList>
ID |
Description |
|---|---|
4720 |
A user account was created. |
4722 |
A user account was enabled. |
4723 |
An attempt was made to change the password of an account. |
4724 |
An attempt was made to reset password of an account. |
4725 |
A user account was disabled. |
4726 |
A user account was deleted. |
4741 |
A user account was created. |
4742 |
A user account was changed. |
4743 |
A user account was deleted. |
Example: Retrieving DNS Analytic Logs
In this example, the query retrieves all events that are captured in DNS analytic logs.
<QueryList> <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical"> <Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select> </Query> </QueryList>
Example: Retrieving Events with Sysinternals Sysmon
In this example, the query retrieves all events that are captured by SysInternals Sysmon.
<QueryList> <Query Id="0" Path="Microsoft-Windows-DNSServer/Operational"> <Select Path="Microsoft-Windows-DNSServer/Operational">*</Select> </Query> </QueryList>