EVTX Forwarder advanced settings

You can use the following advanced settings to fine-tune EVTX Forwarder sources.

| Parameter | Default value | Description |
|---|---|---|
| Identifier Override | hostname/IP | You can override the device identifier for this source. |
| Filename pattern | *.evtx | Only files that match this pattern are considered; this is an OS file filter. |
| Agent Device Type | WindowsLog | The AgentDevice field in the payload header. |
| Tuning Profile: Automatic Tuning | | Determines how to poll for events automatically and adjusts itself over time. |
| Tuning Profile: Low Event Rate | | Less than 1 event per minute, poll every 10 minutes, 100 events at a time. |
| Tuning Profile: Medium Event Rate | | Less than 10 events per second, poll every 30 seconds, 200 events at a time. |
| Tuning Profile: High Event Rate | | Less than 500 events per second, poll every 3 seconds, 2000 events at a time. |
| Tuning Profile: Max Event Rate | | More than 500 events per second, poll continuously, 5000 events at a time. |
| Tuning Profile: Manual Tuning | | Manually set the polling interval, events per pass, and batch size. |
| Manual Tuning: Polling Interval | | The length of time (milliseconds) between polls. |
| Manual Tuning: Events per pass | | Maximum events to collect at each polling interval. |
| Manual Tuning: Events per batch | | Number of events to fetch per call to the source. |
| Event Levels: Critical | | Include Critical events (level 1) |
| Event Levels: Error | | Include Error events (level 2) |
| Event Levels: Warning | | Include Warning events (level 3) |
| Event Levels: Information | | Include Information events (level 4) |
| Event Levels: Verbose | | Include Verbose events (level 5) |
| Event Levels: Always | | Include Always logged events (level 0) |
| Event Levels: Audit Failure | | Include keyword 0x10 0000 0000 0000 only for security events |
| Event Levels: Audit Success | | Include keyword 0x20 0000 0000 0000 only for security events |
| Event Levels: Response Time | | Include keyword 0x01 0000 0000 0000 |
| Event Levels: Classic | | Include keyword 0x80 0000 0000 0000 for events raised by using the RaiseEvent |
| Filter enabled | Checkbox | Turn the filter on or off. |
| Filter enabled: Predefined Filters | | No Description |
| Filter enabled: Filter | | An Event filter |
| SID Translation | Enabled | |
| Active Directory (AD) lookup | Not enabled | Turn the conversion of GUIDs into text on or off. |
| AD DNS domain name | | |
| AD domain controller name | | |
| Use Event Channel | Not enabled | Use the event's channel when available, and use Channel as the default. |
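
The following Python sketch is an added example, not code from the product or its documentation. It maps a Windows event's Level and Keywords values to the Event Levels options listed above and reports which constructed sample events a given selection would leave out. It assumes an event is collected when it matches at least one selected option, because the page does not state how the options combine; all function names and sample events are hypothetical.

```python
# Added example: models the Event Levels options (levels 0-5 and keyword bits).
LEVELS = {0: "Always", 1: "Critical", 2: "Error",
          3: "Warning", 4: "Information", 5: "Verbose"}

# Keyword bits as listed on the page, written without the digit grouping.
# The page applies the two audit keywords only to security events.
KEYWORDS = {
    0x0010000000000000: "Audit Failure",
    0x0020000000000000: "Audit Success",
    0x0001000000000000: "Response Time",
    0x0080000000000000: "Classic",
}

def matching_options(level, keywords):
    """Names of the options that an event with this Level/Keywords matches."""
    names = [LEVELS[level]] if level in LEVELS else []
    names += [name for bit, name in KEYWORDS.items() if keywords & bit]
    return names

def is_selected(level, keywords, selected):
    """Assumption: one matching selected option is enough to collect the event."""
    return any(name in selected for name in matching_options(level, keywords))

# Constructed sample events: (description, Level, Keywords).
# Security audit events are commonly logged at level 0 with an audit keyword.
SAMPLE_EVENTS = [
    ("Security 4625 failed logon", 0, 0x8010000000000000),
    ("Security 4624 successful logon", 0, 0x8020000000000000),
    ("System service crash", 2, 0x8080000000000000),
    ("Application info", 4, 0x0080000000000000),
]

def dropped(selected):
    """Sample events that the given set of selected options would not collect."""
    return [desc for desc, level, kw in SAMPLE_EVENTS
            if not is_selected(level, kw, selected)]

if __name__ == "__main__":
    # Severity-only selection: the level-0 audit events are left out.
    print(dropped({"Critical", "Error", "Warning"}))
    # Adding Audit Failure brings the failed logon back in.
    print(dropped({"Critical", "Error", "Warning", "Audit Failure"}))
```

Under that assumption, a selection limited to Critical, Error and Warning leaves out both logon audit events, which is the gap to check for before relying on a source for authentication monitoring.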