Free Report! Gartner® Hype Cycle™ for Monitoring and Observability.Read more
Technical “How-To’s”

Monitoring Windows Event Logs

Joe Howell
Joe Howell

Windows event logs are essential for security, troubleshooting, and compliance. When you analyze your logs, you can monitor and report on file access, network connections, unauthorized activity, error messages, and unusual network and system behavior.

However, Windows servers produce tens of thousands of log entries every day. The sheer volume of data is almost impossible to go through manually—and most of these entries will show successful, problem-free interactions and transactions.

What Types of Events Are Logged By Windows and Can Be Viewed Using The Event Viewer?

For Windows systems, there are three default types of event logs:

  1. System
  2. Application
  3. Security

Beyond the initial three categories, there are typically additional Windows Event Log channels, as seen in this screenshot from a Windows 10 system.

Getting into the Details on Windows Events

The cool thing about Windows Event Logs is that it is a treasure trove of data that can detect issues with the Windows environment and indicate potential problems. You need to know what to look for. Windows Event Logs give a blueprint of current conditions for the Windows systems. Applications and the built-in Windows Services use these event logs to record necessary hardware and software actions that the administrator can use to troubleshoot issues. The Windows operating system tracks specific events in its log files, such as application installations, system logins, network resource access, or errors.

Anatomy of a Windows Event

Here are some examples of data typically available via Windows Event Logs.

Event in a log entryDefinitions
LoggedThe time the event occurred.
UserThe username (actual or service user) associated with the event.
ComputerThe name of the computer associated with the event. These may be the remote computer on your network accessing local resources.
Event IDA Windows identification number that specifies the event type. This can be used to look up details on the event
LevelSeverity of the event. These can range from Informational to Critical
SourceThe program or component that caused the event.

How Do I View Windows Events?

Windows Events can be viewed in Windows Event Viewer, which is built into every Windows installation (except for Windows Server Core). While Event Viewer helps view the local logs, it can connect to other Windows systems across your domain.

Generally, it is a good tool for troubleshooting single issues, but it could be better for looking at events across your environment.

Should I Disable Windows Event Log?

No, the Windows Event Log is set to overwrite old entries at a maximum of 16 MB for each category. You don’t have to worry about the event’s data filling up too much storage.

This is configurable via the properties in the Event Viewer for the individual log.

Windows Event Logs in observIQ – What Is Collected

In observIQ, you can add a Source to a deployed agent that will collect logs from the machine the agent is deployed on. Configuration information collected includes the following, as represented in the table below:


System EventsToggle check box to enable/disable collection of System Event logs.
Application EventsToggle check box to enable/disable collection of Application Event logs.
Security EventsToggle check box to enable/disable collection of Security Event logs.
Max ReadsUse this field to set the maximum number of records read into memory before beginning a new batch. The default is ‘100’.
Poll IntervalUse this field to set the interval at which the channel is checked for new log entries. This check begins after all new records have been read. The default is ‘1’.
Start AtChoose whether to start reading from the beginning or end of a file with “end” being the default.

Setting Up Log Collection for Windows Event Logs

Assuming you already have an observIQ Log Agent deployed on a Windows machine (and we’d be remiss not to mention our log agent, Stanza, is the official log agent of the OpenTelemetry project), the first step will be to add the Windows Event Log source to the agent you want to use to collect Windows Event Logs with.

You are allowed to collect system, application, and security logs. You can also define your list of additional Event channels. If you have questions about which category of logs you wish to collect, each option includes a summary description of the logs collected. You can elect to collect all categories of logs as well.

The source configuration dialogue box provides an advanced invocation option if you want to collect logs in a custom format and potentially attach custom metadata.

Once configured, logs flow in the Kibana log visualization element of observIQ Cloud.

Happy Logging!

Joe Howell
Joe Howell

Related posts

All posts

Get our latest content
in your inbox every week

By subscribing to our Newsletter, you agreed to our Privacy Notice

Community Engagement

Join the Community

Become a part of our thriving community, where you can connect with like-minded individuals, collaborate on projects, and grow together.

Ready to Get Started

Deploy in under 20 minutes with our one line installation script and start configuring your pipelines.

Try it now