Monitoring Windows Event Logs – Getting Started

Introduction

Windows event logs are important for security, troubleshooting, and compliance. When you analyze your logs, you can monitor and report on file access, network connections, unauthorized activity, error messages, and unusual network and system behavior.

However, Windows servers produce tens of thousands of log entries every day. The sheer volume of data is almost impossible to go through manually—and a significant majority of these entries will simply be showing successful, problem-free interactions and transactions.

What Types of Events Are Logged By Windows And Can Be Viewed Using The Event Viewer?

For Windows systems, there are three default types of event logs:

1. System
2. Application
3. Security

Beyond the initial 3 categories, there are typically additional Windows Event Log channels as you can see in this screenshot from a Windows 10 system.

Getting into the Details on Windows Events

The cool thing about Windows Event Logs is it is a treasure trove of data that can be used to detect issues with the Windows environment as well as provide an indication of potential problems. You just need to know what to look for. Windows Event Logs provide a blueprint of current conditions for the Windows systems. Applications and the built-in Windows Services use these event logs to record important hardware and software actions that the administrator can use to troubleshoot issues. The Windows operating system tracks specific events in its log files, such as application installations, system logins, network resource access, or errors.

Anatomy of a Windows Event

Here are some examples of data typically available via Windows Event Logs.

How Do I View Windows Events?

Windows Events can be viewed in Windows Event Viewer, which is built into every Windows installation (except for Windows Server Core). While Event Viewer is useful for viewing the local logs, it can also be used to connect to other Windows systems across your domain.

Generally, it is a good tool for troubleshooting single issues, but not ideal for looking at events from across your environment.

Should I Disable Windows Event Log?

No, the Windows Event Log is set to overwrite old entries at a maximum of 16mb for each category. You don’t have to worry about the event’s data filling up too much storage.

This is configurable via the properties in the Event Viewer for the individual log.

Windows Event Logs in observIQ – What Is Collected

In observIQ, you can add a Source to a deployed agent that will collect logs from the machine the agent is deployed on. Configuration information collected include the following as represented in the table below:

Configuration

Setting Up Log Collection for Windows Event Logs

Assuming you already have an observIQ Log Agent deployed on a Windows machine (and we’d be remiss not to mention our log agent, Stanza, is the official log agent of the OpenTelemetry project), a first step will be to add the Windows Event Log source to the agent you want to use to collect Windows Event Logs with.

You are given the opportunity to collect system, application, and security logs. You also can also define your own list of additional Event channels. If questions about which category of logs you wish to collect, each option includes a summary description of the logs collected. You can elect to collect all categories of logs as well.

If you want to collect logs in a custom format and potentially attach custom metadata, the source configuration dialogue box provides an advanced option to invoke that.

Once configured you now will have logs flowing in the Kibana log visualization element of observIQ Cloud.

Happy Loggin’.