Set up Windows Event Logging

Windows event log monitoring monitors event logs generated in the system viewer of all Windows devices in your network. Alerts are generated depending on the conditions specified in the monitor.

The Windows event log monitoring involves the following functions:

Defining the preprocessing policy in the cloud.
Receiving, preprocessing, and normalizing the logs in the agent.

Configure Windows event log monitoring using one of the following methods.

Creating a template
Assigning the template from devices

Configure an event log monitor when creating a template

Select a client from the All Clients list.
Go to Setup > Monitoring > Templates.
Click + Add.

Enter the following information:


Property	Description
Select Template Scope	(required) Template scope: Partner Template Client-specific Template
Client	(required) If Client-specific Template is selected, drop-down client list.
Collector Type	(required) For Windows event logs, select Agent.
Applicable For	(required) Select G1 Monitors or G2 Monitors.
Template Name	(required) Template name.
Description	(required) Template description.
Generation	Generation template belongs to. Prepopulated depending on the Applicable For selection.
Version	Template version. Fixed value = `1`.
Tags	User-defined tags for easy reference.
Prerequisites	User-defined prerequisites of what to consider when using this template.
Status	Template status: (default) Active EOL: end-of-life Inactive
Notes	Template notes.
Template Family Name	User-defined template family name.
Deployment Type	Deployment type: Custom Optional (default) Standard

Expand the Event Log Monitor section by clicking + Add.

Enter the following properties:


Property	Description
Frequency	Log monitoring frequency. Recommended: 15 minutes.
Alert	Select to initiate monitoring.
Priority	Priority level: P0 P1 P2 P3
Log Type	For each category you want to associate with the event logs, select the severity level(s): All: Select all severity levels. Error Critical Information Success Warning
Articles	Knowledge base articles to attach to the template. Choose Select or Modify and select from the list of articles.
Source	Source names to monitor the events. You can enter multiple comma-separated sources.
Event Ids	Required event IDs. You can enter multiple comma-separated event IDs.
Message String	Event description or regex to to match against monitored events. You can enter multiple message strings separated by `$$`. The message string field supports both normal and regex strings. the following characters must be preceded by the `\` escape character: `[`,`]`,`{`,`}`,`(`,`)`,`$`,`+`,`*`,`/`,`\`
Alert Component	The Alerts Component field requires users to enter the component name. The purpose of adding the Alert Component is that if the eventlog source names and eventid are the same but the message search string is different, the agent will create a separate eventlog alert based on the given component name. The Alerts Component field is optional, and the alert component support is only available for the included drop-down filter.
Included/Excluded	From the drop-down, select: Included: Monitor only the specified source name and event IDs or both from the specified input selected categories. Excluded: Skip specified source name and event IDs, or both, monitoring from the input selected categories.

Click Save to apply the configuration parameters.
After configuring an event log monitor, the agent begins collecting data according to the specified event log parameters and sends them to the cloud.

Configure an event log monitor when assigning a resource template

When event fields match the configured selection criteria those events sent as a critical alert.

Select a client from the All Clients list.
Go to Infrastructure > Resources and select the resource you want from the list of resources. You can use the search option to find a resource.
Click the resource name to view resource details.
Now, go to Monitors > Monitors > +AssignMonitors.

In Add Monitor page, select Agent from Collector Type and Category as Event Log Monitor and then enter the following details:


Property	Description
Frequency	Log monitoring frequency. Recommended: 15 minutes.
Alert	Select to initiate monitoring.
Priority	Priority level: P0 P1 P2 P3
Log Type	For each category you want to associate with the event logs, select the severity level(s): All: Select all severity levels. Error Critical Information Success Warning
Articles	Knowledge base articles to attach to the template. Choose Select or Modify and select from the list of articles.
Source	Source names to monitor the events. You can enter multiple comma-separated sources.
Event Ids	Required event IDs. You can enter multiple comma-separated event IDs.
Message String	Event description or regex to to match against monitored events. You can enter multiple message strings separated by `$$`. The message string field supports both normal and regex strings. the following characters must be preceded by the `\` escape character: `[`,`]`,`{`,`}`,`(`,`)`,`$`,`+`,`*`,`/`,`\`
Alert Component	The Alerts Component field requires users to enter the component name. The purpose of adding the Alert Component is that if the eventlog source names and eventid are the same but the message search string is different, the agent will create a separate eventlog alert based on the given component name. The Alerts Component field is optional, and the alert component support is only available for the included drop-down filter.
Included/Excluded	From the drop-down, select: Included: Monitor only the specified source name and event IDs or both from the specified input selected categories. Excluded: Skip specified source name and event IDs, or both, monitoring from the input selected categories.

Click Save to apply the configuration parameters.