Collect Windows event log data sources with Log Analytics agent
Windows Event logs are one of the most common data sources for Log Analytics agents on Windows virtual machines since many applications write to the Windows event log. You can collect events from standard logs such as System and Application in addition to specifying any custom logs created by applications you need to monitor.
This article covers collecting Windows events with the Log Analytics agent, which is one of the agents used by Azure Monitor. Other agents collect different data and are configured differently. See Overview of Azure Monitor agents for a list of the available agents and the data they can collect.
Configuring Windows Event logs
Configure Windows Event logs from the Agents configuration menu for the Log Analytics workspace.
Azure Monitor only collects events from the Windows event logs that are specified in the settings. You can add an event log by typing in the name of the log and clicking +. For each log, only the events with the selected severities are collected. Check the severities for the particular log that you want to collect. You cannot provide any additional criteria to filter events.
As you type the name of an event log, Azure Monitor suggests common event log names. If the log you want to add does not appear in the list, you can still add it by typing in the full name of the log. You can find the full name of the log in Event Viewer: open the Properties page for the log and copy the string from the Full Name field.
Critical events from the Windows event log will have a severity of "Error" in Azure Monitor Logs.
Azure Monitor collects each event that matches a selected severity from a monitored event log as the event is created. The agent records its position in each event log that it collects from. If the agent goes offline for a period of time, it resumes collecting from where it last left off, including events that were created while it was offline. Those events can still be lost if the event log wraps while the agent is offline and uncollected events are overwritten.
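The following PowerShell snippet is an added example, not part of the Azure Monitor documentation or the agent itself. It covers the two practical checks from the preceding paragraphs: confirming the exact Full Name of each log you intend to collect (the same string Event Viewer shows under Properties), and identifying logs whose retention mode overwrites old records when the log fills, which is the condition under which events created during an agent outage can be lost. The `$LogsToCollect` list is an assumed configuration; replace it with the logs configured for your workspace.

```powershell
# Added example, not from the Azure Monitor docs. Requires an elevated PowerShell session
# on the Windows host where the Log Analytics agent runs.

# Assumed list of logs configured in the workspace's Agents configuration menu.
$LogsToCollect = @('System', 'Application', 'Microsoft-Windows-TaskScheduler/Operational')

foreach ($name in $LogsToCollect) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        # A typo or display name (rather than the Full Name) is the usual reason for this.
        Write-Warning "Log '$name' not found. Copy the Full Name from Event Viewer > Properties."
        continue
    }

    # LogMode 'Circular' means the oldest records are overwritten once MaximumSizeInBytes
    # is reached, so an offline agent can miss events on a busy circular log.
    $wrapsWhenFull = ($log.LogMode -eq 'Circular')

    [pscustomobject]@{
        FullName     = $log.LogName            # exact string to enter in the workspace
        Enabled      = $log.IsEnabled
        LogMode      = $log.LogMode            # Circular, AutoBackup or Retain
        MaxSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedMB       = [math]::Round($log.FileSize / 1MB, 1)
        RecordCount  = $log.RecordCount
        OldestRecord = $log.OldestRecordNumber # rising value = old records already discarded
        LastWrite    = $log.LastWriteTime
        WrapRisk     = $wrapsWhenFull
    }
}

# When you only know part of a log's name, -ListLog accepts wildcards; the pattern
# below is just an illustration.
Get-WinEvent -ListLog '*PowerShell*' -ErrorAction SilentlyContinue |
    Select-Object LogName, LogMode, RecordCount
```

A log that reports `WrapRisk = True` together with a small `MaxSizeMB` and a high `RecordCount` is the one to size up (or switch to AutoBackup) before relying on the agent's catch-up behaviour across an outage.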
Azure Monitor does not collect audit events created by SQL Server from source MSSQLSERVER with event ID 18453 that contain the keywords Classic or Audit Success and the keyword value 0xa0000000000000.
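To see which SQL Server login audit events on a given host fall under this exclusion before you depend on them in the workspace, the following added PowerShell example (not from the documentation) reads ID 18453 events from the Application log and tests each event's keyword bitmask against the value 0xa0000000000000 quoted above. It assumes a default SQL Server instance, whose provider name is MSSQLSERVER; a named instance logs under a different provider name.

```powershell
# Added example, not from the Azure Monitor docs. Run on the SQL Server host.
# The keyword value comes from the documentation; it is the combination of the
# Classic and Audit Success keyword bits.
$excludedKeywords = [int64]0xa0000000000000

# Assumed: default instance, so the provider is MSSQLSERVER. -MaxEvents keeps the
# query cheap on a busy Application log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSSQLSERVER'
    Id           = 18453
} -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No MSSQLSERVER events with ID 18453 found in the Application log.'
}

foreach ($e in $events) {
    $kw = [int64]$e.Keywords
    # The event is excluded when every bit of the documented mask is set.
    $excluded = (($kw -band $excludedKeywords) -eq $excludedKeywords)

    [pscustomobject]@{
        TimeCreated            = $e.TimeCreated
        Keywords               = ('0x{0:x}' -f $kw)
        KeywordNames           = ($e.KeywordsDisplayNames -join ', ')
        ExcludedByAzureMonitor = $excluded
        Message                = ($e.Message -split "`n")[0]
    }
}
```

Events reported as `ExcludedByAzureMonitor = True` will not appear in the `Event` table, so successful-login auditing for SQL Server needs another path (for example SQL Server's own audit features) if you require it in Azure Monitor Logs.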
Windows event records properties
Windows event records have a type of Event and have the properties in the following table:
| Property | Description |
|---|---|
| Computer | Name of the computer that the event was collected from. |
| EventCategory | Category of the event. |
| EventData | All event data in raw format. |
| EventID | Number of the event. |
| EventLevel | Severity of the event in numeric form. |
| EventLevelName | Severity of the event in text form. |
| EventLog | Name of the event log that the event was collected from. |
| ParameterXml | Event parameter values in XML format. |
| ManagementGroupName | Name of the management group for System Center Operations Manager agents. For other agents, this value is |
| RenderedDescription | Event description with parameter values. |
| Source | Source of the event. |
| SourceSystem | Type of agent the event was collected from. OpsManager: Windows agent, either direct connect or Operations Manager managed. Linux: all Linux agents. AzureStorage: Azure Diagnostics. |
| TimeGenerated | Date and time the event was created in Windows. |
| UserName | User name of the account that logged the event. |
Log queries with Windows Events
The following table provides different examples of log queries that retrieve Windows Event records.
| Query | Description |
|---|---|
| `Event` | All Windows events. |
| `Event \| where EventLevelName == "Error"` | All Windows events with severity of error. (`EventLevelName` values are capitalized, such as "Error", and `==` is case-sensitive in log queries.) |
| `Event \| summarize count() by Source` | Count of Windows events by source. |
| `Event \| where EventLevelName == "Error" \| summarize count() by Source` | Count of Windows error events by source. |