Windows event logs provide an in-depth record of the system, security, and application events stored on a Windows operating system. They record hardware and software events as they occur on the machine. For more information about individual events, refer to the Microsoft Event Viewer documentation.
Integration Method: Data Collector
Tables: File System Activity (1001), Device Config State (5002), Authentication (3002), Datastore Activity (6005), Device Config State Change (5019), Account Change (3001), Entity Management (3004), Network Activity (4001), Application Lifecycle (6002), DHCP Activity (4004), Event Log Activity (1008), Application Error (6008), Process Activity (1007).
Prerequisites
The user should have a compatible Windows version and a configured Data Collector.
The user should have access to the DataBee console.
Configuration Overview
Install the Data Collector on your machine and configure filters for the data feed.
Install the Data Collector
Create a Windows Event Log data feed in the DataBee console.
Data Collector Configuration
To receive Windows Event Logs, a Data Collector must be installed and configured. The Data Collector reads logs from Windows Event Viewer and sends them to DataBee in encrypted form. For more information, refer to the Data Collector article.
Note:
The Data Collector needs to be installed where the event viewer logs are accessible.
Windows Configuration
Configure Filters
Open the Event Viewer app.
In the Event Viewer app, select a log under Windows Logs. In the Actions panel on the right-hand side, click Create Custom View.
Choose the relevant filters, such as Event Level and Event IDs, to refine your results as needed.
Click the XML tab, copy the query for later use, and then click OK.
DataBee supports the following event types:
Channel | Event | Description
---|---|---
Security | 1102 | The audit log was cleared
Security | 4618 | A monitored security event pattern has occurred
Security | 4692 | Backup of data protection master key was attempted
Security | 4693 | Recovery of data protection master key was attempted
Security | 4713 | Kerberos policy was changed
Security | 4714 | Encrypted data recovery policy was changed
Security | 4715 | The audit policy (SACL) on an object was changed
Security | 4716 | Trusted domain information was modified
Security | 4719 | System audit policy was changed
Security | 4724 | An attempt was made to reset an account's password
Security | 4727 | A security-enabled global group was created
Security | 4754 | A security-enabled universal group was created
Security | 4755 | A security-enabled universal group was changed
Security | 4794 | An attempt was made to set the Directory Services Restore Mode
Security | 4897 | Role separation enabled
Security | 4964 | Special groups have been assigned to a new logon
Security | 4624 | An account was successfully logged on
System | 19 | Installation Successful: Windows successfully installed the update
System | 6005 | The Event log service was started
System | 6006 | The Event log service was stopped
System | 6011 | The NetBIOS name and DNS host name of this machine have been changed
System | 50036 | DHCPv4 client service is started
System | 50037 | DHCPv4 client service is stopped
System | 50103 | DHCPv4 client registered for shutdown notification
System | 50104 | DHCPv4 client received shutdown notification
System | 50105 | DHCPv4 client ProcessDHCPRequestForever received TERMINATE_EVENT
System | 50106 | DHCPv4 is waiting on DHCPv6 service to stop
System | 51046 | DHCPv6 client service is started
System | 51047 | DHCPv6 client service is stopped
System | 51057 | DHCPv6 client service stop is almost done
System | 10148 | The WinRM service is listening for WS-Management requests
System | 10149 | The WinRM service is not listening for WS-Management requests
Application | 8198 | License Activation (slui.exe) failed
Application | 1014 | Acquisition of End User License failed
Application | 1040 | Beginning a Windows Installer transaction
Application | 1042 | Ending a Windows Installer transaction
Application | 1033 | Windows Installer installed the product
Application | 1034 | Windows Installer removed the product
Application | 1036 | Windows Installer updated the product
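Before pasting a copied custom view query into the data feed, it is worth confirming locally that it is well-formed and actually matches events. The PowerShell below is an added example, not part of the DataBee documentation or the Data Collector; it assumes the XML is what was copied from the Event Viewer XML tab, uses a subset of the Security event IDs from the table above, and runs in an elevated session so the Security log is readable.

```powershell
# Added example (not from the DataBee documentation): validate a Custom View
# XML query locally before pasting it into the data feed's Query field.
# Assumption: the here-string below is the query copied from Event Viewer's
# XML tab, restricted to a few of the Security event IDs listed in the table.
# Reading the Security channel requires an elevated (Administrator) session.

[xml]$customViewQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4719 or EventID=4724 or EventID=4624)]]</Select>
  </Query>
</QueryList>
"@

# Event Viewer custom view queries are XPath filters; -FilterXml accepts them as-is.
try {
    $events = Get-WinEvent -FilterXml $customViewQuery -MaxEvents 200 -ErrorAction Stop
}
catch [Exception] {
    # Get-WinEvent throws when the filter matches nothing. During validation that
    # is an acceptable result: the query parsed, there are simply no matching events yet.
    if ($_.Exception.Message -like '*No events were found*') {
        Write-Output 'Query is valid but matched no events in the Security log.'
        return
    }
    # Malformed XML/XPath or access denied: fix this before configuring the feed.
    throw
}

# Summarise what the feed would receive, grouped by event ID.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Name |
    ForEach-Object {
        [pscustomobject]@{
            EventID  = [int]$_.Name
            Count    = $_.Count
            Provider = ($_.Group | Select-Object -First 1).ProviderName
            Newest   = ($_.Group | Sort-Object TimeCreated -Descending |
                        Select-Object -First 1).TimeCreated
        }
    } | Format-Table -AutoSize
```

If the query matches nothing for an ID you expect to see (for example 4719), check that the corresponding audit policy is enabled on the host before assuming the Data Collector is at fault.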
DataBee Configuration
Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for Windows Event Log and select it.
Select Data Collector as the collection method.
Select the Windows Events option to poll Windows events from the Windows machine.
Enter the feed contact information, select the collector that you have created, and click the Next button.
Fill in the required details to configure the data feed:
Refresh Interval (seconds): Select 1 second to achieve optimum performance. The available options are 1, 5, 10, and 20.
Channels: Enter the channel name (Security, Application or System) from which the Data Collector will retrieve events.
Read Historical Events (optional): Enable this option to collect all existing events (disabled by default). This may cause duplicate data.
Query (optional): To filter data, paste the XML query copied from the Event Viewer custom view in the earlier step.
Click on the Next button.
Click on the Submit button.
Troubleshooting Tips
If you encounter any issues regarding log forwarding, refer to the DataBee troubleshooting article for detailed guidance.