Windows Event Log

The OS agent uses settings in the configuration (.conf) file to monitor events from the Windows Event Log.

The OS agent continues to use the WINEVENTLOGS configuration (.conf) file option to monitor events from the Windows Event Log. The agent monitors a comma-separated list of event logs as shown in the following example:

WINEVENTLOGS=System,Security,Application

The OS agent also continues to support the WINEVENTLOGS=All setting. The All setting refers only to the standard event logs that come with Windows versions earlier than 2008: Security, Application, System, Directory, Domain Name System (DNS), and File Replication Service (FRS). It does not cause every event log on the system to be checked.

The UseNewEventLogAPI configuration file tag makes the agent use the Windows Event Log API introduced with Windows 2008, which gives it access to any new logs added by Microsoft and to any Windows event logs created by other applications or by the user. The logs to monitor are still listed with the WINEVENTLOGS keyword.

In the following example, the UseNewEventLogAPI tag is set to y.

UseNewEventLogAPI=y
WINEVENTLOGS=Microsoft-Windows-Hyper-V-Worker-Admin

In this example, the Microsoft-Windows-Hyper-V/Admin log is monitored on a Windows system that has the Hyper-V role.

In the Windows Event Log, each event has the following fields in this order:

  • Date in the following format: month, day, time, and year
  • Event category as an integer
  • Event Level
  • Windows security ID. Any spaces in the Windows security ID are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file.
    Note: SpaceReplacement=TRUE is the default if you set UseNewEventLogAPI to y in the (.conf) file (indicating that you are using the new event log API).
  • Windows source. Any spaces in the Windows source are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file.
  • Windows event log keywords. Any spaces in the Windows event log keywords are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file.
    Note: The keyword field that is described here is new to the Windows 2008 version of Event Log. It did not exist in the previous Event Log, and so its presence prevents you from reusing your old Event Log format statements directly. They must be modified to account for this additional field.
  • Windows event identifier
  • Message text

For example, when an administrative user logs on to a Windows 2008 system, an event is generated in the Security log indicating the privileges that are assigned to the new user session:

Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing Audit_Success 4672 Special privileges assigned to new logon.
S-1-5-21-586564200-1406810015-1408784414-500    Account Name:
Administrator   Account Domain:     MOLDOVA     Logon ID:
0xc39cb8e    Privileges:        SeSecurityPrivilege
SeBackupPrivilege          SeRestorePrivilege
SeTakeOwnershipPrivilege            SeDebugPrivilege
SeSystemEnvironmentPrivilege            SeLoadDriverPrivilege
SeImpersonatePrivilege

To capture all events that were created by the Microsoft-Windows-Security-Auditing event source, you write a format statement as shown here:

REGEX BaseAuditEvent
^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] (\S+) (\S+) Microsoft-Windows-Security-Auditing (\S+) ([0-9]+) (.*)
timestamp $1
severity $2
login $3
eventsource "Microsoft-Windows-Security-Auditing"
eventkeywords $4
eventid $5
msg $6
END

For the previous example event, the following list shows the values that are assigned to the slots:

timestamp=Mar 22 13:58:35 2011
severity=Information
login=N/A
eventsource=Microsoft-Windows-Security-Auditing
eventid=4672
msg="Special privileges assigned to new logon.
S-1-5-21-586564200-1406810015-1408784414-500    Account Name:
Administrator   Account Domain:     MOLDOVA     Logon ID:
0xc39cb8e    Privileges:        SeSecurityPrivilege
SeBackupPrivilege          SeRestorePrivilege
SeTakeOwnershipPrivilege            SeDebugPrivilege
SeSystemEnvironmentPrivilege            SeLoadDriverPrivilege
SeImpersonatePrivilege"
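The following added example (not part of the product documentation or the agent's own code) applies the BaseAuditEvent pattern in Python to a constructed copy of the event above, joined back onto one line the way the agent writes it, and shows why a format statement written for the new field layout does not match a pre-2008 style event that lacks the keywords field. It assumes Python's re module is close enough to the agent's regex engine for this pattern.

```python
import re
from typing import Optional

# The regex from the BaseAuditEvent format statement: date, category, level,
# security ID, fixed source name, keywords, event ID, message text.
BASE_AUDIT_EVENT = re.compile(
    r"^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) "
    r"[0-9] (\S+) (\S+) Microsoft-Windows-Security-Auditing (\S+) ([0-9]+) (.*)"
)

# Slot names in the order the format statement assigns $1 .. $6.
SLOTS = ("timestamp", "severity", "login", "eventkeywords", "eventid", "msg")


def space_replacement(field: str) -> str:
    """Emulate SpaceReplacement=TRUE: spaces inside a field become underscores."""
    return field.replace(" ", "_")


def parse_base_audit_event(line: str) -> Optional[dict]:
    """Assign slots as the BaseAuditEvent statement would, or return None on no match."""
    m = BASE_AUDIT_EVENT.match(line)
    if m is None:
        return None
    slots = dict(zip(SLOTS, m.groups()))
    slots["eventsource"] = "Microsoft-Windows-Security-Auditing"  # literal in the statement
    return slots


# Constructed sample: the 4672 event from the text as a single agent line,
# with the keywords field passed through space replacement ("Audit Success").
SAMPLE_EVENT = (
    "Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing "
    + space_replacement("Audit Success")
    + " 4672 Special privileges assigned to new logon. "
    "S-1-5-21-586564200-1406810015-1408784414-500 Account Name: Administrator "
    "Account Domain: MOLDOVA Logon ID: 0xc39cb8e Privileges: SeSecurityPrivilege "
    "SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege "
    "SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege"
)

# Constructed sample in the old field layout (no keywords field after the source):
# the event ID lands where the statement expects keywords, so nothing matches.
LEGACY_EVENT = (
    "Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing "
    "4672 Special privileges assigned to new logon."
)

if __name__ == "__main__":
    for name, value in parse_base_audit_event(SAMPLE_EVENT).items():
        print(f"{name}={value}")
    print(parse_base_audit_event(LEGACY_EVENT))
```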

Because it is difficult to anticipate exactly what these events look like, a useful approach to writing your regular expressions is to capture the actual events in a file. Then, you can examine the file, choose the events that you want the agent to capture, and write regular expressions to match these events. To capture all events from your Windows Event Log, use the following steps:

  1. Create a format file that contains only one pattern that does not match anything, as shown in the following example:
    REGEX NoMatch
    This doesn't match anything
    END
  2. Add the following setting to the configuration (.conf) file:
    UnmatchLog=C:/temp/evlog.unmatch
  3. Run the agent and capture some sample events.