RunReveal

Windows Event Log source

The eventlog source subscribes to Windows Event Log channels and streams events in real time.

This source is only available on Windows.

Configuration

{
  "sources": {
    "security": {
      "type": "eventlog",
      "channel": "Security"
    }
  }
}

Options

Option | Type | Default | Description
channel | string | required for XPath queries | Event log channel name (e.g. "Security", "Application", "System")
query | string | "" | XPath 1.0 or structured XML query to filter events
buffer | int | 128 | Maximum events buffered between reads. Events are dropped if the buffer fills.

Examples

Collect Security events

{
  "sources": {
    "security": {
      "type": "eventlog",
      "channel": "Security"
    }
  }
}

Filter with an XPath query

{
  "sources": {
    "login-failures": {
      "type": "eventlog",
      "channel": "Security",
      "query": "*[System[EventID=4625]]"
    }
  }
}
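Before committing an XPath filter to the "query" field, it is worth dry-running it against the local log and checking the recent event rate, since events beyond the "buffer" limit are dropped. The PowerShell below is an added example, not part of the RunReveal docs or agent; it assumes a Windows host where the shell has permission to read the Security log, and the 10-minute window and the 4625 filter are illustrative choices.

```powershell
# Added example (not RunReveal code): validate an eventlog source query locally.
# Assumes an elevated PowerShell session; reading the Security log needs it.

# 1. Dry-run the same XPath filter that the config's "query" field will carry.
#    Get-WinEvent applies it with the native Event Log XPath subset, so a
#    filter that returns rows here will also match inside the source config.
$xpath = "*[System[EventID=4625]]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, MachineName

# 2. Estimate recent volume on the channel to judge whether the default
#    buffer of 128 events is enough between reads. A burst larger than the
#    buffer (for example a password-spray producing thousands of 4625s in a
#    few seconds) would be partially dropped, so size "buffer" from the
#    observed peak rather than the average.
$windowMinutes = 10
$since = (Get-Date).AddMinutes(-$windowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
    -ErrorAction SilentlyContinue
$count = ($events | Measure-Object).Count
"{0} Security events in the last {1} minutes ({2:N2} events/s)" -f `
    $count, $windowMinutes, ($count / ($windowMinutes * 60))

# Peak one-second bucket inside the window: the number that should stay below "buffer".
$peak = $events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') } |
    Sort-Object Count -Descending | Select-Object -First 1
if ($peak) { "Peak: {0} events at {1}" -f $peak.Count, $peak.Name }
```

If the peak one-second count approaches 128, raise "buffer" in the source config or narrow the "query" so fewer events are delivered per read.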

Multiple channels

{
  "sources": {
    "security": {
      "type": "eventlog",
      "channel": "Security"
    },
    "application": {
      "type": "eventlog",
      "channel": "Application"
    },
    "system": {
      "type": "eventlog",
      "channel": "System"
    }
  }
}

Event fields

Field | Value
sourceType | "eventlog"
rawLog | Event data
