Skip to main content
Sumo Logic

Local Windows Event Log Source

Set up a Local Windows Event Log Source to collect local events you would normally see in the Windows Event Viewer. Setting up a Local Windows Event Source is a quick process. There are no prerequisites for setting up the source, and you'll begin collecting logs within a minute or so.

Local Windows Event Log Sources are only for collecting Windows Event Logs. All other types of log sources need to be configured either as a Remote File Source or as a Local File Source.

To configure a Local Windows Event Log Source

  1. In Sumo Logic select Manage Data > Collection > Collection.
  2. Find the name of the installed collector to which you'd like to add a source. Click Add and then choose Add Source from the pop-up menu.
  3. Click Windows Event Log.
  4. Choose Local for Type of Windows Source.
  5. Set the following:
    • Name. Type the name you'd like to display for the new source. 
    • Description is optional.
    • Source Category. Enter a string used to tag the output collected from this source with searchable metadata. For example, typing web_apps tags all the logs from this source in the sourceCategory field, so running a search on _sourceCategory=web_apps would return logs from this source. For more information, see Metadata Naming Conventions.
      If the source you are configuring is on the same installed collector as a Docker log source, you can construct the Source Category metadata field using Docker variables. For more information, see Configuring sourceCategory using variables below.
    • Windows Event Types. Select the event types you want to collect:
      • Standard Event Channels. Select the main check box for all types, or individual check boxes for specific types (Security, Application, and/or System).
      • Custom Event Channels to specify, in a comma-separated list, the channels you'd like to collect from. If you need help finding channels on the machine where the source is installed, see Windows Event Source Custom Channels


    • Metadata. Choose whether you would like the collector to minimize the amount of data collected by omitting the full message text of each event. Core metadata fields such as event ID, timestamp, user name, as well as the unformatted event data will still be present. This can reduce data usage and increase event throughput, but will prevent many dashboards and apps from correctly extracting data.

      event metadata setting

    • Collection should begin. Choose or enter how far back you'd like to begin collecting historical logs. You can either:
      • Choose a predefined value from dropdown list, ranging from “Now” to “24 hours ago” to “All Time”, or
      • Enter a relative value. To enter a relative value, click the Collection should begin field and press the delete key on your keyboard to clear the field. Then, enter a relative time expression, for example “-1w”. You can define when you want collection to begin in terms of months (M), weeks (w), days (d), hours (h) and minutes (m).
    • Security Identifier. Newer collectors can map security identifiers (SIDs) to usernames. Choose:
      • Both Security Identifier and Username
      • Security Identifier Only
      • Username Only
    • Create any Processing Rules you'd like for the new Source.
  6. Click Save.

You can return to this dialog and edit the settings for the Source at any time.

Configuring sourceCategory using variables

In Collector version 19.216-22 and later, if you have a Docker Logs Source on the same Installed Collector where you are configuring the new Source, you can define the Source Category and Source Host, if the Source supports that field, for the new Source using system environment variables defined on the Collector’s host. To do so, specify the environment variables to include the metadata field in this form:


Where VAR_NAME is an environment variable name, for example:


You can use multiple variables, for example:

{{sys.PATH}} - {{sys.YourEnvVar}}

You can incorporate text in the metadata expression, for example:

AnyTextYouWant {{sys.PATH}} - {{sys.YourEnvVar}}

If a user-defined variable doesn’t exist, that portion of the metadata field will be blank.