To configure a Local or Remote Windows Event Source, you must identify the channels to collect from. This page explains how to obtain this list of channel names from your systems, and describes channels which the Sumo Logic collector cannot process.
Obtaining channel names
To find the available event channels for collection, execute the following PowerShell commands from an administrator PowerShell prompt. Then copy and paste the channel names into Source's Custom Events Channels text box.
Enter the following command into PowerShell:
# to see channels listed in the standard order Get-WinEvent -ListLog * # to sort more active channels to the top of the list Get-WinEvent -ListLog * | sort RecordCount -Descending # to see channels present on a remote computer Get-WinEvent -ListLog * -ComputerName <hostname>
The output will include a list of channels, along with the number of event records currently in those channels:
LogMode MaximumSizeInBytes RecordCount LogName ------- ------------------ ----------- ------- Circular 20971520 59847 Application Circular 20000000 29339 Microsoft-Windows-Store/Operational Circular 20971520 21903 Security Circular 4194304 10098 Microsoft-Windows-GroupPolicy/Operational Circular 5242880 9568 Microsoft-Windows-StateRepository/Operational Circular 15728640 7066 Windows PowerShell Circular 5242880 4644 Microsoft-Windows-AppXDeploymentServer/Operational Circular 8388608 4114 Microsoft-Windows-SmbClient/Connectivity Circular 1052672 2843 Microsoft-Windows-EapHost/Operational Circular 1052672 2496 Microsoft-Client-Licensing-Platform/Admin
In the output, the
LogName column contains the channel names to enter, comma-separated, into the Source's Custom Events Channels text box. You do not need to reenter the names of the standard Application, System, or Security logs, which are already selectable via check boxes.
For example, to collect events from the top 5 most active channels shown above, select the Application and Security check boxes, then enter the following string into the text box:
You can also obtain a list of channel names from the cmd.exe console by running the following command:
rem List channels on the local system wevtutil.exe enum-logs rem List channels on a remote system wevtutil.exe enum-logs /remote:<hostname>
The Sumo Logic collector does not collect events from the following channels:
- Analytic ETW channels
- Debug ETW channels