Skip to main content
Sumo Logic

Collect Logs for the Windows App

This page provides instructions on configuring log collection for the Windows App, so that logs are collected from the Microsoft Windows Event Log and ingested into Sumo Logic. A sample log message and example query are also provided.

Log Types

Standard Windows event channels include:

  • Security
  • Application
  • System

Custom event channels, such as PowerShell or Internet Explorer are also supported.

Configure a Collector and a Source

To configure a collector and source, do the following:
  1. Configure an Installed Windows collector through the user interface or from the command line.
  2. Configure either a local or remote Windows Event Log source:

Sample Log Message

0
instance of Win32_NTLogEvent
{
    Category = 13571;
    CategoryString = "MPSSVC Rule-Level Policy Change";
    ComputerName = "aphrodite.sumolab.org";
    EventCode = 4957;
    EventIdentifier = 4957;
    EventType = 5;
    InsertionStrings = {"CoreNet-IPHTTPS-In", "Core Networking - IPHTTPS (TCP-In)", "Local Port"};
    Logfile = "Security";
    Message = "Windows Firewall did not apply the following rule:

    Rule Information:
    ID: CoreNet-IPHTTPS-In
    Name: Core Networking - IPHTTPS (TCP-In)

    Error Information:
    Reason: Local Port resolved to an empty set.";
    RecordNumber = 1441653878;
    SourceName = "Microsoft-Windows-Security-Auditing";
    TimeGenerated = "20130411232352.140400-000";
    TimeWritten = "20130411232352.140400-000";
    Type = "Audit Failure";
};

Query Sample

Recent Policy Changes

_sourceCategory=OS/Windows "Policy Change"
| parse regex "CategoryString = \"(?<category>[^\"]+?)\";[\s\S]+?Logfile = \"Security\""
| count by category
| where category matches "*Policy Change*"