Collect Forwarded Events from a Windows Event Collector

Create a Windows Event Log Source

To configure a Windows Event Log Source

1. In Sumo Logic select Manage Data > Collection > Collection.
2. Find the name of the installed collector to which you'd like to add a source. Click Add and then choose Add Source from the pop-up menu.
3. Select the Windows Event Log source.
4. Choose Local or Remote for Type of Windows Source. Remote types require you to configure a few settings to enable remote access. A Remote Windows Event Log Source uses a single Sumo Logic Collector to collect Windows event log entries from multiple remote systems.
5. Set the following:
   • Name. Type the name you'd like to display for this source in the Sumo Logic Web Application. 
   • Description. Optional description.
   • Windows host(s). (Remote Source only) Enter one or more hostnames for the Windows machines from which you want to collect Windows Events. If you'd like to collect from more than one remote host, separate the hostnames with a comma. (If you enter more than one hostname, each host must allow event log access from the same domain user. See the prerequisites for more information.) The hostname can be a maximum of 128 characters.
     The hostname values are parsed and applied to your event logs as _sourceHost metadata automatically. The value is parsed from the field Computer in your event logs.
   • Source Category. Enter a string to tag the logs collected from this Source with searchable metadata. For example, typing web_apps tags all the logs from this Source in the sourceCategory field. For more information, see Metadata Naming Conventions and our Best Practices: Good Source Category, Bad Source Category.
     You can define a Source Category value using system environment variables, see Configuring sourceCategory using variables below.
   • Fields. Click the +Add Field link to add custom log metadata Fields.
     • Define the fields you want to associate, each field needs a name (key) and value. 
       •  A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
       •  An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
   • Windows Domain. (Remote Source only) Type the name of the Windows domain, the username for this host, and the password. 
   • Event Format. Select how you want your event logs formatted:

     

     • Collect using legacy format. Events retain their default text format from Windows.
     • Collect using JSON format. Events are formatted into JSON that is designed to work with Sumo Logic features, making it easier for you to reference your data.
   • Windows Event Types. Select Forwarded Events. If you have custom Forwarded Event Channels you can additionally specify them in the Custom Event Channels textbox. 

     

     If you need to collect from different channels you need to create a separate Source for each Windows Event Type. For example, each of the following types should have its own dedicated Source:

     • Collect Standard Event Channels Application, System, and Security.
     • Collect Forwarded Events
     • Custom Event Channels (except for custom forwarding channels)
        
   • Custom Event Channels allows you to specify, in a comma-separated list, the channels you'd like to collect from. You can specify custom Forwarded Events Channels. If you need help finding channels on the machine where the Source is installed, see Windows Event Source Custom Channels. 
   • Depending on the Event Format selected, you'll have different options.
     • Event Collection Level. When JSON format is selected you have the option to select:

       

       • Complete Message will ingest the entire event content along with metadata.
       • Concise Message will ingest the first line of event messages along with all of the metadata.
       • Metadata Only will ingest metadata fields from each event, including event ID and timestamp.
     • Metadata. When the legacy format is selected choose whether you would like the collector to minimize the amount of data collected by omitting the full message text of each event. Core metadata fields such as event ID, timestamp, user name, as well as the unformatted event data will still be present. This can reduce data usage and increase event throughput, but will prevent many dashboards and apps from correctly extracting data.

       

   • Collection should begin. Choose or enter how far back you'd like to begin collecting historical logs. You can either:
     • Choose a predefined value from dropdown list, ranging from “Now” to “24 hours ago” to “All Time”, or
     • Enter a relative value. To enter a relative value, click the Collection should begin field and press the delete key on your keyboard to clear the field. Then, enter a relative time expression, for example “-1w”. You can define when you want collection to begin in terms of months (M), weeks (w), days (d), hours (h) and minutes (m).
   • Security Identifier. Collectors on version 19.182 or later can map security identifiers (SIDs) to usernames. During collection, the Security ID field in your log message (if you selected Complete Message) is translated into the format of your choice. Choose:
     • Both Security Identifier and Username
     • Security Identifier Only
     • Username Only (Default)
       
       For example, in the following snippet of a security event message we have chosen both Security Identifier and Username:

       "An account was logged off.

       Subject:
    Security ID:        NT AUTHORITY\SYSTEM (S-1-5-18)
    Account Name:        IP-C6136038$
    Account Domain:        CORP
    Logon ID:        0x1B522D52

       If we would have chosen Security Identifier Only, the Security ID field would be S-1-5-18.
       If we would have chosen Username Only, the Security ID field would be NT AUTHORITY\SYSTEM.
   • Create any Processing Rules you'd like for the new Source.
6. Click Save.

You can return to this dialog and edit the settings for the Source at any time.

Configuring sourceCategory using variables