
Collect Logs for Windows App

This procedure explains how to collect logs from the Microsoft Windows Event Log and ingest them into Sumo Logic. 

Windows Performance is considered a separate data type.

Log Types

Standard Windows event channels include:

  • Security
  • Application
  • System

Custom event channels, such as PowerShell or Internet Explorer, are also supported.

Configure a Collector

Configure an Installed Windows collector through the user interface or from the command line.

Configure a Source

Configure either a local or remote Windows Event Log source.

Sample Log Message

instance of Win32_NTLogEvent
{
    Category = 13571;
    CategoryString = "MPSSVC Rule-Level Policy Change";
    ComputerName = "aphrodite.sumolab.org";
    EventCode = 4957;
    EventIdentifier = 4957;
    EventType = 5;
    InsertionStrings = {"CoreNet-IPHTTPS-In", "Core Networking - IPHTTPS (TCP-In)", "Local Port"};
    Logfile = "Security";
    Message = "Windows Firewall did not apply the following rule:

    Rule Information:
    ID: CoreNet-IPHTTPS-In
    Name: Core Networking - IPHTTPS (TCP-In)

    Error Information:
    Reason: Local Port resolved to an empty set.";
    RecordNumber = 1441653878;
    SourceName = "Microsoft-Windows-Security-Auditing";
    TimeGenerated = "20130411232352.140400-000";
    TimeWritten = "20130411232352.140400-000";
    Type = "Audit Failure";
};

Query Sample

Recent Policy Changes

_sourceCategory=OS/Windows "Policy Change"
| parse regex "CategoryString = \"(?<category>[^\"]+?)\";[\s\S]+?Logfile = \"Security\""
| count by category
| where category matches "*Policy Change*"
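As an added example that is not part of the Sumo Logic page, the Python below parses records in the Win32_NTLogEvent format shown above and replays the Recent Policy Changes query offline, so you can see which records the `parse regex` step keeps and which it drops. The names FIELD_RE, parse_ntlogevent and policy_change_counts, the hostname, and the categories and event codes other than 4957 are assumptions constructed for the example.

```python
import re
from collections import Counter

# One field of a Win32_NTLogEvent record: `Key = value;` where value is a quoted
# string (may span lines, like Message), a {list}, or a bare number.
FIELD_RE = re.compile(r'^\s*(?P<key>\w+) = (?P<val>"[^"]*"|\{[^}]*\}|[^;]+);', re.M)

# The expression the page's query hands to `parse regex`: capture CategoryString,
# then require that the same record's Logfile is "Security".
QUERY_RE = re.compile(r'CategoryString = "(?P<category>[^"]+?)";[\s\S]+?Logfile = "Security"')

def parse_ntlogevent(record):
    """Turn one record into a dict: strings lose quotes, {lists} become lists, numbers become int."""
    fields = {}
    for m in FIELD_RE.finditer(record):
        val = m.group("val").strip()
        if val.startswith('"'):
            val = val[1:-1]
        elif val.startswith("{"):
            val = [item.strip().strip('"') for item in val[1:-1].split(",")]
        elif val.isdigit():
            val = int(val)
        fields[m.group("key")] = val
    return fields

def policy_change_counts(records):
    """Replay the query: keyword term, parse regex (non-matching records are dropped),
    count by category, where category matches "*Policy Change*"."""
    counts = Counter()
    for record in records:
        if "Policy Change" not in record:      # the query's "Policy Change" keyword term
            continue
        m = QUERY_RE.search(record)            # no match when Logfile is not Security
        if m and "Policy Change" in m.group("category"):
            counts[m.group("category")] += 1
    return dict(counts)

# Constructed records in the page's format; hostname, categories and event codes other
# than 4957 are sample values, not data from the page.
TEMPLATE = (
    'instance of Win32_NTLogEvent\n{{\n    Category = 13571;\n    CategoryString = "{category}";\n'
    '    ComputerName = "host1.example.test";\n    EventCode = {code};\n'
    '    InsertionStrings = {{"CoreNet-IPHTTPS-In", "Local Port"}};\n    Logfile = "{logfile}";\n'
    '    Message = "Windows Firewall did not apply the following rule:\n\n    Reason: Local Port '
    'resolved to an empty set.";\n    Type = "Audit Failure";\n}};'
)
SAMPLE_RECORDS = [
    TEMPLATE.format(category="MPSSVC Rule-Level Policy Change", code=4957, logfile="Security"),
    TEMPLATE.format(category="Audit Policy Change", code=4719, logfile="Security"),
    TEMPLATE.format(category="MPSSVC Rule-Level Policy Change", code=4957, logfile="System"),
    TEMPLATE.format(category="Logon", code=4624, logfile="Security"),
]
```

The third record carries a Policy Change category but sits in the System log, so the regex's `Logfile = "Security"` anchor drops it, which is the behaviour the query relies on.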