Sumo Logic

Windows Event Source Custom Channels

To configure a Local or Remote Windows Event Source, you must identify the channels to collect from. This page explains how to obtain this list of channel names from your systems, and describes channels which the Sumo Logic collector cannot process.

Obtaining channel names

To find the event channels available for collection, run the following PowerShell commands from an elevated (administrator) PowerShell prompt; the Security log and some Operational channels are not readable from a standard user session. Then copy and paste the chosen channel names into the Source's Custom Event Channels text box.

Enter the following commands into PowerShell:

# to see channels listed in the standard order
Get-WinEvent -ListLog *

# to sort the most active channels to the top of the list
Get-WinEvent -ListLog * | Sort-Object RecordCount -Descending

# to see channels present on a remote computer
Get-WinEvent -ListLog * -ComputerName <hostname>

Note that a wildcard listing such as the ones above omits Analytic and Debug channels unless you add -Force; since the collector cannot process those channels anyway, the default listing is the one to work from.

The output will include a list of channels, along with the number of event records currently in those channels:

LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            20971520       59847 Application
Circular            20000000       29339 Microsoft-Windows-Store/Operational
Circular            20971520       21903 Security
Circular             4194304       10098 Microsoft-Windows-GroupPolicy/Operational
Circular             5242880        9568 Microsoft-Windows-StateRepository/Operational
Circular            15728640        7066 Windows PowerShell
Circular             5242880        4644 Microsoft-Windows-AppXDeploymentServer/Operational
Circular             8388608        4114 Microsoft-Windows-SmbClient/Connectivity
Circular             1052672        2843 Microsoft-Windows-EapHost/Operational
Circular             1052672        2496 Microsoft-Client-Licensing-Platform/Admin

In the output, the LogName column contains the channel names to enter, comma-separated, into the Source's Custom Event Channels text box. You do not need to re-enter the names of the standard Application, System, or Security logs, which are already selectable via check boxes.

For example, to collect events from the top 5 most active channels shown above, select the Application and Security check boxes, then enter the following string into the text box:

Microsoft-Windows-Store/Operational,Microsoft-Windows-GroupPolicy/Operational,Microsoft-Windows-StateRepository/Operational

You can also obtain a list of channel names from the cmd.exe console by running the following command:

rem List channels on the local system
wevtutil.exe enum-logs

rem List channels on a remote system
wevtutil.exe enum-logs /remote:<hostname>

Unsupported channels

The Sumo Logic collector does not collect events from the following channels, so do not add them to the Custom Event Channels text box:

  • Analytic ETW channels
  • Debug ETW channels
  • Forwarded event channels
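The following script automates the selection procedure above and applies the unsupported-channel rules in one step: it enumerates the channels, drops the three already covered by check boxes (Application, System, Security) and the channel types the collector cannot process (Analytic, Debug, ForwardedEvents), ranks the rest by RecordCount, and emits the comma-separated string to paste into the text box. It is an added example, not Sumo Logic's own tooling or part of the collector. The function name, its parameters and their defaults are this example's own assumptions; the only external calls are Get-WinEvent and standard cmdlets.

```powershell
<#
Added example, not part of the Sumo Logic documentation or collector.
Builds the Custom Event Channels string for a Windows Event Source:
  - skips Application, System and Security (already selectable via check boxes)
  - skips Analytic, Debug and ForwardedEvents channels (not processed by the collector)
  - keeps only enabled channels with at least -MinRecords records
  - returns the -Top busiest remaining channels as one comma-separated string
Function and parameter names are this example's own.
#>
function Get-SumoCustomChannelString {
    [CmdletBinding()]
    param(
        # Remote host to query; omit to list the local machine.
        [string]$ComputerName,
        # Ignore channels with fewer records than this (illustrative default).
        [int]$MinRecords = 100,
        # How many of the most active supported channels to keep.
        [int]$Top = 10
    )

    # Channels already selectable via check boxes; never repeat them in the text box.
    $checkboxChannels = @('Application', 'System', 'Security')
    # EventLogType names of the Analytic and Debug channel types.
    $unsupportedTypes = @('Analytical', 'Debug')
    # Channel that holds events forwarded from other hosts (Windows Event Forwarding).
    $forwardedChannel = 'ForwardedEvents'

    # Without -Force a wildcard listing silently omits Analytic/Debug logs; they are
    # requested here only so the script can report what it is excluding.
    $listParams = @{ ListLog = '*'; Force = $true; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $listParams['ComputerName'] = $ComputerName }
    $allLogs = Get-WinEvent @listParams

    $unsupported = $allLogs | Where-Object {
        ("$($_.LogType)" -in $unsupportedTypes) -or ($_.LogName -eq $forwardedChannel)
    }
    Write-Verbose ("Skipping {0} channel(s) the collector does not process" -f @($unsupported).Count)

    $selected = $allLogs |
        Where-Object {
            $_.IsEnabled -and
            ("$($_.LogType)" -notin $unsupportedTypes) -and
            ($_.LogName -ne $forwardedChannel) -and
            ($_.LogName -notin $checkboxChannels) -and
            ($_.RecordCount -ge $MinRecords)
        } |
        Sort-Object RecordCount -Descending |
        Select-Object -First $Top

    # Show what will be pasted when -Verbose is given, then return the string itself.
    $selected | Format-Table LogType, RecordCount, LogName -AutoSize | Out-String | Write-Verbose
    return (@($selected | ForEach-Object LogName) -join ',')
}

# Usage: the five busiest supported custom channels on the local machine.
Get-SumoCustomChannelString -Top 5 -Verbose

# Usage: the same for a remote host, capturing the string for later use.
# $channels = Get-SumoCustomChannelString -ComputerName <hostname> -Top 5
```

Run it from an elevated prompt, as the page instructs, or channels such as Security will be missing from the listing and the counts will be incomplete. Note that -Top counts channels after the exclusions, so against the sample listing above -Top 5 would return Microsoft-Windows-Store/Operational, Microsoft-Windows-GroupPolicy/Operational, Microsoft-Windows-StateRepository/Operational, Windows PowerShell and Microsoft-Windows-AppXDeploymentServer/Operational, with Application and Security left to their check boxes. The remote form relies on Get-WinEvent's own -ComputerName support; the account running the script must have permission to read event logs on that host.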