- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elastic Common Schema (ECS)
- 67. Elasticsearch and Kibana
- 68. F5 BIG-IP
- 69. File Integrity Monitoring
- 70. FreeRADIUS
- 71. Google Chronicle
- 72. Graylog
- 73. HP ProCurve
- 74. IBM QRadar SIEM
- 75. Industrial Control Systems
- 76. Kubernetes
- 77. Linux Audit System
- 78. Linux system logs
- 79. Log Event Extended Format (LEEF)
- 80. LogPoint
- 81. Logstash
- 82. McAfee Enterprise Security Manager (ESM)
- 83. McAfee ePolicy Orchestrator
- 84. Microsoft Active Directory Domain Controller
- 85. Microsoft Azure
- 86. Microsoft Azure Event Hubs
- 87. Microsoft Azure Sentinel
- 88. Microsoft Exchange
- 89. Microsoft IIS
- 90. Microsoft SharePoint
- 91. Microsoft SQL Server
- 92. Microsoft System Center Endpoint Protection
- 93. Microsoft System Center Configuration Manager
- 94. Microsoft System Center Operations Manager
- 95. MongoDB
- 96. Nagios Log Server
- 97. Nessus Vulnerability Scanner
- 98. NetApp
- 99. .NET application logs
- 100. Nginx
- 101. Okta
- 102. Oracle Database
- 103. Osquery
- 104. Postfix
- 105. Promise
- 106. Raijin Database Engine
- 107. Rapid7 InsightIDR SIEM
- 108. RSA NetWitness
- 109. SafeNet KeySecure
- 110. Salesforce
- 111. Snare
- 112. Snort
- 113. Solarwinds Loggly
- 114. Splunk
- 115. Sumo Logic
- 116. Symantec Endpoint Protection
- 117. Synology DiskStation
- 118. Syslog
- 119. Sysmon
- 120. Ubiquiti UniFi
- 121. VMware vCenter
- 122. Windows AppLocker
- 123. Windows Command Line Auditing
- 124. Windows Event Log
- 125. Windows Firewall
- 126. Windows Group Policy
- 127. Windows Management Instrumentation (WMI)
- 128. Windows PowerShell
- 129. Microsoft Windows Update
- 130. Windows USB auditing
- 131. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
124.1. About Windows Event Log
Windows Event Log captures the details of both system and application events. When such an event occurs, Windows records it in the event log. The event log is then used to find details about the event and can be helpful when troubleshooting problems. Beside their use for IT related purposes, Windows Event Logs are also used to satisfy compliance mandates.
Unlike other event logs, such as the UNIX Syslog, Windows Event Log is not stored as a plain text file, but in a proprietary binary format. It is not possible to view Windows Event Log in a text editor, nor is it possible to send it as a Syslog event while retaining its original format. However, the raw event data can be translated into XML using the Windows Event Log API and forwarded in that format.
124.1.1. The EVTX file format
Windows stores Windows Event Log files in the EVTX file format since the
release of Windows
Vista and Windows Server 2008. Prior to that, event log files were
stored in the EVT file format. Both are proprietary formats readable by
the Microsoft Management Console (MMC) snap-in eventvwr.msc.
The EVTX format includes many new features and enhancements: a number of new event properties, the use of channels to publish events, a new Event Viewer, a rewritten Windows Event Log service, and support for the Extensible Markup Language (XML) format. From a log processing perspective, the added support for XML is the most important addition, as it provides the possibility to share or further process the event data in a structured format.
For the built in channels, Windows automatically saves the corresponding EVTX
file into the C:\Windows\System32\winevt\Logs\ directory. Events can also be
saved manually from the Event Viewer MMC snap-in, in four different formats:
EVTX, XML, TXT, and CSV.
NXLog can directly read EVTX and EVT files using the im_msvistalog
File directive. In addition, the
CaptureEventXML directive of the same
module can be used to store and send raw XML-formatted event data in the
$EventXML field.
124.1.2. Viewing the Windows Event Log
The Windows Event Log can be viewed in the Event Viewer MMC snap-in included in Windows. Windows Event Logs are stored in a binary source data format, which is the "source" or "on-disk" format. It does not include the full message, only the event properties. When an event is rendered, property values are inserted into the localized message template stored elsewhere on disk.
The Event Viewer includes three views for displaying the data for a selected event. These are shown on the preview pane or in the Event Properties window when an event is opened.
-
The general view is shown by default. It includes the full message rendered from template and the "System" set of key/value pairs.
-
The Friendly View is available on the Details tab. It shows a hierachical view of the System properties and additional EventData properties defined by the event provider. It does not show a rendered message.
-
The XML View can be selected under the Details tab. It shows the event properties in XML format. It does not show a rendered message.
A Windows Event Log event in XML format<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4624</EventID> [...] <Channel>Security</Channel> <Computer>USER-WORKSTATION</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-18</Data> [...] </EventData> </Event>
Events can be accessed through the Event Log API (see Windows Event Log Functions on Microsoft Docs). In particular:
-
EvtQuery() fetches events from a given channel or log file that match a given query—see Querying for Events.
-
EvtFormatMessage() generates a message string for an event using the event properties and the localized message template—see Formatting Event Messages.
124.1.3. Event channels
The EVTX format introduces event channels. A channel is a stream of events that collects events from a publisher and writes them to an event log file.
Channels are organized into two groups:
-
The Windows Logs group contains a set of exactly five channels, which are used for Windows system events.
-
The Applications and Services Logs group contains channels created for individual applications or components. These channels are further organized in a folder hierarchy.
There are two channel types indicating how the events are handled:
-
Serviced channels offer relatively low volume, reliable delivery of events. Events in these channels may be forwarded to another system, and these channels may be subscribed to.
-
Direct channels are for high-performance collection of events. It is not possible to subscribe to a a direct channel. By default, these channels are disabled. To see these channels in the Event Viewer, check Show Analytic and Debug Logs in the View menu. To enable logging for one of these channels, select the channel, open the Action menu, click Properties, and check Enable logging on the General tab.
Each of the above is subdivided into two more channel types according to the the intended audience for the events collected by that channel:
-
Administrative channels collects events for end users, administrators, and support. This is a serviced channel type.
-
Operational channels collect events used for diagnosing problems. This is a serviced channel type.
-
Analytic channels are for events that describe program operation. These channels often collect a high volume of events. This is a direct channel type.
-
Debug channels are intended to be used by developers only. This is a direct channel type.
| Channel Groups | Channels | Channel Type |
|---|---|---|
Windows Logs |
Application |
Administrative (serviced) |
Security |
Administrative (serviced) |
|
Setup |
Operational (serviced) |
|
System |
Administrative (serviced) |
|
Forwarded Events |
Operational (serviced) |
|
Applications and Services Logs |
DHCP-Server/Admin |
Administrative (serviced) |
DHCP-Server/AuditLogs |
Analytic (direct) |
|
DHCP-Server/DebugLogs |
Debug (direct) |
|
(And many more publisher-defined channels) |
||
The im_msvistalog module can be configured to collect events from a specific channel with the Channel directive.
For more information about event channels, see these two pages on Microsoft Docs: Event Logs and Event Logs and Channels in Windows Event Log.
124.1.4. Providers
Event log providers write events to event logs. An event log provider can be a service, driver, or program that runs on the computer and has the necessary instrumentation to write to the event log.
Event providers are categorized into four main types.
-
Manage Object Format (MOF) providers (also referred to as "classic")
-
Windows Software Trace Preprocessor (WPP) providers
-
Manifest-based providers
-
TraceLogging providers
For more information on providers, see the Providers section in the Microsoft Windows documentation.