
Collecting Windows Event Logs
Last updated: 2025-04-18 16:20:44
Windows event logs provide a standardized, centralized record of significant software and hardware events for both applications and the operating system. When an application, hardware component, or the operating system encounters an unexpected error, Windows event logs help you diagnose its root cause. This document describes how to collect Windows event logs and ship them to CLS using LogListener (Windows edition).

Prerequisites

The target Windows server has LogListener installed. For details, see LogListener Installation Guide (Windows edition).

Directions

Step 1: Selecting a Log Topic

You can either create a log topic or use an existing one as needed.
Using a New Log Topic
Using an Existing Log Topic
To select a new log topic, perform the following steps:
1. Log in to the Cloud Log Service console.
2. In the left sidebar, select Overview to enter the overview page.
3. In quick access, find and click Windows event log to enter the collection configuration process.

4. On the Create Log Topic page, configure the log topic information such as the name and log retention period as needed, and click Next.

To select an existing log topic, perform the following steps:
1. Log in to the Cloud Log Service console.
2. In the left sidebar, select Log Topic. Then, select the log topic you want to ship and click its name to access the log topic management page.
3. Select the Collection Configuration tab, and click Add in the Windows event collection configuration column.


Step 2: Managing Machine Groups

1. After you have created or selected the log topic, proceed to Machine Group Management for configuration.
2. Select the Windows machine group from which you want to collect logs in the list of machine groups.

If you want to select a new machine group, click Create now, select Windows for System, and associate the target Windows server by IP or machine identification. For details, see Machine Group. After completing the creation, select the newly created machine group in the machine group list.

3. Click Next to enter the Collection Configuration process.

Step 3: Collection Configuration

On the Collection Configuration page, configure the rules for Windows event collection. After you have completed the configuration, click Next.

Configuring Event Collection Rules
A collection configuration enables you to configure multiple event collection rules, with each rule including the following configuration items:
Event channel (required)
  The event channel to collect from. The following options are available:
  Application (application events): Records events generated by applications, such as software crashes, configuration changes, and error messages.
  System (system events): Records events related to operating system components, such as drivers, system services, and hardware issues.
  Security (security events): Records security-related events, such as user logons/logoffs, permission changes, and audit policy changes.
  Setup (setup events): Records events related to system setup and configuration changes.
  ALL: All events.
  Note:
  It is recommended that each event channel on a server be used by only one collection configuration. Using the same event channel in multiple collection configurations can result in duplicate data.

Start time (required)
  The following two options are supported:
  Custom time: Event logs are collected starting from the time you specify.
  Full collection: All event logs on the server are collected. Note: Events that have already been removed by the Windows log retention settings cannot be collected.

Custom time (required when Start time is set to Custom time)
  The point in time from which event logs are collected.

Event ID (optional)
  Supports including specific values (such as 20) or value ranges (such as 0-20), as well as excluding individual values (such as -20). Multiple filter criteria are separated by commas. For example, "1-200,-100" collects event logs with IDs in the range 1-200, excluding those with event ID 100.
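The following is an added example, not code from the original page or from LogListener itself. It implements the Event ID filter syntax described above (single values, ranges, comma-separated terms, and negated single values) and applies it together with the event channel setting to a few constructed sample events, so you can check which records a rule would collect before configuring it. Its treatment of a filter that contains only negated terms (collect everything else) is an assumption, since the page does not state that case.

```python
import re

# Event channels offered by the collection configuration (from the page).
CHANNELS = ("Application", "System", "Security", "Setup", "ALL")


def parse_event_id_filter(expr):
    """Parse a filter expression such as "1-200,-100".

    Returns (includes, excludes): a list of inclusive (low, high) ranges to
    collect and a set of single event IDs to drop. An empty expression means
    no ID filtering at all.
    """
    includes = []
    excludes = set()
    for raw in expr.split(","):
        term = raw.strip()
        if not term:
            continue
        # Single value "20" or range "0-20".
        m = re.fullmatch(r"(?P<low>\d+)(?:-(?P<high>\d+))?", term)
        if m:
            low = int(m.group("low"))
            high = int(m.group("high")) if m.group("high") else low
            if low > high:
                raise ValueError(f"range start exceeds range end: {term!r}")
            includes.append((low, high))
            continue
        # Negated single value "-20" (the page documents only single negated IDs).
        m = re.fullmatch(r"-(?P<id>\d+)", term)
        if m:
            excludes.add(int(m.group("id")))
            continue
        raise ValueError(f"unsupported filter term: {term!r}")
    return includes, excludes


def event_id_matches(event_id, expr):
    """True if an event with this ID is collected under the filter expression."""
    includes, excludes = parse_event_id_filter(expr)
    if event_id in excludes:
        return False
    if not includes:
        # Assumption: with no positive terms, every ID not excluded is collected.
        return True
    return any(low <= event_id <= high for low, high in includes)


def select_events(events, channel, expr=""):
    """Return the record_id of every sample event the rule would collect."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown event channel: {channel!r}")
    return [
        e["record_id"]
        for e in events
        if (channel == "ALL" or e["channel"] == channel)
        and event_id_matches(e["event_id"], expr)
    ]


# Constructed sample events (record IDs, channels and event IDs are made up).
SAMPLE_EVENTS = [
    {"record_id": 1, "channel": "Security", "event_id": 100},
    {"record_id": 2, "channel": "Security", "event_id": 150},
    {"record_id": 3, "channel": "System", "event_id": 150},
    {"record_id": 4, "channel": "Security", "event_id": 250},
    {"record_id": 5, "channel": "Security", "event_id": 20},
]

if __name__ == "__main__":
    # The page's own example: IDs 1-200 except 100, on the Security channel.
    print(select_events(SAMPLE_EVENTS, "Security", "1-200,-100"))  # [2, 5]
    print(select_events(SAMPLE_EVENTS, "ALL", "150"))               # [2, 3]
    print(select_events(SAMPLE_EVENTS, "System"))                   # [3]
```

Because a channel that appears in more than one collection configuration is collected more than once, a quick way to use this helper is to run every rule you plan to create against the same sample list and confirm that no record_id is returned by two rules.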

Step 4: Index Configuration

In the Index Configuration process, set the following information:

Index Status: Select whether to enable indexing.
Note:
Indexing must be enabled for log search; otherwise, logs cannot be retrieved.
Full-Text Index: Select whether full-text indexing is case-sensitive.
Full-Text Delimiter: The default value is @&()='",;:<>[]{}/ \n\t\r. You can modify it as needed.
Key-Value Index: Enabled by default and populated from the Windows event log fields. To disable it, switch it off.
Note:
Enabling key-value indexing along with full-text indexing does not incur any extra fees.


Step 5: Search and Analysis

At this point, you have completed the collection configuration of Windows event logs. Next, you can go to the Log Search page to view the logs.

Log Field Explanation

computer_name: Name of the computer that generated the event.
keywords: Keywords associated with the event, used for event categorization.
level: Severity level of the event.
channel: Name of the channel the event was written to.
event_data: Event-specific data.
message: Message text associated with the event.
opcode: Operation code associated with the event.
process.pid: ID of the process that generated the event.
type: API used to obtain the event.
version: Version number of the event definition.
record_id: Record number of the event in its log.
event_id: ID of the event.
task: Task associated with the event.
provider_guid: Globally unique identifier (GUID) of the event's provider (source).
activity_id: Identifier of the activity the event belongs to. All events occurring within the same activity share this ID.
process.thread.id: ID of the thread that generated the event.
provider_name: Name of the event's provider (source).
raw_data: The original event, in XML format.
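As an added example (not code from the original page or from LogListener), the block below shows how the fields listed above relate to the raw_data XML. It assumes raw_data carries the standard Windows Event XML layout (namespace http://schemas.microsoft.com/win/2004/08/events/event) and extracts the fields that the XML itself contains; message and type are not derivable from the XML alone, so they are left out. The sample event, including its host name, GUIDs and record number, is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace of the standard Windows Event XML schema.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the Windows Event XML layout that raw_data carries.
# The GUIDs, host name, PIDs and record number are placeholders.
SAMPLE_RAW_DATA = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{00000000-0000-0000-0000-000000000001}"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2025-04-18T08:20:44.000Z"/>
    <EventRecordID>12345</EventRecordID>
    <Correlation ActivityID="{00000000-0000-0000-0000-0000000000aa}"/>
    <Execution ProcessID="712" ThreadID="1234"/>
    <Channel>Security</Channel>
    <Computer>host-example</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>"""


def _text(root, path):
    """Text of the first element at the namespaced path, or None if absent."""
    value = root.findtext(path, namespaces=EVENT_NS)
    return value.strip() if value is not None else None


def _int(root, path):
    """Integer value of the element at the path, or None if absent/empty."""
    value = _text(root, path)
    return int(value) if value else None


def _attr(element, name, convert=str):
    """Attribute of an optional element, converted, or None."""
    if element is None or element.get(name) is None:
        return None
    return convert(element.get(name))


def event_xml_to_fields(raw_data):
    """Map Windows Event XML to the field names used by the log topic."""
    root = ET.fromstring(raw_data)
    provider = root.find("e:System/e:Provider", EVENT_NS)
    correlation = root.find("e:System/e:Correlation", EVENT_NS)
    execution = root.find("e:System/e:Execution", EVENT_NS)
    # EventData is a list of named <Data> elements; flatten it into a dict.
    event_data = {
        d.get("Name"): (d.text or "").strip()
        for d in root.findall("e:EventData/e:Data", EVENT_NS)
    }
    return {
        "computer_name": _text(root, "e:System/e:Computer"),
        "keywords": _text(root, "e:System/e:Keywords"),
        "level": _int(root, "e:System/e:Level"),
        "channel": _text(root, "e:System/e:Channel"),
        "event_data": event_data,
        "opcode": _int(root, "e:System/e:Opcode"),
        "process.pid": _attr(execution, "ProcessID", int),
        "process.thread.id": _attr(execution, "ThreadID", int),
        "version": _int(root, "e:System/e:Version"),
        "record_id": _int(root, "e:System/e:EventRecordID"),
        "event_id": _int(root, "e:System/e:EventID"),
        "task": _int(root, "e:System/e:Task"),
        "provider_guid": _attr(provider, "Guid"),
        "provider_name": _attr(provider, "Name"),
        "activity_id": _attr(correlation, "ActivityID"),
        "raw_data": raw_data,
    }


if __name__ == "__main__":
    fields = event_xml_to_fields(SAMPLE_RAW_DATA)
    for name, value in fields.items():
        if name != "raw_data":
            print(f"{name}: {value}")
```

Keeping raw_data alongside the parsed fields is what lets you re-parse an event later if a field mapping changes, which is why the page lists it as its own field; the parsed fields are what the key-value index is built from.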
