You can use Logtail plug-ins to collect Windows event logs. This topic describes how to create a Logtail configuration that is used to collect Windows event logs in the Log Service console.

Prerequisites

  • Logtail V1.0.0.0 or later is installed on a Windows server. For more information, see Install Logtail on a Windows server.
  • The server from which you want to collect logs continuously generates logs.
    Important Logtail collects only incremental logs. If a log file on a server is not updated after the applied Logtail configuration is delivered to the server, Logtail does not collect logs from the file. For more information, see Read log files.

Implementation

To obtain event logs, Windows operating systems provide the Windows Event Log API and the Event Logging API. The Windows Event Log API is the successor of the Event Logging API and is available only in Windows Vista and later. For more information, see Windows Event Log and Event Logging. Logtail plug-ins automatically select an API based on the operating system to obtain Windows event logs, and prefer the Windows Event Log API when it is available.

The publish-subscribe model is used to collect Windows event logs. An application or the kernel publishes event logs to a specified channel, such as the Application, Security, or System channel. The Logtail plug-in calls the Windows Event Log API or the Event Logging API to subscribe to the channel. This way, Logtail can continuously collect event logs and send the logs to Log Service.

Logtail allows you to collect event logs from multiple channels at a time. For example, you can collect event logs from the application and system channels at a time.

View the information about a channel

You can view the information about a channel in the Event Viewer window of your Windows server.

  1. Click Start.
  2. Search for and click Event Viewer. The Event Viewer window appears.
  3. In the left-side navigation pane, expand Windows Logs.
  4. View the full name of a channel.
    Right-click a channel below Windows Logs and select Properties. In the window that appears, you can view the full name of the channel. The following channels are provided:
    • Application
    • Security
    • Setup
    • System
  5. View the information about a channel.
    Click the channel below Windows Logs. Then, you can view Level, Date and Time, Source, and Event ID of each event.

    In a Logtail configuration, you can filter logs based on the preceding information.

    Event logs

Procedure

  1. Log on to the Log Service console.
  2. In the Import Data section, click Windows Event Logs.
  3. Select the project and Logstore. Then, click Next.
  4. In the Create Machine Group step, create a machine group.
    • If a machine group is available, click Use Existing Machine Groups.
    • If no machine groups are available, perform the following steps to create a machine group. In this example, an Elastic Compute Service (ECS) instance is used.
      1. On the ECS Instances tab, select Manually Select Instances. Then, select the ECS instance that you want to use and click Create.

        For more information, see Install Logtail on ECS instances.

        Important If your server is an ECS instance that belongs to a different Alibaba Cloud account than Log Service, a server from a third-party cloud service provider, or an on-premises server in a data center, you must manually install Logtail. For more information, see Install Logtail on a Windows server. After you manually install Logtail, you must configure a user identifier on the server. For more information, see Configure a user identifier.
      2. After Logtail is installed, click Complete Installation.
      3. In the Create Machine Group step, configure the Name parameter and click Next.

        Log Service allows you to create IP address-based machine groups and custom identifier-based machine groups. For more information, see Create an IP address-based machine group and Create a custom identifier-based machine group.

  5. Select the new machine group from Source Server Groups and move the machine group to Applied Server Groups. Then, click Next.
    Important If you apply a machine group immediately after you create the machine group, the heartbeat status of the machine group may be FAIL. This issue occurs because the machine group is not connected to Log Service. To resolve this issue, you can click Automatic Retry. If the issue persists, see What do I do if no heartbeat connections are detected on Logtail?
  6. In the Specify Data Source step, configure the Config Name and Plug-in Config parameters. Then, click Next.
    • inputs specifies the collection configurations of your data source. This parameter is required.
      Important You can specify only one type of data source in the inputs parameter.
    • processors specifies the processing configurations that are used to parse data. You can extract fields, extract log time, desensitize data, and filter logs. This parameter is optional. You can specify one or more processing methods. For more information, see Overview.
    For example, if you want to collect logs from the Application and System channels, you can add the following elements to the inputs parameter:
    {
        "inputs": [
            {
                "type": "service_wineventlog",
                "detail": {
                    "Name": "Application",
                    "IgnoreOlder": 259200
                }
            },
            {
                "type": "service_wineventlog",
                "detail": {
                    "Name": "System",
                    "IgnoreOlder": 259200
                }
            }
        ]
    }
    The following parameters are supported (Parameter, Type, Required, Description):
    • type (String, required): The type of the data source. Set the value to service_wineventlog.
    • Name (String, required): The name of the channel from which you want to collect event logs. Default value: Application. This value indicates that event logs are collected from the Application channel. You can view the full name of a channel in the Windows operating system. For more information, see Step 4.
    • IgnoreOlder (UINT, optional): The time offset. You can configure this parameter to filter logs by event time. Unit: seconds. If the event time of a log is earlier than the start time of collection minus the offset, the log is ignored. The event time is the time when a log is generated. Examples:
      • If you set the value to 3600, logs that are generated more than 1 hour before the start time of collection are ignored.
      • If you set the value to 14400, logs that are generated more than 4 hours before the start time of collection are ignored.
      By default, this parameter is left empty, which indicates that logs are not filtered by event time. In this case, all historical event logs on your server are collected.
      Note This parameter takes effect only the first time you create a Logtail configuration. Logtail records checkpoints for the collection of event logs. This prevents logs from being repeatedly collected.
    • Level (String, optional): The event level. You can configure this parameter to filter logs by event level. Default value: information, warning, error, critical. This value indicates that logs of all event levels except verbose are collected. Available levels include information, warning, error, critical, and verbose. You can specify multiple event levels and separate the event levels with commas (,).
      Note This parameter is available only when the Windows Event Log API is used. This parameter is supported only in Windows Vista and later.
    • EventID (String, optional): The event ID. You can configure this parameter to filter logs by event ID. You can specify an event ID or a range of event IDs for positive filtering; only logs with a matching event ID are collected. You can also prefix an event ID with a hyphen (-) for negative filtering; logs with that event ID are not collected. By default, this parameter is left empty, which indicates that all event logs are collected. Examples:
      • 1-200: Only the event logs whose event IDs are in the range from 1 to 200 are collected.
      • 20: Only the event log whose event ID is 20 is collected.
      • -100: All event logs except the event log whose event ID is 100 are collected.
      • 1-200,-100: Event logs whose event IDs are in the range from 1 to 200, except 100, are collected.
      You can specify multiple event IDs or event ID ranges and separate them with commas (,).
      Note This parameter is available only when the Windows Event Log API is used. This parameter is supported only in Windows Vista and later.
    • Provider (String array, optional): The event source. You can configure this parameter to filter logs by event source. For example, if you set the value to ["App1", "App2"], only event logs whose sources are App1 or App2 are collected.
      By default, this parameter is left empty, which indicates that event logs of all sources are collected.
      Note This parameter is available only when the Windows Event Log API is used. This parameter is supported only in Windows Vista and later.
    • IgnoreZeroValue (Boolean, optional): Some fields in an event log may be empty. You can configure this parameter to filter out empty fields. An empty field holds the zero value of its data type. For example, an empty integer field has the value 0.
      Default value: false. This value indicates that empty fields are not filtered out.
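As an added example (not Logtail's own code and not the plug-in's implementation), the following Python script models the filter semantics documented above: it validates an inputs block (required, single data-source type), parses EventID expressions such as 1-200,-100, applies the Level, Provider and IgnoreOlder rules, and reports which events each service_wineventlog input would collect. The Event class, START, SAMPLE_CONFIG and SAMPLE_EVENTS are constructed here for the demonstration and are assumptions, not values from this topic.

```python
"""Model of the documented filter semantics of a service_wineventlog input.

Added example, not Logtail's own code: reads an "inputs" block shaped like the
one in this topic and decides which constructed events it would collect.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

ALL_LEVELS = {"information", "warning", "error", "critical", "verbose"}
DEFAULT_LEVELS = "information,warning,error,critical"  # documented default for Level
_ID_TOKEN = re.compile(r"^(-)?(\d+)(?:-(\d+))?$")       # "20", "1-200" or "-100"


@dataclass
class Event:
    """Constructed stand-in for one collected record; names follow the log-field table."""
    log_name: str      # channel, e.g. "System"
    event_id: int
    level: str
    source_name: str   # event source (provider)
    event_time: datetime


def parse_event_ids(spec: str) -> Tuple[List[Tuple[int, int]], Set[int]]:
    """Split an EventID string such as "1-200,-100" into include ranges and excluded IDs."""
    include: List[Tuple[int, int]] = []
    exclude: Set[int] = set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        m = _ID_TOKEN.match(token)
        if not m:
            raise ValueError(f"bad EventID token: {token!r}")
        negative, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        if negative:
            if hi is not None:
                raise ValueError(f"negative ranges are not documented: {token!r}")
            exclude.add(lo)
        else:
            hi_val = int(hi) if hi is not None else lo
            if hi_val < lo:
                raise ValueError(f"range end before start: {token!r}")
            include.append((lo, hi_val))
    return include, exclude


class ChannelFilter:
    """Filter for one inputs element, built from its "detail" object."""

    def __init__(self, detail: Dict, start_time: datetime):
        self.name = detail.get("Name", "Application")   # documented default channel
        self.ignore_older = detail.get("IgnoreOlder")    # seconds, or None (no time filter)
        raw_levels = detail.get("Level", DEFAULT_LEVELS)
        self.levels = {l.strip().lower() for l in raw_levels.split(",") if l.strip()}
        unknown = self.levels - ALL_LEVELS
        if unknown:
            raise ValueError(f"unknown Level value(s): {sorted(unknown)}")
        self.include, self.exclude = parse_event_ids(detail.get("EventID", ""))
        self.providers = set(detail.get("Provider") or [])  # empty set = all sources
        self.start_time = start_time

    def accepts(self, ev: Event) -> bool:
        if ev.log_name != self.name:
            return False
        if self.ignore_older is not None:
            cutoff = self.start_time - timedelta(seconds=self.ignore_older)
            if ev.event_time < cutoff:   # older than "start of collection minus offset"
                return False
        if ev.level.lower() not in self.levels:
            return False
        if ev.event_id in self.exclude:  # negative filter wins over a matching range
            return False
        if self.include and not any(lo <= ev.event_id <= hi for lo, hi in self.include):
            return False
        if self.providers and ev.source_name not in self.providers:
            return False
        return True


def build_filters(config: Dict, start_time: datetime) -> List[ChannelFilter]:
    """Validate the inputs block and build one filter per element."""
    inputs = config.get("inputs") or []
    if not inputs:
        raise ValueError("inputs is required")
    types = {i.get("type") for i in inputs}
    if types != {"service_wineventlog"}:   # only one data-source type is allowed
        raise ValueError(f"inputs must hold a single data-source type, got {sorted(map(str, types))}")
    return [ChannelFilter(i.get("detail", {}), start_time) for i in inputs]


def collect(config: Dict, events: List[Event], start_time: datetime) -> List[Tuple[str, int]]:
    """Return (channel, event ID) of every event accepted by at least one input."""
    filters = build_filters(config, start_time)
    return [(ev.log_name, ev.event_id) for ev in events if any(f.accepts(ev) for f in filters)]


# Constructed collection start time, configuration and events (assumptions for this example).
START = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONFIG = {"inputs": [
    {"type": "service_wineventlog",
     "detail": {"Name": "System", "IgnoreOlder": 259200, "EventID": "1-200,-100"}},
    {"type": "service_wineventlog",
     "detail": {"Name": "Application", "Level": "error,critical", "Provider": ["App1"]}},
]}
SAMPLE_EVENTS = [
    Event("System", 20, "error", "Kernel", START - timedelta(minutes=5)),       # collected
    Event("System", 100, "error", "Kernel", START - timedelta(minutes=5)),      # dropped: -100
    Event("System", 300, "error", "Kernel", START - timedelta(minutes=5)),      # dropped: outside 1-200
    Event("System", 50, "verbose", "Kernel", START - timedelta(minutes=5)),     # dropped: verbose not in default Level
    Event("System", 50, "warning", "Kernel", START - timedelta(days=4)),        # dropped: older than IgnoreOlder (3 days)
    Event("Application", 7, "error", "App1", START - timedelta(days=30)),       # collected: no IgnoreOlder on this input
    Event("Application", 8, "error", "App2", START - timedelta(minutes=1)),     # dropped: Provider filter
    Event("Application", 9, "warning", "App1", START - timedelta(minutes=1)),   # dropped: Level filter
]

if __name__ == "__main__":
    print(collect(SAMPLE_CONFIG, SAMPLE_EVENTS, START))
```

Run it before applying a configuration to check that the EventID, Level and Provider values express the intended scope, for example that a negative ID really removes one event from an otherwise collected range.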

  7. Preview data, configure indexes, and then click Next.
    By default, full-text indexing is enabled for Log Service. You can also configure field indexes based on collected logs in manual mode or automatic mode. To configure field indexes in automatic mode, click Automatic Index Generation. This way, Log Service automatically creates field indexes. For more information, see Create indexes.
    Important If you want to query and analyze logs, you must enable full-text indexing or field indexing. If you enable both full-text indexing and field indexing, the system uses only field indexes.
  8. Click Log Query. You are redirected to the query and analysis page of your Logstore.
    You must wait approximately 1 minute for the indexes to take effect. Then, you can view the collected logs on the Raw Logs tab. For more information, see Query and analyze logs.

Troubleshooting

If no data is displayed on the preview page or query page after logs are collected by using Logtail, you can troubleshoot the errors based on the instructions that are provided in What do I do if errors occur when I use Logtail to collect logs?

What to do next

After Windows event logs are collected to Log Service, you can view the logs in the Log Service console.

    Raw log

The following log fields are included (Log field, Description):
  • activity_id: The global transaction identifier (GTID) of the transaction to which the event belongs. Events that belong to the same transaction use the same GTID.
  • computer_name: The name of the server on which the event is generated.
  • event_data: The data that is related to the event.
  • event_id: The ID of the event.
  • kernel_time: The kernel time that is consumed by the event. In most cases, the value is 0.
  • keywords: The keyword that is associated with the event. Keywords are used to classify events.
  • level: The level of the event.
  • log_name: The name of the channel from which the logs of the event are collected. The value of this field is the same as the value of the Name parameter that is specified in your Logtail configuration.
  • message: The message that is associated with the event.
  • message_error: The error that occurred when the message associated with the event was parsed.
  • opcode: The operation code that is associated with the event.
  • process_id: The process ID of the event.
  • processor_id: The processor ID that is associated with the event. In most cases, the value is 0.
  • processor_time: The processor time that is consumed by the event. In most cases, the value is 0.
  • provider_guid: The GTID of the event source.
  • record_number: The record number that is associated with the event. The record number increases when an event is written to Log Service. If the number exceeds 2^32 for the Event Logging API or 2^64 for the Windows Event Log API, the record number starts from 0 again.
  • related_activity_id: The GTID of another transaction that is associated with the transaction to which the event belongs.
  • session_id: The session ID of the event. In most cases, the value is 0.
  • source_name: The source of the event. The value of this field is the same as the value of the Provider parameter that is specified in your Logtail configuration.
  • task: The task that is associated with the event.
  • thread_id: The thread ID of the event.
  • type: The API that is used to obtain the event.
  • user_data: The user data that is associated with the event.
  • user_domain: The user domain that is associated with the event.
  • user_identifier: The Windows security identifier of the user that is associated with the event.
  • user_name: The username that is associated with the event.
  • user_time: The time that is consumed by the event in user mode. In most cases, the value is 0.
  • user_type: The user type that is associated with the event.
  • version: The version of the event.
  • xml: The raw information of the event. The information is in the XML format.
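The xml field carries the raw event, so the flattened fields above can be cross-checked against it when a record looks wrong (for example a missing message or an unexpected level). As an added example (not Logtail's own code), the following Python script parses an event in the standard Windows event XML schema and maps it to the field names of this table. SAMPLE_XML is a constructed event, and the numeric level-to-name mapping is the standard Windows one (1 critical, 2 error, 3 warning, 4 information, 5 verbose); both are assumptions of this example, not values from this topic.

```python
"""Map the raw xml field of a collected Windows event to the flattened log fields.

Added example, not Logtail's own code. SAMPLE_XML is constructed for this demo.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # standard event schema
LEVEL_NAMES = {1: "critical", 2: "error", 3: "warning", 4: "information", 5: "verbose"}


def parse_event_xml(xml_text: str) -> Dict[str, object]:
    """Return a dict keyed like the log-field table (event_id, level, source_name, ...)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("event XML has no System element")

    def text(tag: str, default: Optional[str] = None) -> Optional[str]:
        el = system.find(f"e:{tag}", NS)
        return el.text if el is not None and el.text is not None else default

    def attr(tag: str, name: str, default: Optional[str] = None) -> Optional[str]:
        el = system.find(f"e:{tag}", NS)
        return el.get(name, default) if el is not None else default

    level_num = int(text("Level", "4"))
    record: Dict[str, object] = {
        "event_id": int(text("EventID", "0")),
        "version": int(text("Version", "0")),
        "level": LEVEL_NAMES.get(level_num, str(level_num)),   # unknown numbers kept as-is
        "task": int(text("Task", "0")),
        "opcode": int(text("Opcode", "0")),
        "keywords": text("Keywords"),
        "source_name": attr("Provider", "Name"),
        "provider_guid": attr("Provider", "Guid"),
        "event_time": attr("TimeCreated", "SystemTime"),        # not in the table; kept for context
        "record_number": int(text("EventRecordID", "0")),
        "activity_id": attr("Correlation", "ActivityID"),
        "related_activity_id": attr("Correlation", "RelatedActivityID"),
        "process_id": int(attr("Execution", "ProcessID", "0")),
        "thread_id": int(attr("Execution", "ThreadID", "0")),
        "log_name": text("Channel"),
        "computer_name": text("Computer"),
        "user_identifier": attr("Security", "UserID"),
        "event_data": {},
        "xml": xml_text,
    }
    # EventData/Data elements become the event_data map; unnamed entries get positional keys.
    data: Dict[str, str] = {}
    for d in root.iterfind("e:EventData/e:Data", NS):
        key = d.get("Name") or f"Data{len(data)}"
        data[key] = (d.text or "").strip()
    record["event_data"] = data
    return record


# Constructed sample event (placeholder GUIDs; S-1-5-18 is the well-known LocalSystem SID).
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="App1" Guid="{00000000-0000-0000-0000-000000000001}"/>
    <EventID>20</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-10T11:55:00.000000Z"/>
    <EventRecordID>12345</EventRecordID>
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000002}"/>
    <Execution ProcessID="4321" ThreadID="8765"/>
    <Channel>Application</Channel>
    <Computer>win-host-01</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData>
    <Data Name="Service">svc1</Data>
    <Data Name="Status">stopped</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    rec = parse_event_xml(SAMPLE_XML)
    print({k: v for k, v in rec.items() if k != "xml"})
```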