Editing a Windows Event Log Source

Procedure

  1. On the Collection tab, double-click the selected Log Source or just select it and click the Edit button.
    The Windows Events Log Source Edition tab is displayed.
  2. In the General part of the screen, you can modify the following information:
    Log Source Enabled: Click ON or OFF to define whether the current Log Source is enabled or disabled.
    Name: Name of the Log Source. For example, ls-win-template
    Description: Description of the Log Source.
  3. In the Forwarding Connection part of the screen, you can modify the following information:
    Name: Select the Forwarding connection to which you want to forward the collected Windows Event logs. See Editing the Forwarding Collection List to edit the forwarding collection list.
    LogLogic® Universal Collector Collection date: Define whether the collection date of the log message sent to the LogLogic LMI server is kept in the local system time zone or converted to the UTC time zone.
  4. In the Message Filtering part of the screen, you can modify the following information:
    [Filtering]: Click ON or OFF to activate or deactivate message filtering.
    Event ID Filter: Regular expression used to filter events on the Windows event ID. For example:

    “567|^58[1-9]” means that the events whose Event ID contains 567, and also those whose Event ID is 581 to 589 inclusive, are collected.

    “^(8.*)|^(5[2-9].*)” means that the events whose Event ID starts with 8, and also those whose Event ID starts with 52 to 59 inclusive, are collected.

    If the field is empty or set to .*, no filter is applied.

    Refer to Regular Expressions for the list of characters used in regular expressions.

    and/or: Select whether an event must match both filters at the same time (and) or either one of them (or).
    Source Filter: Regular expression used to filter Windows events on the source field. For example:

    “Security” means that all events whose source field is Security match the filter.

    “DNS Client Events” means that all events whose source field is DNS Client Events match the filter.

    “Time-Service” means that all events whose source field is Time-Service match the filter.

    If the field is empty or set to .*, no filter is applied.

    Refer to Regular Expressions for the list of characters used in regular expressions.

  5. In the Collection part of the screen, you can modify the following information:
    [Location]
    Local/Remote host: Indicate whether the Windows host from which logs are polled is the local machine or a remote host.
    Host name: Enter the IPv4 / IPv6 address or the hostname of the remote Windows server.
    [Credentials]
    Use LogLogic® Universal Collector service credentials / Use custom credentials: Select the relevant option to use the correct Windows credentials.
    Note: If you have configured credentials in the LogLogic® Universal Collector Windows Services Control Panel, you can reuse those credentials for multiple Windows Event Log Collections. To do this, select the LogLogic® Universal Collector service credentials option.
    Domain (if Use custom credentials is set): Enter the domain name used to access the Windows server. For example, domain.company
    Login (if Use custom credentials is set): Enter the login used to connect to the Windows server. If the user has non-administrator privileges, ensure that the prerequisites specified in the section Windows Event Logs are met.
    Note: If the login belongs to a local user with administrator privileges, User Account Control (UAC) must be turned off on the event host.
    Password (if Use custom credentials is set): Enter the password used to connect to the Windows server.
    [Windows Event Logs]
    Collect: Define which Windows Event Log journals to include. One of:

    - all event logs: all current event logs, and any created later, are collected.

    - all event logs except the following ones: all current event logs, and any created later, are collected, except those indicated in the List field.

    - only the following event logs: only the event logs indicated in the List field are collected.

    List: List of Event Logs to include or exclude.
    Edit List: Displays the Edit List window, where you select the event logs to be collected:

    1 - In the Available Event Logs pane, select an event log and click Add. This adds the log to the list.

    2 - To remove event logs from the list, select them and click Remove.

    3 - To add an Event Log manually, enter its name and click Add. Ensure that the name is entered exactly, as it is case-sensitive.

    4 - Click OK.

    Note: To display all the Event Logs available, click the Discover Event Logs button.
    [Advanced]
    Polling Period: Enter the time period (in seconds) after which LogLogic® Universal Collector checks for new Windows events. Default value: 10
    Windows type: Specify the platform from the drop-down list.
    Note: If you do not specify the platform type, LogLogic® Universal Collector tries to auto-discover it. However, if the user has non-administrator privileges, this auto-discovery fails.
    Language type: Specify the language type from the drop-down list.
    Note: If you do not specify the type, English is assigned by default.
    Detect the Originating IP for Forwarded Events: Detects the originating IP of forwarded events.
    Note: Ensure that the function is switched On and that DNS resolution is working properly, or configure the HOSTS file on the LogLogic® Universal Collector server.
  6. Click Apply to validate the changes.
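The following Python script is an added illustration, not code from LogLogic® Universal Collector, of how the Collect mode and its List (step 5) and the Message Filtering options (step 4) decide which events a Log Source forwards. It assumes that the collector applies each regular expression in unanchored "search" style unless the pattern itself uses ^ or $, which is what the page's “567|^58[1-9]” example ("containing 567" versus "581 to 589") implies, and it uses the hypothetical mode names "all", "all_except" and "only" for the three Collect choices. The sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example: a minimal model of one Windows Event Log Source's
# collection choices (the Collect mode with its List) and its Message
# Filtering options (Event ID Filter, Source Filter, and/or switch).
# Assumption: regular expressions are applied search-style, i.e. unanchored
# unless the pattern uses ^ or $, as the page's "567|^58[1-9]" example implies.


@dataclass(frozen=True)
class WindowsEvent:
    journal: str    # event log name, e.g. "Security" or "System"
    event_id: int   # Windows event ID
    source: str     # the event's source (provider) field


def compile_filter(pattern: Optional[str]) -> Optional["re.Pattern"]:
    """Return a compiled regex, or None when the field is empty or '.*'
    (both mean 'no filter is set' on this page)."""
    if pattern is None or pattern.strip() in ("", ".*"):
        return None
    return re.compile(pattern)


def journal_collected(mode: str, listed: Iterable[str], journal: str) -> bool:
    """Apply the Collect option. Hypothetical mode names: 'all',
    'all_except', 'only'. Names are compared exactly (the List is
    case-sensitive)."""
    names = set(listed)
    if mode == "all":
        return True
    if mode == "all_except":
        return journal not in names
    if mode == "only":
        return journal in names
    raise ValueError(f"unknown Collect mode: {mode!r}")


def message_accepted(event: WindowsEvent, enabled: bool,
                     event_id_filter: str = "", source_filter: str = "",
                     combine: str = "and") -> bool:
    """Apply Message Filtering. With [Filtering] OFF every event passes.
    When both filters are set, 'and' requires both to match, 'or' either."""
    if not enabled:
        return True
    id_re = compile_filter(event_id_filter)
    src_re = compile_filter(source_filter)
    results = []
    if id_re is not None:
        results.append(id_re.search(str(event.event_id)) is not None)
    if src_re is not None:
        results.append(src_re.search(event.source) is not None)
    if not results:          # neither filter set: nothing is filtered out
        return True
    if combine == "and":
        return all(results)
    if combine == "or":
        return any(results)
    raise ValueError(f"combine must be 'and' or 'or', got {combine!r}")


def collected_event_ids(events: Iterable[WindowsEvent], mode: str,
                        listed: Iterable[str], enabled: bool = True,
                        event_id_filter: str = "", source_filter: str = "",
                        combine: str = "and") -> List[int]:
    """IDs of the events this Log Source would forward, in input order."""
    return [e.event_id for e in events
            if journal_collected(mode, listed, e.journal)
            and message_accepted(e, enabled, event_id_filter,
                                 source_filter, combine)]


# Constructed sample events (not real captured data).
SAMPLE_EVENTS = [
    WindowsEvent("Security", 567, "Security"),
    WindowsEvent("Security", 4567, "Security"),          # contains "567"
    WindowsEvent("Security", 585, "Security"),
    WindowsEvent("System", 580, "Time-Service"),
    WindowsEvent("Application", 1000, "Application Error"),
    WindowsEvent("System", 8200, "DNS Client Events"),
]

if __name__ == "__main__":
    # The page's first example: "567|^58[1-9]" keeps 567, 4567 and 585.
    print(collected_event_ids(SAMPLE_EVENTS, "all", [],
                              event_id_filter="567|^58[1-9]"))
    # Only the Security journal, and both filters must match ("and").
    print(collected_event_ids(SAMPLE_EVENTS, "only", ["Security"],
                              event_id_filter="^(8.*)|^(5[2-9].*)",
                              source_filter="Security", combine="and"))
```

Two points the script makes visible: an unanchored alternative such as 567 also matches 4567, so anchor with ^ when an exact ID range is intended, and a lowercase "security" in the List excludes nothing because the comparison is case-sensitive.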