Windows Event Log Monitoring

MetricsHub can read Windows Event Logs over WMI and turn the events that match a filter into a metric.

In the example below, MetricsHub is configured to:

  • collect events from the Security Windows Event Log
  • keep only the events that indicate a failure
  • expose the number of such events as a numerical metric.

Procedure

To implement this use case, follow these steps:

  • Declare the resource to be monitored (prod-win-web) and its attributes (host.name, host.type)
resources:
  prod-win-web:
    attributes:
      host.name: prod-win-web
      host.type: windows
  • Configure the WMI protocol with credentials and timeout. Use a dedicated account that has only the rights needed to read the Security log (reading it through WMI requires the "Manage auditing and security log" privilege, SeSecurityPrivilege) rather than an administrative account, and restrict read access to this configuration file since it holds that account's credential
    protocols:
      wmi:
        username: <username>
        password: <password>
        timeout: 240

Important: For large Windows Event Logs, make sure you configure a high enough timeout (e.g. 240 seconds).

  • Configure the monitor job targeting the desired Windows Event Logs
    monitors:
      logs:
        simple:
  • Collect Windows Events from the Security Log
          sources:
            # Columns
            # 1.RecordNumber, 2.TimeGenerated, 3.TimeWritten, 4.EventCode, 5.EventType, 6.EventIdentifier,
            # 7.SourceName, 8.InsertionStrings, 9.Message, 10.LogFile
            windowsEventLogSource:
              type: eventLog
              logName: Security
              sources: Microsoft-Windows-Security-Auditing
              maxEventsPerPoll: 20
  • Filter and count Windows Event Logs indicating failures. The awk script counts every row whose text matches the regular expression failed. (in awk, the unescaped dot matches any character, so "failed " and "failed." both match; the match is case-sensitive). Because the source returns at most maxEventsPerPoll events per collection, the resulting count cannot exceed that value: a burst of more than 20 failures in one poll is reported as 20, so raise maxEventsPerPoll if you expect bursts such as password-guessing attempts
              computes:
              - type: awk
                script: 'BEGIN {c=0} /failed./ {c++} END {print c}'
  • Create identification attributes
          mapping:
            # Mapping is executed on the result produced by the source (after computes are applied).
            source: ${source::windowsEventLogSource}
            attributes:
              id: Microsoft-Windows-Security-Auditing
              log.name: Security
              log.pattern: ".*failed.*"
  • Extract and expose the windows.event.logs metric
            metrics:
              # Emit a single datapoint: number of rows that matched after the awk script.
              windows.event.logs: $1

Here is the complete YAML configuration:

resources:
  prod-win-web:
    attributes:
      host.name: prod-win-web
      host.type: windows
    protocols:
      wmi:
        username: <username>
        password: <password>
        timeout: 240
    monitors:
      logs:
        simple:
          sources:
            # Columns
            # 1.RecordNumber, 2.TimeGenerated, 3.TimeWritten, 4.EventCode, 5.EventType, 6.EventIdentifier,
            # 7.SourceName, 8.InsertionStrings, 9.Message, 10.LogFile
            windowsEventLogSource:
              type: eventLog
              logName: Security
              sources: Microsoft-Windows-Security-Auditing
              maxEventsPerPoll: 20
              computes:
              - type: awk
                script: 'BEGIN {c=0} /failed./ {c++} END {print c}'
          mapping:
            # Mapping is executed on the result produced by the source (after computes are applied).
            source: ${source::windowsEventLogSource}
            attributes:
              id: Microsoft-Windows-Security-Auditing
              log.name: Security
              log.pattern: ".*failed.*"
            metrics:
              # Emit a single datapoint: number of rows that matched after the awk script.
              windows.event.logs: $1
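The following Python script is an added example, not MetricsHub code, that replays the filtering step of the configuration above on constructed Security-log rows so you can see which events the awk compute counts before deploying it. It assumes the 10-column layout documented in the source comments, that an awk compute sees one event per line joined with ";" (an assumption for this example only), and the Win32_NTLogEvent EventType encoding in which 4 is Audit Success and 5 is Audit Failure. It also shows an alternative filter on EventType, which catches failures such as event 4776 (credential validation with an error code) whose message text does not contain the word "failed", and how maxEventsPerPoll caps the count.

```python
import re

# Column layout of MetricsHub's eventLog source, as documented on this page.
COLUMNS = (
    "RecordNumber", "TimeGenerated", "TimeWritten", "EventCode", "EventType",
    "EventIdentifier", "SourceName", "InsertionStrings", "Message", "LogFile",
)
EVENT_TYPE = COLUMNS.index("EventType")

# Win32_NTLogEvent EventType values used by the Security log.
AUDIT_SUCCESS = 4
AUDIT_FAILURE = 5

SOURCE = "Microsoft-Windows-Security-Auditing"
TS = "20240301080000.000000-000"  # constructed WMI datetime, reused for every row

# Constructed sample rows (not real log data), one tuple per event in COLUMNS order.
SAMPLE_EVENTS = [
    (1001, TS, TS, 4624, AUDIT_SUCCESS, 4624, SOURCE, "svc-web",
     "An account was successfully logged on.", "Security"),
    (1002, TS, TS, 4625, AUDIT_FAILURE, 4625, SOURCE, "alice",
     "An account failed to log on.", "Security"),
    (1003, TS, TS, 4771, AUDIT_FAILURE, 4771, SOURCE, "bob",
     "Kerberos pre-authentication failed.", "Security"),
    (1004, TS, TS, 4672, AUDIT_SUCCESS, 4672, SOURCE, "SYSTEM",
     "Special privileges assigned to new logon.", "Security"),
    # 4776 with a non-zero error code is an audit failure, but its text never says "failed".
    (1005, TS, TS, 4776, AUDIT_FAILURE, 4776, SOURCE, "carol",
     "The computer attempted to validate the credentials for an account.", "Security"),
]


def rows_to_lines(rows, sep=";"):
    """Render each event as one text line, which is what an awk compute scans.
    The ';' separator is an assumption made for this example."""
    return [sep.join(str(value) for value in row) for row in rows]


def count_failed_awk(rows, pattern=r"failed.", max_events_per_poll=20):
    """Python equivalent of the page's compute:
        BEGIN {c=0} /failed./ {c++} END {print c}
    The regex is case-sensitive and, as in awk, '.' matches any character.
    Only the first max_events_per_poll rows exist in a poll, so the count is capped."""
    regex = re.compile(pattern)
    lines = rows_to_lines(rows[:max_events_per_poll])
    return sum(1 for line in lines if regex.search(line))


def count_audit_failures(rows, max_events_per_poll=20):
    """Alternative filter: count rows whose EventType is 5 (Audit Failure),
    independent of the wording of the Message column."""
    return sum(1 for row in rows[:max_events_per_poll] if row[EVENT_TYPE] == AUDIT_FAILURE)


if __name__ == "__main__":
    print("awk-style count of /failed./ :", count_failed_awk(SAMPLE_EVENTS))  # 2
    print("EventType == 5 count        :", count_audit_failures(SAMPLE_EVENTS))  # 3
    print("awk-style count, 2 per poll :",
          count_failed_awk(SAMPLE_EVENTS, max_events_per_poll=2))  # 1
```

The substring filter counts 4625 and 4771 but misses the 4776 failure, while the EventType filter counts all three; with maxEventsPerPoll lowered to 2 only the first two rows are scanned and the metric drops to 1. Translating the EventType test back into the MetricsHub awk script requires knowing the field separator MetricsHub uses for source tables, which this example does not assume, so check the product documentation for that setting before changing the compute.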
