Windows Event Collector
The agent collects logs from the Windows event log system, specifically monitoring the Security channel to provide visibility into authentication and system security events.
How it works
The agent uses the winevent collector to subscribe to events on the Security channel. It captures logon attempts, process creation, and audit policy changes directly from the Windows event log service. Only events that the local audit policy actually generates are available to collect: logon auditing is enabled by default, but process creation auditing (event 4688) is typically off and must be turned on before those events exist.
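The following PowerShell is an added example, not the agent's own code. It checks that the audit subcategories behind the event classes named above are enabled, then pulls a sample from the Security channel with the same XPath-style selection a subscription would use. It must run in an elevated session (auditpol and the Security log both require it).

```powershell
# Added example (not the agent's code): confirm the Security channel is producing
# the event classes the collector subscribes to, then sample them.

# Subcategories that generate logon, process-creation and policy-change events.
# "No Auditing" for Process Creation means there are no 4688 events to collect.
$subcategories = 'Logon', 'Process Creation', 'Audit Policy Change'
foreach ($sub in $subcategories) {
    # auditpol prints a category header plus the indented subcategory line; keep the latter
    $pattern = "^\s+$([regex]::Escape($sub))\s"
    $line = (auditpol /get /subcategory:"$sub" | Select-String -Pattern $pattern).Line
    Write-Host ($line -replace '\s{2,}', ' ').Trim()
}

# XPath selection used by Event Viewer custom views and subscriptions alike:
# logon success/failure, process creation, audit policy change, last hour only.
$xpath = '*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4719) and TimeCreated[timediff(@SystemTime) <= 3600000]]]'
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read EventData by field name rather than by position: Properties[] indexes
    # differ between event IDs (index 5 is TargetUserName for 4624 but NewProcessName for 4688).
    $x = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $account = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['SubjectUserName'] }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Account = $account
        Summary = ($_.Message -split '\r?\n')[0]   # first line of the rendered message
    }
} | Format-Table -AutoSize
```

If the auditpol line for Process Creation reads "No Auditing", enable it with `auditpol /set /subcategory:"Process Creation" /success:enable` (or the equivalent Group Policy setting) before expecting 4688 events from the collector.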
Event humanization
Windows events are processed to transform the raw event XML into human-readable messages. This involves mapping event IDs to descriptive sentences and replacing internal parameter tokens (e.g., %%1832 in the ImpersonationLevel field of a logon event) with clear labels like Identification.
Key fields like EventId, AccountName, and ProcessName are preserved as structured metadata, while low-context noise and internal hex IDs are filtered out. Note that the hex logon ID is what ties a logon event to later events from the same session, so it is worth retaining wherever downstream correlation is needed.
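The following PowerShell is an added example, not the agent's implementation, showing the humanization steps on one constructed 4624 event: the event ID becomes a sentence, the %%1832 token becomes Identification, hex IDs and low-context fields are dropped, and the key fields are kept as structured metadata. The sentence table and the token table are small illustrative excerpts; the real labels come from the provider's parameter message file, and the event XML is constructed for this example.

```powershell
# Added example (not the agent's code): humanize a Security event from raw XML.

# Event ID -> descriptive sentence (titles of the corresponding Security events).
$EventSentences = @{
    4624 = 'An account was successfully logged on'
    4625 = 'An account failed to log on'
    4688 = 'A new process has been created'
    4719 = 'System audit policy was changed'
}

# %%-token -> label. Excerpt only: Windows resolves these from the provider's
# parameter message file; listed here are the impersonation-level values.
$TokenLabels = @{
    '%%1831' = 'Anonymous'
    '%%1832' = 'Identification'
    '%%1833' = 'Impersonation'
    '%%1840' = 'Delegation'
}

# Low-context fields treated as noise for the human-readable message.
$NoiseFields = 'SubjectUserSid', 'TargetUserSid', 'KeyLength', 'TransmittedServices',
               'LmPackageName', 'RestrictedAdminMode', 'VirtualAccount', 'ElevatedToken'

function ConvertTo-HumanEvent {
    param([Parameter(Mandatory)][string]$EventXml)

    $xml = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $eventId = [int]$xml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
    $fields  = [ordered]@{}

    foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $name  = $d.GetAttribute('Name')
        $value = $d.InnerText
        if ($value -eq '' -or $value -eq '-') { continue }          # empty placeholder
        if ($value -match '^0x[0-9a-f]+$') { continue }             # internal hex ID (logon/process IDs)
        if ($NoiseFields -contains $name) { continue }              # low-context noise
        if ($TokenLabels.ContainsKey($value)) { $value = $TokenLabels[$value] }  # %%1832 -> Identification
        $fields[$name] = $value
    }

    $sentence = if ($EventSentences.ContainsKey($eventId)) { $EventSentences[$eventId] } else { "Security event $eventId" }
    $detail   = ($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    $account  = if ($fields.Contains('TargetUserName')) { $fields['TargetUserName'] } else { $fields['SubjectUserName'] }

    [pscustomobject]@{
        EventId     = $eventId
        AccountName = $account
        ProcessName = $fields['ProcessName']
        Message     = "$sentence ($detail)"
        Fields      = $fields
    }
}

# Constructed sample event (not a real capture): a network logon with Identification-level impersonation.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">0x3e7c1a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="ImpersonationLevel">%%1832</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
    <Data Name="KeyLength">0</Data>
  </EventData>
</Event>
'@

$human = ConvertTo-HumanEvent -EventXml $sample
$human.Message
$human | Format-List EventId, AccountName, ProcessName
```

The hex filter is what removes TargetLogonId here; if the pipeline downstream needs to join this logon to later events from the same session, exempt the LogonId fields from that rule rather than dropping them.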
Access requirements
The agent requires the SeSecurityPrivilege (the "Manage auditing and security log" user right) to read the Security channel. In standard service installations, the agent automatically enables this privilege at runtime. Enabling only works for an account that already holds the privilege: a process can enable a privilege that is present but disabled in its token, but it cannot grant itself one it was never assigned. LocalSystem holds it by default; a dedicated service account must be assigned the user right, or alternatively be made a member of the built-in Event Log Readers group, which grants read access to the Security channel without SeSecurityPrivilege.
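The following PowerShell is an added example, not part of the agent, for checking the requirement above before deployment: which account the service runs as, whether that account is assigned SeSecurityPrivilege in local security policy, and whether the current session can actually open the Security channel. The service name is a placeholder; run it elevated.

```powershell
# Added example (not the agent's code): verify read access to the Security channel.
$ServiceName = 'MyAgent'   # placeholder: substitute the collector's Windows service name

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "service $ServiceName not found" }
Write-Host "Service account: $($svc.StartName)"   # e.g. LocalSystem, NT AUTHORITY\NetworkService, CORP\svc-agent

# 1. Who is assigned the user right? secedit exports the policy; the line lists SIDs.
#    *S-1-5-32-544 is Administrators; LocalSystem holds the privilege without being listed.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeSecurityPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg

# 2. In this session: "Disabled" is fine (the agent enables it), absent is not.
whoami /priv | Select-String -Pattern 'SeSecurityPrivilege'

# 3. End-to-end read test. Access denied here means neither the privilege nor a
#    channel ACL grant (e.g. Event Log Readers membership) applies to this identity.
try {
    Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
    Write-Host 'Security channel readable from this session'
} catch {
    Write-Warning "cannot read Security channel: $($_.Exception.Message)"
}

# Least-privilege alternative for a dedicated service account: the built-in
# Event Log Readers group has read access on the Security channel's ACL.
# Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CORP\svc-agent'   # CORP\svc-agent is a placeholder
```

Step 2 reports the privileges of the interactive user, not of the service account, so use it together with step 1; to test as the service identity itself, run the read test under that account (for example with a scheduled task configured to run as it).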