Windows Event logs
The agent monitors the Windows Security event log to provide visibility into authentication attempts, process creation, and other security-relevant system events. This enables real-time auditing of user activity and helps detect potential security threats on Windows hosts. Note that the Security log contains only what the local audit policy tells Windows to record: logon events are audited by default, but process creation events (4688) appear only if the Audit Process Creation subcategory is enabled, and the process command line is included only when the separate "Include command line in process creation events" policy is also turned on.
Setup
Windows Event monitoring is enabled by default on supported Windows systems. At startup the agent enables SeSecurityPrivilege (the "Manage auditing and security log" user right) in its own token so that it can read the Security channel. Enabling a privilege does not grant it: the account the agent runs under must already hold that right, as LocalSystem and members of Administrators do by default. The agent also stores a bookmark in the Windows Registry, so after a restart collection resumes from the last event it had read rather than re-sending or skipping events.
Expected log format
The collector reads events directly from the Windows Event Log service through the Windows Event Log API (wevtapi.dll). Each event is rendered as XML and transformed into a human-readable message plus structured metadata. No manual log formatting is required.
Configuration
Security event collection is enabled by default. The agent subscribes to the Security channel and streams new events to your dashboard. No additional configuration is required.
Logs
The agent extracts key security fields and humanizes raw event IDs into descriptive messages:
Labels
| Label | Description | Example / Values |
|---|---|---|
| EventId | The unique identifier for the event type. | 4624 (Logon), 4688 (Process Creation) |
| AccountName | The user account associated with the event. | SYSTEM, Administrator, jdoe |
| ProcessName | The application or service that triggered the event. | lsass.exe, cmd.exe |
| source | Identifies the origin collector. | winevent |
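To make the transformation described under "Expected log format" concrete, here is an added example (not the agent's own code) that parses the XML a Security-channel event is rendered as and derives the labels listed above. The two events it parses are constructed samples in the standard Windows event schema, trimmed to the fields that matter; the `KNOWN_EVENTS` table, the choice of which `Data` element feeds `AccountName` and `ProcessName` for each event ID, and the `Message` wording are this example's assumptions, not the agent's mapping. It also shows the caveat from the overview: a 4688 event carries an empty `CommandLine` when command-line auditing is off.

```python
"""Parse rendered Windows Security event XML into structured labels.

Added example, not the agent's code. The XML shape is the standard
http://schemas.microsoft.com/win/2004/08/events/event schema that the
Windows Event Log API renders; the sample events below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event ID -> (description, Data element naming the account,
#              Data element naming the process). Assumed mapping for this
# example; 4624 reports the logged-on user in TargetUserName and the logon
# process (e.g. lsass.exe) in ProcessName, 4688 reports the creating user
# in SubjectUserName and the new image in NewProcessName.
KNOWN_EVENTS = {
    4624: ("Logon", "TargetUserName", "ProcessName"),
    4625: ("Logon failed", "TargetUserName", "ProcessName"),
    4688: ("Process Creation", "SubjectUserName", "NewProcessName"),
}

# Logon types that matter most for triage (from the 4624 LogonType field).
LOGON_TYPES = {"2": "Interactive", "3": "Network", "5": "Service",
               "10": "RemoteInteractive"}


def parse_security_event(xml_text: str) -> dict:
    """Return EventId, AccountName, ProcessName, source and a humanized
    Message for one rendered Security event. Unknown event IDs fall back
    to a generic description instead of failing."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    time_created = system.find("e:TimeCreated", NS).get("SystemTime")
    computer = system.findtext("e:Computer", namespaces=NS)

    # EventData is a flat list of <Data Name="..."> elements; index by Name.
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}

    description, account_field, process_field = KNOWN_EVENTS.get(
        event_id, (f"Security event {event_id}", "SubjectUserName", "ProcessName"))

    account = data.get(account_field, "-")
    # TargetUserName pairs with TargetDomainName, SubjectUserName with SubjectDomainName.
    domain = data.get(account_field.replace("UserName", "DomainName"), "")
    process = data.get(process_field, "-")

    message = f"{description}: {domain}\\{account}" if domain else f"{description}: {account}"
    if event_id == 4624 and "LogonType" in data:
        lt = data["LogonType"]
        message += f" ({LOGON_TYPES.get(lt, 'LogonType ' + lt)})"
    if event_id == 4688:
        # CommandLine is present but empty unless "Include command line in
        # process creation events" is enabled; say so instead of emitting "".
        cmd = data.get("CommandLine", "")
        message += f" -> {process}" + (f" {cmd}" if cmd else " (command line not audited)")

    return {
        "EventId": event_id,
        "AccountName": account,
        "ProcessName": process.rsplit("\\", 1)[-1],  # basename, e.g. cmd.exe
        "Computer": computer,
        "TimeCreated": time_created,
        "Message": message,
        "source": "winevent",
    }


# Constructed sample: interactive logon of CORP\jdoe performed by lsass.exe.
SAMPLE_LOGON = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-05-01T08:15:30.123456700Z"/>
    <EventRecordID>10001</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>"""

# Constructed sample: cmd.exe started by jdoe with command-line auditing off.
SAMPLE_PROCESS = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2024-05-01T08:16:02.000000000Z"/>
    <EventRecordID>10002</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="NewProcessId">0x1f40</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine"></Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOGON, SAMPLE_PROCESS):
        print(parse_security_event(sample))
```

Running the block prints one dictionary per sample; the 4688 record's message ends in "(command line not audited)", which is the quickest way to notice that the host's audit policy is not capturing command lines even though process creation itself is being logged.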