
Windows Event Forwarding

Collect events forwarded to a Windows Event Collector via the ForwardedEvents channel.

| Platform | Metrics | Logs | Traces |
|---|---|---|---|
| Windows | | ✓ | |

Configuration Table

| Parameter | Type | Default | Description |
|---|---|---|---|
| start_at | enum | end | Whether to start reading from the beginning or the end of the channel. |
| collection_mode | enum | Streaming | Collection mode. In Streaming mode the source streams events as they arrive; in Polling mode it polls the channel for new events at a fixed interval. |
| polling_interval | float | 5 | Interval (seconds) at which the channel is checked for new log entries. |
| wait_timeout | float | 5 | Maximum time (seconds) to wait for new events before performing a safety-net poll. |
| resolve_sids.enabled | bool | false | Enable Security Identifier (SID) resolution. When enabled, SID values in event logs (for example S-1-5-18) are resolved to human-readable account names (for example NT AUTHORITY\SYSTEM). See SID Resolution below. |
| resolve_sids.cache_size | uint | 10000 | Maximum number of resolved SIDs to cache. Increase for environments with many unique accounts. |
| resolve_sids.cache_ttl | duration | 15m | How long a resolved SID entry is cached before it is looked up again. Lower values pick up account changes sooner; higher values reduce lookup calls. |
| raw_logs | bool | true | When enabled, the event XML is saved to the log body unparsed instead of being parsed into a structure. |
| event_data_format | enum | map | Format used for Event Data in the parsed log body: map or array. Only exposed when raw_logs is false. |
| suppress_rendering_info | bool | true | When enabled, the source does not attempt to resolve rendering info (message text and display names). This improves performance at the cost of losing some detail in the event. |
| include_log_record_original | bool | true | When enabled, the original log record is included in the log body. |
| ignore_channel_errors | bool | true | When enabled, a failure to open a channel logs a warning instead of shutting down the collector. Watch the collector log for that warning: with this setting a source that cannot open ForwardedEvents keeps running and simply produces no events. |
| enable_file_offset_storage | bool | true | When enabled, the current position in the channel is saved to disk, and reading resumes from that position after a collector restart. |
| offset_storage_directory | string | ${OIQ_OTEL_COLLECTOR_HOME}/storage | The directory in which the offset storage file is created. |
| enable_retry_on_failure | bool | true | Attempt to resend telemetry data that failed to be transmitted to the destination. |
| retry_on_failure_initial_interval | int | 1 | Time (seconds) to wait after the first failure before retrying. |
| retry_on_failure_max_interval | int | 30 | Upper bound (seconds) on the retry backoff interval. |
| retry_on_failure_max_elapsed_time | int | 300 | Maximum time (seconds) spent trying to send a batch, to avoid a never-ending retry loop. |
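To make the raw_logs, event_data_format and include_log_record_original options concrete, here is an added Python example (not code from this page or from the collector) that turns a constructed Windows event XML record into the two body shapes those options describe. The field names of the structured body (system, event_data, original) and the handling of unnamed Data elements are this example's own choices; the collector's actual output schema is not documented on this page.

```python
"""Added example: how raw_logs / event_data_format / include_log_record_original
change the shape of a log body, shown on a constructed event record."""
import xml.etree.ElementTree as ET

# Namespace used by every Windows event XML record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on a Security 4624 (logon) event as it would
# arrive on a collector's ForwardedEvents channel. Not a real capture.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System>"
    '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
    "<EventID>4624</EventID>"
    '<TimeCreated SystemTime="2024-05-01T10:15:30.1234567Z"/>'
    "<EventRecordID>1048576</EventRecordID>"
    "<Channel>Security</Channel>"
    "<Computer>WS01.corp.example</Computer>"
    "</System>"
    "<EventData>"
    '<Data Name="SubjectUserSid">S-1-5-18</Data>'
    '<Data Name="TargetUserSid">S-1-5-21-1004336348-1177238915-682003330-1001</Data>'
    '<Data Name="TargetUserName">alice</Data>'
    '<Data Name="LogonType">3</Data>'
    '<Data Name="IpAddress">10.0.0.7</Data>'
    "</EventData>"
    "</Event>"
)


def _text(parent, tag):
    node = parent.find(f"e:{tag}", NS)
    return node.text if node is not None else None


def event_data(root, fmt):
    """Collect <EventData><Data> entries as a map or an array."""
    entries = []
    for i, data in enumerate(root.findall("e:EventData/e:Data", NS)):
        # Some providers emit unnamed <Data> elements. The array form keeps
        # their order; the map form (this example's choice) keys them by index.
        name = data.get("Name") or f"Data{i}"
        entries.append({"name": name, "value": data.text or ""})
    if fmt == "array":
        return entries
    if fmt == "map":
        return {e["name"]: e["value"] for e in entries}
    raise ValueError(f"event_data_format must be 'map' or 'array', got {fmt!r}")


def parse_event(xml_text, raw_logs=True, event_data_format="map", include_original=True):
    """Build the log body for one record following the option semantics:
    raw_logs=True keeps the XML unparsed; otherwise EventData is rendered per
    event_data_format and the raw XML is kept only if include_original is set."""
    if raw_logs:
        return {"body": xml_text}
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    time_created = system.find("e:TimeCreated", NS)
    body = {
        "system": {
            "provider": provider.get("Name") if provider is not None else None,
            "event_id": int(_text(system, "EventID")),
            "time_created": time_created.get("SystemTime") if time_created is not None else None,
            "record_id": int(_text(system, "EventRecordID")),
            "channel": _text(system, "Channel"),
            "computer": _text(system, "Computer"),
        },
        "event_data": event_data(root, event_data_format),
    }
    if include_original:
        body["original"] = xml_text
    return body


if __name__ == "__main__":
    import json
    print(json.dumps(parse_event(SAMPLE_XML, raw_logs=False, event_data_format="array"), indent=2))
```

The map form is the convenient one for field-based detections (event_data.TargetUserName); the array form preserves order and duplicate or unnamed Data entries, which the map form cannot represent.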

SID Resolution

When SID resolution is enabled, the following Event Data fields are added to log records alongside every field whose name ends in Sid (for example SubjectUserSid or TargetUserSid):

  • {FieldName}_Resolved - Fully qualified name (e.g., NT AUTHORITY\SYSTEM)

  • {FieldName}_Domain - Domain name

  • {FieldName}_Account - Account name

  • {FieldName}_Type - Account type

Common well-known SIDs (such as SYSTEM, BUILTIN\Administrators, LOCAL SERVICE, etc.) are resolved locally without requiring network calls. All other SIDs are resolved via the Windows LSA API, which automatically contacts the domain controller for domain-joined machines.

If a SID cannot be resolved (invalid format, lookup failure), the original SID value is preserved and processing continues normally. No events are dropped. Detection logic should therefore match on the original Sid field and treat the resolved fields as optional.
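The enrichment and caching behaviour described above, as an added Python example (not the collector's code): it adds the four fields for every Event Data field ending in Sid, resolves well-known SIDs from a local table, sends everything else to a lookup function standing in for the LSA call (backed here by a constructed in-memory directory), caches successful lookups with the cache_size and cache_ttl semantics, and leaves the original value untouched when resolution fails. The page does not say whether the collector emits the _Resolved fields at all on failure; this example omits them. The Type labels follow the Windows SID_NAME_USE names (User, Group, Alias, WellKnownGroup).

```python
"""Added example: SID enrichment with a bounded, TTL-based cache and
preserve-on-failure semantics. The LSA lookup is stubbed so it runs offline."""
import re
import time
from collections import OrderedDict

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# A subset of well-known SIDs, resolved locally without any lookup call.
WELL_KNOWN = {
    "S-1-5-18": ("NT AUTHORITY", "SYSTEM", "WellKnownGroup"),
    "S-1-5-19": ("NT AUTHORITY", "LOCAL SERVICE", "WellKnownGroup"),
    "S-1-5-20": ("NT AUTHORITY", "NETWORK SERVICE", "WellKnownGroup"),
    "S-1-5-32-544": ("BUILTIN", "Administrators", "Alias"),
    "S-1-5-32-545": ("BUILTIN", "Users", "Alias"),
}

# Constructed stand-in for the domain directory the LSA call would consult.
FAKE_DIRECTORY = {
    "S-1-5-21-1004336348-1177238915-682003330-1001": ("CORP", "alice", "User"),
    "S-1-5-21-1004336348-1177238915-682003330-513": ("CORP", "Domain Users", "Group"),
    "S-1-5-21-1004336348-1177238915-682003330-500": ("CORP", "Administrator", "User"),
}


def fake_lsa_lookup(sid):
    """Stand-in for the Windows LSA lookup; raises LookupError like a failed call."""
    if sid not in FAKE_DIRECTORY:
        raise LookupError(sid)
    return FAKE_DIRECTORY[sid]


class SidResolver:
    def __init__(self, lsa_lookup, cache_size=10000, cache_ttl=15 * 60, clock=time.monotonic):
        self.lsa_lookup = lsa_lookup
        self.cache_size = cache_size      # resolve_sids.cache_size
        self.cache_ttl = cache_ttl        # resolve_sids.cache_ttl, in seconds
        self.clock = clock                # injectable so tests can advance time
        self.cache = OrderedDict()        # sid -> (expires_at, (domain, account, type))
        self.lsa_calls = 0

    def resolve(self, sid):
        """Return (domain, account, type) or None if the SID cannot be resolved."""
        if not SID_RE.match(sid):
            return None                   # invalid format: no lookup attempted
        if sid in WELL_KNOWN:
            return WELL_KNOWN[sid]        # local, no network call
        now = self.clock()
        hit = self.cache.get(sid)
        if hit is not None and hit[0] > now:
            self.cache.move_to_end(sid)   # LRU: refresh position on hit
            return hit[1]
        self.lsa_calls += 1
        try:
            result = self.lsa_lookup(sid)
        except LookupError:
            return None                   # failures are not cached (example's choice)
        self.cache[sid] = (now + self.cache_ttl, result)
        self.cache.move_to_end(sid)
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict least recently used
        return result

    def enrich(self, event_data):
        """Add {Field}_Resolved/_Domain/_Account/_Type beside each *Sid field."""
        out = dict(event_data)
        for name, value in event_data.items():
            if not name.endswith("Sid") or not isinstance(value, str):
                continue
            res = self.resolve(value)
            if res is None:
                continue                  # original SID preserved, nothing added
            domain, account, kind = res
            out[f"{name}_Resolved"] = f"{domain}\\{account}" if domain else account
            out[f"{name}_Domain"] = domain
            out[f"{name}_Account"] = account
            out[f"{name}_Type"] = kind
        return out


# Constructed Event Data from a forwarded logon event (not a real capture).
SAMPLE_EVENT_DATA = {
    "SubjectUserSid": "S-1-5-18",
    "TargetUserSid": "S-1-5-21-1004336348-1177238915-682003330-1001",
    "TargetUserName": "alice",
    "LogonType": "3",
}

if __name__ == "__main__":
    resolver = SidResolver(fake_lsa_lookup)
    for k, v in resolver.enrich(SAMPLE_EVENT_DATA).items():
        print(f"{k} = {v}")
```

Sizing note: every distinct unresolved domain SID costs one LSA call per cache_ttl, so on a collector receiving events from many hosts the number of distinct account SIDs per 15 minutes is the figure to compare against cache_size.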
