# Windows Events

Platforms: Windows ✓

## Configuration Table
| Parameter | Type | Default | Description |
|---|---|---|---|
| query_mode | enum | Channels | Querying mode to use. Valid values are `Channels` and `XML`. When set to `Channels`, choose from a list of preconfigured channels to collect from. When set to `XML`, specify channels and event filtering using an XML QueryList to target specific events. |
| system_event_input | bool | true | Enable the System event channel. |
| app_event_input | bool | true | Enable the Application event channel. |
| security_event_input | bool | true | Enable the Security event channel. |
| forwarded_events_input | bool | false | Enable the ForwardedEvents channel. |
| powershell_event_input | bool | false | Enable the Windows PowerShell event channel. |
| sysmon_input_channel | bool | false | Enable the Microsoft-Windows-Sysmon/Operational channel. |
| dns_server_event_input | bool | false | Enable the Microsoft-Windows-DNSServer/Operational channel. |
| mssql_event_input | bool | false | Collect Microsoft SQL Server events from the Application channel. Captures events from the Database Engine, SQL Agent, Analysis Services, Reporting Services, Integration Services, and Full-Text Filter Daemon for the configured instances. |
| mssql_instance_name | strings | MSSQLSERVER | The SQL Server instance names to collect events from. |
| custom_channels | strings | | Custom channels to read events from. |
| query | xml | | XML QueryList used to filter the events being processed. |
| start_at | enum | end | Whether to start reading from the beginning or the end of the channel. |
| collection_mode | enum | Streaming | Collection mode to use. When set to `Streaming`, the source streams events as they arrive. When set to `Polling`, the source polls for new events at a fixed interval. |
| polling_interval | float | 5 | The interval (seconds) at which the channel is checked for new log entries. |
| wait_timeout | float | 5 | Maximum duration (seconds) to wait for new events before performing a safety-net poll. |
| raw_logs | bool | true | When enabled, the event XML is not parsed into a structured body but is saved as-is in the log body. |
| event_data_format | enum | map | Format used to express Event Data in the parsed log body. Options are `map` and `array`. Only exposed when raw_logs is false. |
| suppress_rendering_info | bool | true | When enabled, the source does not attempt to resolve rendering info. This improves performance at the cost of losing some details in the event log. |
| include_log_record_original | bool | true | When enabled, the original log record is included in the log body. |
| ignore_channel_errors | bool | true | When enabled, a failure to open a channel logs a warning instead of shutting down the collector. |
| enable_file_offset_storage | bool | true | When enabled, the current read position in the Windows event channels is saved to disk, and reading resumes from where it left off after a collector restart. |
| offset_storage_directory | string | `${OIQ_OTEL_COLLECTOR_HOME}/storage` | The directory in which the offset storage file is created. |
| enable_retry_on_failure | bool | true | Attempt to resend telemetry data that failed to be transmitted to the destination. |
| retry_on_failure_initial_interval | int | 1 | Time (in seconds) to wait after the first failure before retrying. |
| retry_on_failure_max_interval | int | 30 | The upper bound (in seconds) on the backoff interval. |
| retry_on_failure_max_elapsed_time | int | 300 | The maximum time (in seconds) spent trying to send a batch; prevents a never-ending retry loop. |
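The `query` field takes a standard Windows Event Log XML QueryList. The following is an added example, not a query shipped with this source or with the collector, showing a QueryList that selects logon, privilege-assignment and process-creation events from the Security channel, suppresses service logons, and adds Sysmon process-creation and network-connection events, then validates it with `Get-WinEvent -FilterXml` before it is pasted into `query` with `query_mode` set to `XML`. The event IDs are the standard Windows Security and Sysmon IDs; the `Test-QueryList` helper name is an assumption for this example.

```powershell
# Added example: validate an XML QueryList on the host before putting it in the
# source's `query` field (query_mode = XML). Test-QueryList is a hypothetical
# helper name; it is not part of the collector.
$queryList = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- 4624/4625 logon success/failure, 4672 special privileges assigned, 4688 process creation -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]</Select>
    <!-- drop service logons (LogonType 5), which are usually high volume and low value -->
    <Suppress Path="Security">*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='5']]</Suppress>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
    <!-- Sysmon 1 = process create, 3 = network connection -->
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1 or EventID=3)]]</Select>
  </Query>
</QueryList>
'@

function Test-QueryList {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [int]$MaxEvents = 10
    )
    # Reject malformed XML up front; the error from Get-WinEvent is less clear.
    try { $null = [xml]$Xml } catch { throw "QueryList is not well-formed XML: $($_.Exception.Message)" }

    # Get-WinEvent evaluates the same QueryList the Event Log service will use,
    # so a syntax error in the XPath or a missing channel (e.g. Sysmon not
    # installed) surfaces here as a terminating error.
    try {
        Get-WinEvent -FilterXml $Xml -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, LogName, Id, ProviderName
    } catch {
        # "No events were found" means the query parsed and ran but matched nothing.
        if ($_.Exception.Message -like '*No events were found*') {
            Write-Warning 'QueryList is valid but matched no events on this host.'
        } else {
            throw
        }
    }
}

Test-QueryList -Xml $queryList
```

Run this from an elevated PowerShell session, since reading the Security channel requires administrative rights. Each `<Query>` carries its own `Path`, so one QueryList can cover several channels; a `<Suppress>` applies only to events already matched by a `<Select>` in the same query.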
## SID Resolution Options

| Parameter | Type | Default | Description |
|---|---|---|---|
| resolve_sids.enabled | bool | false | Enable Security Identifier (SID) resolution. When enabled, SID values in event logs (e.g., S-1-5-18) are resolved to human-readable account names (e.g., NT AUTHORITY\SYSTEM). |
| resolve_sids.cache_size | uint | 10000 | Maximum number of resolved SIDs to cache. Increase for environments with many unique accounts. |
| resolve_sids.cache_ttl | duration | 15m | How long resolved SID entries are cached before re-lookup. Lower values detect account changes faster; higher values reduce API calls. |
When SID resolution is enabled, the following Event Data fields are added to log records, alongside any field whose name ends in `Sid` (such as `SubjectUserSid` or `TargetUserSid`):

- `{FieldName}_Resolved` - fully qualified name (e.g., NT AUTHORITY\SYSTEM)
- `{FieldName}_Domain` - domain name
- `{FieldName}_Account` - account name
- `{FieldName}_Type` - account type
Common well-known SIDs (such as SYSTEM, BUILTIN\Administrators, LOCAL SERVICE, etc.) are resolved locally without requiring network calls. All other SIDs are resolved via the Windows LSA API, which automatically contacts the domain controller for domain-joined machines.
If a SID cannot be resolved (invalid format, lookup failure), the original SID value is preserved, and processing continues normally. No events are dropped.
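To check on a given host what a SID seen in an event will resolve to, and to see the preserve-on-failure behaviour described above, the following added example (not the collector's code) performs the same LSA-backed lookup through .NET and splits the result into the resolved, domain and account parts. `Resolve-EventSid` is a hypothetical helper name, and the unresolvable domain SID in the sample input is constructed.

```powershell
# Added example: resolve a SID the way the source's resolve_sids option does,
# keeping the original value when resolution fails. Resolve-EventSid is a
# hypothetical helper and is not part of the collector.
function Resolve-EventSid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        # Constructor throws on an invalid SID string.
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Translate() calls LSA; on a domain-joined host the DC is consulted for
        # domain SIDs, while well-known SIDs are answered locally.
        $full = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Invalid format or lookup failure: keep the SID, add no resolved fields.
        return [pscustomobject]@{ Sid = $Sid; Resolved = $null; Domain = $null; Account = $null; Error = $_.Exception.Message }
    }
    # Well-known groups such as 'Everyone' come back without a domain part.
    $parts = $full -split '\\', 2
    [pscustomobject]@{
        Sid      = $Sid
        Resolved = $full                                               # {FieldName}_Resolved
        Domain   = if ($parts.Count -eq 2) { $parts[0] } else { '' }   # {FieldName}_Domain
        Account  = $parts[-1]                                          # {FieldName}_Account
        Error    = $null
    }
}

# Sample input (constructed): two well-known SIDs, a group without a domain part,
# a domain SID that exists nowhere, and a string that is not a SID at all.
'S-1-5-18', 'S-1-5-32-544', 'S-1-1-0', 'S-1-5-21-0-0-0-9999', 'not-a-sid' |
    ForEach-Object { Resolve-EventSid -Sid $_ } |
    Format-Table Sid, Resolved, Domain, Account, Error -AutoSize
```

The `_Type` field is not reproduced here because the .NET `NTAccount` translation does not expose the account type that the native lookup returns. On a domain-joined host the fourth sample SID forces a round trip to the domain controller before failing, which is the kind of lookup the `resolve_sids.cache_ttl` setting is meant to amortise.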
## Custom Channels

To find the value for a custom channel name, run the following command on the Windows Server:

```powershell
Get-WinEvent -ListLog *
```
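On a typical server that command lists several hundred channels. The following added example, not part of the original page, narrows the listing to channels matching a name pattern that currently hold records, so the exact `LogName` string can be copied into `custom_channels`. `Find-EventChannel` is a hypothetical helper name.

```powershell
# Added example: find candidate channels for custom_channels by name pattern.
# Find-EventChannel is a hypothetical helper name, not part of the collector.
function Find-EventChannel {
    param([string]$Pattern = '*')
    # Some channels cannot be opened from a non-elevated shell; skip those quietly.
    Get-WinEvent -ListLog $Pattern -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Sort-Object RecordCount -Descending |
        Select-Object LogName, IsEnabled, LogMode, RecordCount
}

# Example: locate the Task Scheduler operational channel.
Find-EventChannel -Pattern '*TaskScheduler*'
```

Use the `LogName` value verbatim; channel names are case-insensitive but must otherwise match exactly. Analytic and Debug channels are disabled by default (`IsEnabled` is false) and contain no records until they are enabled, so they will not appear in this filtered list until that is done.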