search
PricingSign inRequest a Demo

Windows Events

Platform
Metrics
Logs
Traces

Windows

hashtag
Prerequisites for Remote Configuration

Supported Versions:

  • Windows Vista or later

Minimum Setup Requirements:

  • User Permissions:

    • The user must be a member of the Event Log Readers group.

    • The user must have DCOM and WMI permissions for remote access.

  • Firewall Configuration:

    • Ensure the firewall rules allow the necessary ports: TCP 135, 445, and dynamic RPC ports (49152-65535).

  • Windows Firewall Exception:

    • Enable the "Remote Event Log Management" exception on the remote machine.

hashtag
Configuration Table

Windows Event Log Receiver

Parameter
Type
Default
Description

system_event_input

bool

true

Enable the System event channel.

app_event_input

bool

true

Enable the Application event channel.

security_event_input

bool

true

Enable the Security event channel.

suppress_rendering_info

bool

false

When this is enabled, the source will not attempt to resolve rendering info. This can improve performance but comes at a cost of losing some details in the event log.

custom_channels

strings

Custom channels to read events from.

Remote Configuration Options

Parameter
Type
Default
Description

remote.server

string

The server to connect to for remote event logs.

remote.username

string

The username to authenticate with the server.

remote.password

string

The password to authenticate with the server.

remote.domain

string

The domain of the server (optional).

SID Resolution Options

Parameter
Type
Default
Description

resolve_sids.enabled

bool

false

Enable Security Identifier (SID) resolution. When enabled, SID values in event logs (e.g., S-1-5-18) are resolved to human-readable account names (e.g., NT AUTHORITY\SYSTEM)

resolve_sids.cache_size

uint

10000

Maximum number of resolved SIDs to cache. Increase for environments with many unique accounts.

resolve_sids.cache_ttl

duration

15m

How long resolved SID entries are cached before re-lookup. Lower values detect account changes faster; higher values reduce API calls.

When SID resolution is enabled, the following Event data fields are added to log records (added alongside any field ending in Sid, such as SubjectUserSid or TargetUserSid):

  • {FieldName}_Resolved - Fully qualified name (e.g., NT AUTHORITY\SYSTEM)

  • {FieldName}_Domain - Domain name

  • {FieldName}_Account - Account name

  • {FieldName}_Type - Account type

Common well-known SIDs (such as SYSTEM, BUILTIN\Administrators, LOCAL SERVICE, etc.) are resolved locally without requiring network calls. All other SIDs are resolved via the Windows LSA API, which automatically contacts the domain controller for domain-joined machines.

If a SID cannot be resolved (invalid format, lookup failure), the original SID value is preserved, and processing continues normally. No events are dropped.

hashtag
Custom Channels

To find the value for the custom channel name you can run the following commands on the Windows Server to find the value of the custom channel log name: Get-WinEvent -ListLog *

PreviousWindows DHCPNextWindows Event Trace (ETW)

Last updated

Was this helpful?