# Windows Events

| Platform | Metrics | Logs | Traces |
| -------- | ------- | ---- | ------ |
| Windows  |         | ✓    |        |

### **Prerequisites for Remote Configuration**

**Supported Versions:**

* Windows Vista or later

**Minimum Setup Requirements:**

* **User Permissions:**
  * The user must be a member of the `Event Log Readers` group.
  * The user must have DCOM and WMI permissions for remote access.
* **Firewall Configuration:**
  * Ensure the firewall rules allow the necessary ports: TCP 135, 445, and dynamic RPC ports (49152-65535).
* **Windows Firewall Exception:**
  * Enable the "Remote Event Log Management" exception on the remote machine.

### **Configuration Table**

**Windows Event Log Receiver**

| Parameter | Type | Default | Description |
| --------- | ---- | ------- | ----------- |
| system_event_input | bool | true | Enable the System event channel. |
| app_event_input | bool | true | Enable the Application event channel. |
| security_event_input | bool | true | Enable the Security event channel. |
| suppress_rendering_info | bool | false | When enabled, the source does not attempt to resolve rendering info. This can improve performance, at the cost of losing some details in the event log. |
| custom_channels | strings | | Custom channels to read events from. |

**Remote Configuration Options**

| Parameter | Type | Default | Description |
| --------- | ---- | ------- | ----------- |
| remote.server | string | | The server to connect to for remote event logs. |
| remote.username | string | | The username to authenticate with the server. |
| remote.password | string | | The password to authenticate with the server. |
| remote.domain | string | | The domain of the server (optional). |

**SID Resolution Options**

| Parameter | Type | Default | Description |
| --------- | ---- | ------- | ----------- |
| resolve_sids.enabled | bool | false | Enable Security Identifier (SID) resolution. When enabled, SID values in event logs (e.g., S-1-5-18) are resolved to human-readable account names (e.g., NT AUTHORITY\SYSTEM). |
| resolve_sids.cache_size | uint | 10000 | Maximum number of resolved SIDs to cache. Increase for environments with many unique accounts. |
| resolve_sids.cache_ttl | duration | 15m | How long resolved SID entries are cached before re-lookup. Lower values detect account changes faster; higher values reduce API calls. |

When SID resolution is enabled, the following fields are added to the Event data of each log record, alongside every field whose name ends in Sid (such as SubjectUserSid or TargetUserSid), where {FieldName} is the name of that original field:

* {FieldName}\_Resolved - Fully qualified name (e.g., NT AUTHORITY\SYSTEM)
* {FieldName}\_Domain - Domain name
* {FieldName}\_Account - Account name
* {FieldName}\_Type - Account type

Common well-known SIDs (such as SYSTEM, BUILTIN\Administrators, LOCAL SERVICE, etc.) are resolved locally without requiring network calls. All other SIDs are resolved via the Windows LSA API, which automatically contacts the domain controller for domain-joined machines.

If a SID cannot be resolved (invalid format, lookup failure), the original SID value is preserved, and processing continues normally. No events are dropped.
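
The resolution behaviour described above (well-known SIDs answered from a local table, everything else looked up and cached subject to `cache_size` and `cache_ttl`, the raw SID preserved and the event kept when a lookup fails), as an added Go example that is not code from this page or from the Bindplane receiver. The `Resolver`, `resolvedSID`, `sampleLookup` and `sampleEvent` names, the in-memory directory and the event data are constructed for the example; a pluggable lookup function stands in for the Windows LSA call, the flush-when-full eviction is a simplification, and the account-type strings are illustrative rather than the exact names the Windows API returns.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// resolvedSID holds the values derived for one SID; Type strings are illustrative, not Windows API names.
type resolvedSID struct{ Domain, Account, Type string }
// wellKnown is a constructed subset of the well-known SIDs answered locally (no LSA call, no cache entry).
var wellKnown = map[string]resolvedSID{
	"S-1-5-18":     {"NT AUTHORITY", "SYSTEM", "WellKnownGroup"},
	"S-1-5-32-544": {"BUILTIN", "Administrators", "Alias"},
}

// sidPattern is a simplified syntactic check: S-1-<authority>-<sub>[-<sub>...].
var sidPattern = regexp.MustCompile(`^S-1-\d+(-\d+)+$`)
type cacheEntry struct{ value resolvedSID; expires time.Time }

// Resolver models resolve_sids.cache_size / cache_ttl over a pluggable lookup standing in for the LSA call.
type Resolver struct {
	cacheSize int
	cacheTTL  time.Duration
	lookup    func(sid string) (resolvedSID, error)
	cache     map[string]cacheEntry
	APICalls  int // how many times the (simulated) LSA lookup was invoked
}

func NewResolver(size int, ttl time.Duration, lookup func(string) (resolvedSID, error)) *Resolver {
	return &Resolver{cacheSize: size, cacheTTL: ttl, lookup: lookup, cache: map[string]cacheEntry{}}
}

// Resolve returns false for a malformed SID or a failed lookup; the caller keeps the raw SID and continues.
func (r *Resolver) Resolve(sid string) (resolvedSID, bool) {
	if wk, ok := wellKnown[sid]; ok {
		return wk, true
	}
	if !sidPattern.MatchString(sid) {
		return resolvedSID{}, false
	}
	if e, ok := r.cache[sid]; ok && time.Now().Before(e.expires) {
		return e.value, true
	}
	r.APICalls++
	v, err := r.lookup(sid)
	if err != nil {
		return resolvedSID{}, false // failures are not cached, so a later event retries
	}
	if _, cached := r.cache[sid]; !cached && len(r.cache) >= r.cacheSize {
		r.cache = map[string]cacheEntry{} // full: flush everything (simplified eviction policy)
	}
	r.cache[sid] = cacheEntry{value: v, expires: time.Now().Add(r.cacheTTL)}
	return v, true
}

// EnrichEvent copies the Event data and adds {Field}_Resolved/_Domain/_Account/_Type beside every *Sid field.
func (r *Resolver) EnrichEvent(fields map[string]string) map[string]string {
	out := make(map[string]string, len(fields)*5)
	for k, raw := range fields {
		out[k] = raw // the original SID value is always preserved
		if strings.HasSuffix(k, "Sid") {
			if v, ok := r.Resolve(raw); ok {
				out[k+"_Resolved"] = v.Domain + `\` + v.Account // e.g. NT AUTHORITY\SYSTEM
				out[k+"_Domain"], out[k+"_Account"], out[k+"_Type"] = v.Domain, v.Account, v.Type
			}
		}
	}
	return out
}

// sampleLookup is a constructed stand-in for the LSA / domain controller lookup.
func sampleLookup(sid string) (resolvedSID, error) {
	directory := map[string]resolvedSID{
		"S-1-5-21-1111111111-2222222222-3333333333-1105": {"CORP", "jdoe", "User"},
		"S-1-5-21-1111111111-2222222222-3333333333-512":  {"CORP", "Domain Admins", "Group"},
	}
	if v, ok := directory[sid]; ok {
		return v, nil
	}
	return resolvedSID{}, fmt.Errorf("no account for %s", sid)
}

// sampleEvent is the Event data of a constructed logon event, not real log output.
func sampleEvent() map[string]string {
	return map[string]string{
		"EventID":        "4624",
		"SubjectUserSid": "S-1-5-18",
		"TargetUserSid":  "S-1-5-21-1111111111-2222222222-3333333333-1105",
		"OrphanSid":      "S-1-5-21-1111111111-2222222222-3333333333-9999", // well-formed, unknown account
		"BogusSid":       "not-a-sid",                                      // fails the format check
	}
}

func main() {
	r := NewResolver(10000, 15*time.Minute, sampleLookup)
	fmt.Println(r.EnrichEvent(sampleEvent()), "lookup calls:", r.APICalls) // 2 calls: jdoe found, orphan failed
}
```

Running it with `go run` prints the enriched event: the well-known SID and the domain user gain the four extra fields, while `OrphanSid` and `BogusSid` keep only their raw value and the record is still emitted. Two lookups are counted because the well-known SID never reaches the simulated LSA call; running `EnrichEvent` again within the TTL adds only one more, for the orphan that is retried because failures are not cached.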

### Custom Channels

To find the log name to use for a custom channel, run the following command on the Windows server; it lists every event log channel on the machine, and the `LogName` column is the value to supply:

```powershell
Get-WinEvent -ListLog *
```

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.bindplane.com/integrations/sources/windows-events.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
