| query_mode | enum | Channels | Querying mode to use. Valid values are Channels and XML. When set to Channels, choose from a list of preconfigured channels to collect from. When set to XML, specify channels and event filtering using an XML QueryList to target specific events. |
| system_event_input | bool | true | Enable the System event channel. |
| app_event_input | bool | true | Enable the Application event channel. |
| security_event_input | bool | true | Enable the Security event channel. |
| forwarded_events_input | bool | false | Enable the ForwardedEvents channel. |
| powershell_event_input | bool | false | Enable the Windows PowerShell event channel. |
| sysmon_input_channel | bool | false | Enable the Microsoft-Windows-Sysmon/Operational channel. |
| dns_server_event_input | bool | false | Enable the Microsoft-Windows-DNSServer/Operational channel. |
| mssql_event_input | bool | false | Collect Microsoft SQL Server events from the Application channel. Captures events from the Database Engine, SQL Agent, Analysis Services, Reporting Services, Integration Services, and Full-Text Filter Daemon for the configured instances. |
| mssql_instance_name | strings | MSSQLSERVER | The SQL Server instance names to collect events from. |
| custom_channels | strings | | Custom channels to read events from. |
| query | xml | | XML QueryList used to filter events being processed. |
| start_at | enum | end | Start reading logs from beginning or end. |
| collection_mode | enum | Streaming | Collection mode to use. When set to Streaming, the source streams events as they arrive. When set to Polling, the source polls for new events at a fixed interval. |
| polling_interval | float | 5 | The interval (seconds) at which the channel is checked for new log entries. |
| wait_timeout | float | 5 | Maximum duration (seconds) to wait for new events before performing a safety-net poll. |
| raw_logs | bool | true | When enabled, the XML log is not parsed into a structure but instead saved to the log body. |
| event_data_format | enum | map | Sets the format used to express Event Data in the parsed log body. Options are 'map' or 'array'. Only exposed if raw_logs is false. |
| suppress_rendering_info | bool | true | When this is enabled, the source will not attempt to resolve rendering info. This can improve performance but comes at a cost of losing some details in the event log. |
| include_log_record_original | bool | true | When enabled, the original log record is included in the log body. |
| ignore_channel_errors | bool | true | When enabled, prevents shutdown of collector when failing to open channels, and instead logs a warning. |
| enable_file_offset_storage | bool | true | When enabled, the current position in the Windows Events will be saved to disk, and reading will resume from where it left off after a collector restart. |
| offset_storage_directory | string | ${OIQ_OTEL_COLLECTOR_HOME}/storage | The directory that the offset storage file will be created in. |
| enable_retry_on_failure | bool | true | Attempt to resend telemetry data that has failed to be transmitted to the destination. |
| retry_on_failure_initial_interval | int | 1 | Time (in seconds) to wait after the first failure before retrying. |
| retry_on_failure_max_interval | int | 30 | The upper bound (in seconds) on backoff. |
| retry_on_failure_max_elapsed_time | int | 300 | The maximum amount of time (in seconds) spent trying to send a batch, used to avoid a never-ending retry loop. |