97.1. About Windows Event Log
Windows Event Log captures the details of both system and application events. When such an event occurs, Windows records it in the event log. The event log is then used to find details about the event and can be helpful when troubleshooting problems. Beside their use for IT related purposes, Windows Event Logs are also used to satisfy compliance mandates.
Unlike other event logs, such as the UNIX Syslog, Windows Event Log is not stored as a plain text file, but in a proprietary binary format. It is not possible to view Windows Event Log in a text editor, nor is it possible to send it as a Syslog event while retaining its original format. However, the raw event data can be translated into XML using the Windows Event Log API and forwarded in that format.
97.1.1. The EVTX File Format
Windows stores Windows Event Log files in the EVTX file format since the
release of Windows
Vista and Windows Server 2008. Prior to that, event log files were
stored in the EVT file format. Both are proprietary formats readable by
the Microsoft Management Console (MMC) snap-in eventvwr.msc.
The EVTX format includes many new features and enhancements: a number of new event properties, the use of channels to publish events, a new Event Viewer, a rewritten Windows Event Log service, and support for the Extensible Markup Language (XML) format. From a log processing perspective, the added support for XML is the most important addition, as it provides the possibility to share or further process the event data in a structured format.
For the built in channels, Windows automatically saves the corresponding EVTX
file into the C:\Windows\System32\winevt\Logs\ directory. Events can also be
saved manually from the Event Viewer MMC snap-in, in four different formats:
EVTX, XML, TXT, and CSV.
NXLog can directly read EVTX and EVT files using the im_msvistalog
File directive. In addition, the
CaptureEventXML directive of the same
module can be used to store and send raw XML-formatted event data in the
$EventXML field.
97.1.2. Viewing the Windows Event Log
The Windows Event Log can be viewed in the Event Viewer MMC snap-in included in Windows. Windows Event Logs are stored in a binary source data format, which is the "source" or "on-disk" format. It does not include the full message, only the event properties. When an event is rendered, property values are inserted into the localized message template stored elsewhere on disk.
The Event Viewer includes three views for displaying the data for a selected event. These are shown on the preview pane or in the Event Properties window when an event is opened.
-
The general view is shown by default. It includes the full message rendered from template and the "System" set of key/value pairs.
-
The Friendly View is available on the Details tab. It shows a hierachical view of the System properties and additional EventData properties defined by the event provider. It does not show a rendered message.
-
The XML View can be selected under the Details tab. It shows the event properties in XML format. It does not show a rendered message.
A Windows Event Log event in XML format<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4624</EventID> [...] <Channel>Security</Channel> <Computer>USER-WORKSTATION</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-18</Data> [...] </EventData> </Event>
Events can be accessed through the Event Log API (see Windows Event Log Functions on Microsoft Docs). In particular:
-
EvtQuery() fetches events from a given channel or log file that match a given query—see Querying for Events.
-
EvtFormatMessage() generates a message string for an event using the event properties and the localized message template—see Formatting Event Messages.
97.1.3. Event Channels
The EVTX format introduces event channels. A channel is a stream of events that collects events from a publisher and writes them to an event log file.
Channels are organized into two groups:
-
The Windows Logs group contains a set of exactly five channels, which are used for Windows system events.
-
The Applications and Services Logs group contains channels created for individual applications or components. These channels are further organized in a folder hierarchy.
There are two channel types indicating how the events are handled:
-
Serviced channels offer relatively low volume, reliable delivery of events. Events in these channels may be forwarded to another system, and these channels may be subscribed to.
-
Direct channels are for high-performance collection of events. It is not possible to subscribe to a a direct channel. By default, these channels are disabled. To see these channels in the Event Viewer, check Show Analytic and Debug Logs in the View menu. To enable logging for one of these channels, select the channel, open the Action menu, click Properties, and check Enable logging on the General tab.
Each of the above is subdivided into two more channel types according to the the intended audience for the events collected by that channel:
-
Administrative channels collects events for end users, administrators, and support. This is a serviced channel type.
-
Operational channels collect events used for diagnosing problems. This is a serviced channel type.
-
Analytic channels are for events that describe program operation. These channels often collect a high volume of events. This is a direct channel type.
-
Debug channels are intended to be used by developers only. This is a direct channel type.
| Channel Groups | Channels | Channel Type |
|---|---|---|
Windows Logs |
Application |
Administrative (serviced) |
Security |
Administrative (serviced) |
|
Setup |
Operational (serviced) |
|
System |
Administrative (serviced) |
|
Forwarded Events |
Operational (serviced) |
|
Applications and Services Logs |
DHCP-Server/Admin |
Administrative (serviced) |
DHCP-Server/AuditLogs |
Analytic (direct) |
|
DHCP-Server/DebugLogs |
Debug (direct) |
|
(And many more publisher-defined channels) |
||
The im_msvistalog module can be configured to collect events from a specific channel with the Channel directive.
For more information about event channels, see these two pages on Microsoft Docs: Event Logs and Event Logs and Channels in Windows Event Log.
97.1.4. Providers
Event log providers write events to event logs. An event log provider can be a service, driver, or program that runs on the computer and has the necessary instrumentation to write to the event log.
Event providers are categorized into four main types.
-
Manage Object Format (MOF) providers (also referred to as "classic")
-
Windows Software Trace Preprocessor (WPP) providers
-
Manifest-based providers
-
TraceLogging providers
For more information on providers, see the Providers section in the Microsoft Windows documentation.
97.1.5. XPath Filtering
XPath queries can be used to request and filter events, both in the Event Viewer and with the im_msvistalog QueryXML directive.
The Event Viewer offers the most practical way to write and test query strings. An XPath query can be generated and/or tested by filtering the current log or creating a custom view.
-
In the Event Viewer, right-click an event channel and select Filter Current Log from the context menu. The Filter tab of the Filter Current Log dialog box displays the options for basic filtering.
-
Specify the desired criteria. The corresponding XPath query on the XML tab will be updated automatically.
-
To view the query string, switch to the XML tab. This string can be copied into the im_msvistalog QueryXML directive.
-
If required, advanced filtering can be done by selecting the Edit query manually checkbox and editing the query. The query can then be tested to be sure it matches the correct events and finally copied to the NXLog configuration.
Figure 3. A Custom View Querying the Application Channel for Events With ID 1008