This module can be used to collect EventLog messages on Microsoft
Windows platforms. The module looks up the available EventLog sources
stored under the registry key
SYSTEM\CurrentControlSet\Services\Eventlog and polls logs from
each of these sources or only the sources defined with the
Windows Vista, Windows 2008, and later use a new EventLog API which is
not backward compatible. Messages in some events produced by sources
in this new format cannot be resolved with the old API which is used
by this module. If such an event is encountered, a
Though the majority of event messages can be read with this module even on Windows 2008/Vista and later, it is recommended to use the im_msvistalog module instead.
Strings are stored in DLL and executable files and need to be read by the module when reading EventLog messages. If a program (DLL/EXE) is already uninstalled and is not available for looking up a string, the following message will appear instead:
The description for EventID XXXX from source SOURCE cannot be found.
The im_mseventlog module accepts the following directives in addition to the common module directives.
This optional boolean directive instructs the module to only read logs which arrived after NXLog was started if the saved position could not be read (for example on first start). When SavePos is TRUE and a previously saved position value could be read, the module will resume reading from this saved position. If ReadFromLast is FALSE, the module will read all logs from the EventLog. This can result in quite a lot of messages, and is usually not the expected behavior. If this directive is not specified, it defaults to TRUE.
This boolean directive specifies that the file position should be saved when NXLog exits. The file position will be read from the cache file upon startup. The default is TRUE: the file position will be saved if this directive is not specified. Even if SavePos is enabled, it can be explicitly turned off with the global NoCache directive.
This optional directive takes a comma-separated list of EventLog filenames, such as
Security, Application, to select specific EventLog sources for reading. If this directive is not specified, then all available EventLog sources are read (as listed in the registry). This directive should not be confused with the $SourceName fielded contained within the EventLog and it is not a list of such names. The value of this is stored in the FileName field.
If this optional boolean directive is set to TRUE, all strings will be converted to UTF-8 encoding. Internally this calls the convert_fields procedure. The xm_charconv module must be loaded for the character set conversion to work. The default is TRUE, but conversion will only occur if the xm_charconv module is loaded, otherwise strings will be in the local codepage.
The following fields are used by im_mseventlog.
The username associated with the event.
The type of the account. Possible values are:
Well Known Group,
The category name resolved from CategoryNumber.
The category number, stored as Category in the EventRecord.
The domain name of the user.
The event ID of the EventRecord.
The TimeGenerated field of the EventRecord.
The TimeWritten field of the EventRecord.
The type of the event, which is a string describing the severity. Possible values are:
The logfile source of the event (for example,
The host or computer name field of the EventRecord.
The message from the event.
The number of the event record.
The normalized severity number of the event, mapped as follows.
Event Log Severity Normalized Severity
The event source which produced the event (the subsystem or application name).
This configuration collects Windows EventLog and forwards the messages to a remote host via TCP.