109.35. Windows Management Instrumentation (im_wmi)

This module can be used to collect EventLog messages from Microsoft Windows platforms that support Windows Management Instrumentation (WMI). The module polls events from all available event sources. The advantage of this module over im_mseventlog is that NXLog does not need to be installed on the machine from which the logs are pulled (it works in agent-less mode). Note that WMI can consume considerably more system resources on the remote Windows server than im_mseventlog does. For the list of EventLog fields see this MSDN page and the fields provided by im_wmi.

Note
The im_wmi module is currently only available on non-Windows platforms.

109.35.1. Configuration

The im_wmi module accepts the following directives in addition to the common module directives. The Host, Password, and Username directives are required.

Host

This mandatory directive specifies the IP address or a DNS hostname the module should connect to.

Password

This mandatory directive specifies the password used for authenticating to the remote host.

Username

This mandatory directive specifies the username used for authenticating to the remote host.
Domain

This specifies the domain used for authenticating to the remote host. The default value is WORKGROUP.

Namespace

This specifies the namespace used for authenticating to the remote host. The default is root\cimv2.

PollInterval

This directive specifies how frequently the module will check for new events, in seconds. If this directive is not specified it defaults to 5 seconds. Fractional seconds may be specified (PollInterval 0.5 will check twice every second).

ReadFromLast

This optional boolean directive instructs the module to only read logs which arrived after NXLog was started if the saved position could not be read (for example on first start). When SavePos is TRUE and a previously saved position value could be read, the module will resume reading from this saved position. If ReadFromLast is FALSE, the module will read all logs from the EventLog. This can result in quite a lot of messages, and is usually not the expected behavior. If this directive is not specified, it defaults to TRUE.

SavePos

This boolean directive specifies that the last record number should be saved when NXLog exits. The last record number will be read from the cache file upon startup. The default is TRUE: the record number is saved if this directive is not specified. Even if SavePos is enabled, it can be explicitly turned off with the global NoCache directive.

109.35.2. Fields

The following fields are used by im_wmi.

$raw_event (type: string)

A string containing the $EventTime, $Hostname, $EventType, $EventID, $AccountName, and $Message from the event.

$AccountName (type: string)

The username associated with the event.

$Category (type: string)

The category name (CategoryString).

$CategoryNumber (type: integer)

The category number (Category).

$EventCode (type: integer)

The event code (EventCode).

$EventID (type: integer)

The event ID (EventIdentifier). Note that only the EventID/SourceName pair is unique; the same event ID can refer to a different event in another source.

$EventTime (type: datetime)

The TimeGenerated field of the EventRecord.

$EventTimeWritten (type: datetime)

The TimeWritten field of the EventRecord.

$EventType (type: string)

The type of the event, which is a string describing the severity (EventType). Possible values are: ERROR, AUDIT_FAILURE, AUDIT_SUCCESS, INFO, WARNING, and UNKNOWN.

$FileName (type: string)

The logfile source of the event (for example, Security or Application).

$Hostname (type: string)

The ComputerName field of the EventRecord (ComputerName).

$Message (type: string)

The message of the event (Message).

$RecordNumber (type: integer)

The record number of the event (RecordNumber).

$SeverityValue (type: integer)

The severity number of the event.

$SourceName (type: string)

The event source which produced the event (SourceName).
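
As an added illustration (not NXLog's own code) of how the field mapping above and the ReadFromLast/SavePos checkpointing described under Configuration fit together, the following Python models one polling pass over constructed WMI records. It assumes Win32_NTLogEvent-style property names (TimeGenerated, EventIdentifier, User, Logfile, and so on) and a numeric EventType mapping, neither of which this page states.

```python
from datetime import datetime, timedelta, timezone

# Assumed mapping of the WMI EventType integer to im_wmi's $EventType strings
# (not stated on this page; any other value becomes UNKNOWN).
EVENT_TYPES = {1: "ERROR", 2: "WARNING", 3: "INFO", 4: "AUDIT_SUCCESS", 5: "AUDIT_FAILURE"}

def parse_cim_datetime(value):
    """Parse a WMI CIM_DATETIME string: yyyymmddHHMMSS.ffffff+UUU (UUU = UTC offset in minutes)."""
    base = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    return base.replace(tzinfo=timezone(timedelta(minutes=int(value[21:]))))

def to_fields(rec):
    """Map one Win32_NTLogEvent-style record (assumed property names) to the im_wmi fields."""
    return {
        "EventTime": parse_cim_datetime(rec["TimeGenerated"]),
        "EventTimeWritten": parse_cim_datetime(rec["TimeWritten"]),
        "Hostname": rec["ComputerName"],
        "EventType": EVENT_TYPES.get(rec["EventType"], "UNKNOWN"),
        "EventID": rec["EventIdentifier"],
        "EventCode": rec["EventCode"],
        "AccountName": rec.get("User"),
        "Message": rec["Message"],
        "RecordNumber": rec["RecordNumber"],
        "SourceName": rec["SourceName"],
        "FileName": rec["Logfile"],
    }

def poll(records, saved_pos=None, read_from_last=True):
    """One polling pass. saved_pos is the RecordNumber restored from the SavePos cache
    (None when it could not be read, e.g. on first start). Returns (new events, position to save)."""
    records = sorted(records, key=lambda r: r["RecordNumber"])
    if saved_pos is not None:
        start = saved_pos                                       # resume from the saved position
    elif read_from_last:
        start = records[-1]["RecordNumber"] if records else 0   # skip everything already in the log
    else:
        start = 0                                               # ReadFromLast FALSE: replay the whole log
    new = [to_fields(r) for r in records if r["RecordNumber"] > start]
    return new, (new[-1]["RecordNumber"] if new else start)

def make_record(num, etype, user, msg):
    """Constructed sample record in Win32_NTLogEvent shape; not real data."""
    return {"RecordNumber": num, "EventIdentifier": 4625, "EventCode": 4625, "EventType": etype,
            "TimeGenerated": "20240105120000.000000+060", "TimeWritten": "20240105120001.000000+060",
            "ComputerName": "WS01", "SourceName": "Microsoft-Windows-Security-Auditing",
            "Logfile": "Security", "User": user, "Message": msg}

SAMPLE = [make_record(101, 4, "WORKGROUP\\alice", "logon ok"),
          make_record(102, 5, "WORKGROUP\\bob", "logon failed")]
```

On a first start with no cache, `poll(SAMPLE)` returns no events but a position of 102, so only records written afterwards are collected on later passes; with `read_from_last=False` the whole log is replayed, which is the flood the ReadFromLast description warns about.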

109.35.3. Examples

Example 574. Storing Logs From a Remote Windows System in Per-User Files

This configuration uses WMI to collect Windows EventLog messages from the specified Windows system. The File directive uses an expression to specify a different output file for each user (according to the $AccountName field).

nxlog.conf
<Input wmi>
    Module      im_wmi
    Host        192.168.1.1
    Username    Administrator
    Password    secret
    Domain      WORKGROUP
</Input>

<Output file>
    Module      om_file
    File        "/var/log/windows/" + $AccountName + ".log"
</Output>

<Route wmi_to_file>
    Path        wmi => file
</Route>