This module can be used to collect EventLog messages from Microsoft Windows platforms supporting Windows Management Instrumentation (WMI) mode. The module will poll events from all available event sources. The advantage of this module over im_mseventlog is that NXLog does not need to be installed on the machine wishing to pull logs from (it can work in agent-less mode). Note that WMI can consume a lot more system resources on the remote Windows server than using im_mseventlog. For the list of EventLog fields see this MSDN page and the fields provided by im_wmi.
|The im_wmi module is currently only available on non-Windows platforms.|
This mandatory directive specifies the IP address or a DNS hostname the module should connect to.
This mandatory directive specifies the password used for authenticating to the remote host.
This mandatory directive specifies the username used for authenticating to the remote host.
This specifies the domain used for authenticating to the remote host. The default value is
This specifies the namespace used for authenticating to the remote host. The default is
This directive specifies how frequently the module will check for new events, in seconds. If this directive is not specified it defaults to 5 seconds. Fractional seconds may be specified (
PollInterval 0.5will check twice every second).
This optional boolean directive instructs the module to only read logs which arrived after NXLog was started if the saved position could not be read (for example on first start). When SavePos is TRUE and a previously saved position value could be read, the module will resume reading from this saved position. If ReadFromLast is FALSE, the module will read all logs from the EventLog. This can result in quite a lot of messages, and is usually not the expected behavior. If this directive is not specified, it defaults to TRUE.
This boolean directive specifies that the last record number should be saved when NXLog exits. The last record number will be read from the cache file upon startup. The default is TRUE: the record number is saved if this directive is not specified. Even if SavePos is enabled, it can be explicitly turned off with the global NoCache directive.
The following fields are used by im_wmi.
The username associated with the event.
The category name (CategoryString).
The category number (Category).
The event code (EventCode).
The event ID (EventIdentifier). Note that only the EventID/SourceName pair is unique, an event ID can refer to a different event in another source.
The TimeGenerated field of the EventRecord.
The TimeWritten field of the EventRecord.
The type of the event, which is a string describing the severity (EventType). Possible values are:
The logfile source of the event (for example,
The ComputerName field of the EventRecord (ComputerName).
The message of the event (Message).
The record number of the event (RecordNumber).
The severity number of the event.
The event source which produced the event (SourceName).
This configuration uses WMI to collect Windows EventLog from the
specified Windows system. The File directive
uses an expression to specify a different output file for each user
(according to the