37. Microsoft Windows

NXLog can collect various types of system logs on the Windows platform. For deployment details, see the supported Windows platforms and Windows installation. Notes are also available about hardening and monitoring NXLog on Windows.

Custom Programs

The im_exec module allows log data to be collected from custom external programs.

DHCP Monitoring

DHCP logging can be set up for Windows DHCP Server using the im_file module to read DHCP audit logs directly from CSV files. Alternatively, the im_msvistalog module can be used to collect DHCP Server or Client event logs from the built-in channels in Windows Event Log.

DNS Monitoring

DNS logging can be set up for Windows DNS Server, using either ETW tracing or debug logging.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity Monitoring on Windows.

Log Databases

Events can be read from databases with the im_odbc module. Some products write logs into SQL Server databases; see the Microsoft System Center Operations Manager section for an example.

Log Files

The im_file module can be used to collect events from log files.

Microsoft Active Directory Domain Controller

Troubleshoot Active Directory domain controllers by integrating DCs as log sources.

Microsoft Exchange

Logs generated by Microsoft Exchange can be used as a source for log collection with many log types supported.

Microsoft IIS

IIS can be configured to write logs in W3C format, which can be read with im_file and parsed with xm_w3c or xm_csv. Other formats can be parsed with other methods; see Microsoft IIS.

Microsoft .NET applications

Capture logs directly from Microsoft .NET applications using third-party utilities.

Microsoft SharePoint

Collect the many different types of logs generated by Microsoft SharePoint, parse the ULS logs into another format, and send them.

Microsoft SQL Server

Log messages can be collected from the Microsoft SQL Server error log files with the im_file module. See Microsoft SQL Server.

Microsoft System Center Operations Manager (SCOM)

Logs recorded in Microsoft System Center Operations Manager databases can be collected with the im_odbc module.

Registry Monitoring

The Windows Registry can be monitored for changes; see the im_regmon module. For an example ruleset, see the regmon-rules add-on.


Windows EventLog data can be converted to Snare format if necessary for a third-party integration.


Many additional audit events can be generated with the Sysmon utility, including process creation, system driver loading, network connections, and modification of file creation timestamps. These events are written to the EventLog. See the Sysmon section for more information.

Windows AppLocker

Collecting event logs from Windows AppLocker is supported by using the im_msvistalog or the other Windows Event Log modules.

Windows Event Tracing (ETW)

Events logged through ETW can be collected with the im_etw module. This includes events logged to the Analytical and Debug logs.

Windows EventLog

See the Windows Event Log section, which covers both local and remote event collection with the im_msvistalog, im_wseventing, im_mseventlog, and im_wmi modules.

Windows Firewall

Windows Firewall logs can be collected with the im_file module from the Advanced Security log. In addition, the im_msvistalog module can be used to collect Windows Firewall events from Windows Event Log.

Windows Management Instrumentation (WMI)

WMI event logs can be read directly from Windows Event Log by using the im_msvistalog module. In addition, WMI events can also be collected via ETW directly using the im_etw module. Reading WMI log files utilizing the im_file module is also supported.

Windows Performance Counters

The im_winperfcount module can be used for collecting data such as CPU and memory usage.

Windows PowerShell

PowerShell scripts can be integrated for log processing tasks and configuration generation (for example, Azure SQL Database); see Using PowerShell Scripts. It is also possible to collect PowerShell activity logs.