Edge Delta Windows Event Source

Consume traffic from agents on Windows.

  2 minute read  

Overview

The Windows Event Source node captures logs directly from Windows Event Viewer channels such as Application, System, Security, etc. This is useful for ingesting native Windows OS logs into your pipeline. The agent pulls logs directly from the selected channel(s) on the local Windows machine.

  • outgoing_data_types: log

Example Configuration

In this example, the winevent_input node collects logs from the “Application” channel:

nodes:
  - name: winevent_input_a7a8
    type: winevent_input
    user_description: Windows Event Source
    channel: Application

This enables you to collect logs that are emitted by applications running on the system.

Required Parameters

name

A descriptive name for the node. This is the name that will appear in Visual Builder and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: winevent_input

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

channel

The channel parameter specifies the Windows Event Viewer channel to collect logs from. It is a required string.

Common channels include:

  • Application
  • System
  • Security
nodes:
  - name: my_winevent_input
    type: winevent_input
    channel: "System"

If you’re unsure which channels to use, you can inspect them via Event Viewer (eventvwr.msc) on your Windows system.

source_metadata

The source_metadata parameter is used to define which detected resources and attributes to add to each data item as it is ingested by the Edge Delta agent. In the GUI you can select:

  • Required Only: This option includes the minimum required resources and attributes for Edge Delta to operate.
  • Default: This option includes the required resources and attributes plus those selected by Edge Delta
  • High: This option includes the required resources and attributes along with a larger selection of common optional fields.
  • Custom: With this option selected, you can choose which attributes and resources to include. The required fields are selected by default and can’t be unchecked.

Based on your selection in the GUI, the source_metadata YAML is populated as two dictionaries (resource_attributes and attributes) with Boolean values.

See Choose Data Item Metadata for more information on selecting metadata.