# Monitoring Windows Event Logs

Event logs are used to monitor the Windows servers in your network. They help you track the application, security, and system events occurring on Windows devices. For example, you can identify performance issues such as a process failure, or security events such as unauthorized logon attempts.

- [Monitoring Windows Events in a Device](https://www.manageengine.com/network-monitoring/help/monitor-windows-eventlogs.html#winevents_api)
- [Creating an Event Log Monitor](https://www.manageengine.com/network-monitoring/help/monitor-windows-eventlogs.html#logmonitor_api)
- [Monitoring Custom Event Logs](https://www.manageengine.com/network-monitoring/help/monitor-windows-eventlogs.html#customlogmonitor_api)
- [Configure event log monitoring for multiple devices](https://www.manageengine.com/network-monitoring/help/monitor-windows-eventlogs.html#event-log-monitor-bulk)
- [Automate event log monitor association during discovery](https://www.manageengine.com/network-monitoring/help/monitor-windows-eventlogs.html#automate-event-logs)
- [Receive notifications on events](https://www.manageengine.com/network-monitoring/help/monitor-windows-eventlogs.html#event-log-notifications)

## How to monitor event logs in a device

A Windows machine has a built-in Event Viewer that lets you view the events on that machine. Checking events manually this way is not feasible, however, when you want to monitor an enterprise network. OpManager supports event log monitoring and helps you identify critical events with the help of alerts.

**Prerequisite**: OpManager uses WMI to fetch these logs from a Windows device, so the device must be associated with credentials that are allowed to query WMI on it, which by default means an account with administrative privileges. Granting a monitoring account local administrator rights is a significant trust decision; if you want to use a non-admin account instead, see [this KB article](https://pitstop.manageengine.com/portal/en/kb/articles/how-to-configure-a-non-admin-user-for-wmi-monitoring) on configuring a non-admin user for WMI monitoring.
To monitor Windows events, you need to associate event log monitors with the device. Once the necessary permissions are in place, follow the steps given below:

- Navigate to **Inventory -> Devices** and then click on a device.
- Click **Monitors -> EventLog Monitors -> Add Monitor**.
- Select the event logs to be monitored on the device.
- Click **Associate** to add the selected monitors to the device.

![Monitoring windows event logs in OpManager: Event log monitors list](https://www.manageengine.com/network-monitoring/help/images/Event-log-for-individual-device.JPG)

**Note**: The **Monitoring Interval** checkbox must be enabled. If it is disabled, all the event log monitors associated with the device are disabled as well and will not run, even though they remain associated with the device.

## Creating an Event Log Monitor

To create an event log monitor, follow the steps given below:

1. Go to **Settings > Monitoring > Event Log Rules**. This page lists the default rules supported by OpManager. They are categorized into Applications, Security, System, DNS Server, File Replication Service, and Directory Service.

![Monitoring windows event logs in OpManager: Add new rule](https://www.manageengine.com/network-monitoring/help/images/Event-log-montior.JPG)

2. To add a new rule, click **Add**.

   **Note**: All fields except Rule Name are optional. Each field you fill in is used as a filter, and a field you leave empty does not restrict the match. For example, if you specify both a source and an event ID, all events with that ID from that source are monitored; if you specify only an event type, such as Error, all events of that type are monitored.

   - Select the **Log File Name**.
   - Type a unique **Rule Name**.
   - Enter the **Event ID** to be monitored. This is the identifier the source assigns to the event; the same number can be used by different sources, so combine it with the source where possible.
   - Enter the event **Source**. This is the component that logs the event; it can be an application or a sub-component of an application.
     For example: DesktopCentral, Microsoft Windows security.
   - Enter the event **Category**. Each event source defines its own categories (for example, data write error or data read error), and every event from that source falls under one of them.
   - Type the **User** name to filter the event logs by the user who was logged on when the event occurred.
   - Choose the **Event Types** to filter the event logs by type. This is typically one of Error, Warning, Information, Security audit success, and Security audit failure.

![Monitoring windows event logs in OpManager: Add new rules - event types](https://www.manageengine.com/network-monitoring/help/images/Event-log-montior.JPG)

   - **Description Match Text**: Enter the string to be compared with the log message. Only events whose message contains this string are matched. You can also use a **Regular Expression (RegEx)** as the match criteria for this field. For example, consider an event log description that reads "Check whether any firewall is blocking". The table below shows how to form RegEx patterns for this message:

   | Condition | Logic used | RegEx pattern | Actual RegEx |
   |---|---|---|---|
   | Contains both "Check" and "any" | AND | `(?=.*XXX)(?=.*YYY)` | `(?=.*Check)(?=.*any)` |
   | Contains either "blocking" or "firewall" | OR | `(XXX)\|(YYY)` | `(blocking)\|(firewall)` |
   | Does not contain "firewall" | NOT | `^(?!.*XXX).*$` | `^(?!.*firewall).*$` |

   The AND and NOT forms use lookaheads, so they match regardless of the order in which the words appear in the message.

   - **Generate Alarm if event is raised**: By default, OpManager raises an alarm every time the event occurs. You can instead require the event to occur a given number of consecutive times within a specified number of seconds before an alarm is raised, which suppresses alarms for one-off events such as a single mistyped password.
   - Choose a **Severity** for the alarm OpManager generates for this event. For example, you can assign Critical to security events. The available severity levels are Critical, Trouble, Attention, Clear, and Ignore event. (**The Ignore event option is used to avoid raising an alert for an event.**)

3. Click **OK** to save the event log rule.

The details such as **Source, Category** and **Event ID** are shown in the Event Viewer on your server.

![Monitoring windows event logs in OpManager: Event viewer example](https://www.manageengine.com/network-monitoring/help/images/Event-viewer.JPG)

The image above shows an example of a security event. Take the necessary details from the Event Viewer, enter them in OpManager, and the event is monitored.

## Monitoring custom event logs

You can also monitor event logs under a custom category. Some applications write their events to a log other than the default System, Application, and Security logs. You can configure rules in OpManager to parse the events in such custom logs and trigger the corresponding alerts. Here are the steps:

1. Go to **Settings > Monitoring > Event Log Rules**.
2. Click **Add Custom Event log**.
3. From the drop-down, select the device on which to query for the event log names.
4. Provide the WMI **User Name** and **Password** for the device.
5. **List logs that were created in last**: set how far back to look for logs and click **Query Device**.
6. The custom logs found on the selected device are listed. Select a log from **Discovered Log Files** and click **OK**.

![Monitoring windows event logs in OpManager: Custom event log monitoring](https://www.manageengine.com/network-monitoring/help/images/Custom-event-log-monitor.JPG)

## How to configure event log monitors for multiple devices in bulk

Associating event log monitors with multiple devices is made simple in OpManager with the **Quick Configuration Wizard** option.

- Navigate to **Settings > Configuration > Quick Configuration Wizard**.
- Click **Event log rules**.
- Select the log file (e.g., Application, Security). Choose the event you want to monitor from the **Rule** drop-down menu and associate the rule.
- Select the devices in the *All Devices* column and move them to the *Selected Devices* column.
- Click **Save**. The monitors are associated with all the selected devices in your network.

![Monitoring windows event logs in OpManager: Quick configuration wizard for event logs](https://www.manageengine.com/network-monitoring/help/images/QCQ.JPG)

## Automate event log rule association to devices

Applying event log rules to multiple devices is easier with the Quick Configuration Wizard. However, if you frequently discover new devices for monitoring, adding event log monitors to each new device by hand becomes a cumbersome task. You can automate event log rule association using the Discovery rule engine: create a rule that associates event log rules with a specific class of devices, such as Windows servers, and those event log rules are applied to matching servers whenever they are discovered in OpManager.

![Monitoring windows event logs in OpManager: Automate event log rule association to devices](https://www.manageengine.com/network-monitoring/help/images/discovery-rule-engine.JPG)

## Receive instant notifications on critical events

You can receive notifications for important Windows events through channels such as SMS and email using the Notification Profile feature. While [selecting the criteria to receive notifications](https://www.manageengine.com/network-monitoring/help/configuring-notifications.html#criteria-notifications), select the **Event Log rule generate alarms** option so that alarms raised by event log rules are delivered through the configured channels.
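The following is an added example and not OpManager's own code or a description of its internals: a small Python model of how an event log rule like the one configured under "Creating an Event Log Monitor" is evaluated against incoming events. It shows the rule form's fields acting as filters (an empty field is a wildcard), the Description Match Text patterns from the RegEx table applied with lookaheads, the Ignore event severity, and the "N consecutive occurrences within T seconds" alarm threshold. The matching semantics, the class and field names, the sample events, and the event IDs 4625 (failed logon) and 4624 (successful logon) used in the constructed data are assumptions for illustration, not taken from this page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class WinEvent:
    """One Windows event log record (fields modelled on Win32_NTLogEvent)."""
    logfile: str          # Application, Security, System, or a custom log
    source: str           # component that wrote the event
    event_id: int
    event_type: str       # Error, Warning, Information, Audit Success, Audit Failure
    user: Optional[str]
    category: Optional[str]
    description: str
    time_generated: datetime


def description_matches(pattern: str, text: str) -> bool:
    """Apply a Description Match Text pattern. re.search (not fullmatch) lets the
    lookahead-based AND/NOT patterns from the table above work as written; DOTALL
    is set because Windows event descriptions usually span several lines."""
    return re.search(pattern, text, re.DOTALL) is not None


@dataclass
class EventLogRule:
    """Fields of the Event Log Rule form. Every field except rule_name is optional;
    None acts as a wildcard and filled-in fields are ANDed (assumed semantics)."""
    rule_name: str
    logfile: str
    event_id: Optional[int] = None
    source: Optional[str] = None
    category: Optional[str] = None
    user: Optional[str] = None
    event_types: Optional[Set[str]] = None   # None = any event type
    description_regex: Optional[str] = None  # Description Match Text
    severity: str = "Attention"              # Critical/Trouble/Attention/Clear/Ignore event
    threshold_count: int = 1                 # "Generate alarm if event is raised":
    threshold_seconds: int = 0               #   alarm after N matches within T seconds

    def matches(self, ev: WinEvent) -> bool:
        return all([
            ev.logfile.lower() == self.logfile.lower(),
            self.event_id is None or ev.event_id == self.event_id,
            self.source is None or ev.source.lower() == self.source.lower(),
            self.category is None or ev.category == self.category,
            self.user is None or ev.user == self.user,
            self.event_types is None or ev.event_type in self.event_types,
            self.description_regex is None
            or description_matches(self.description_regex, ev.description),
        ])


class RuleEngine:
    """Evaluates one rule over an event stream and decides when to alarm."""

    def __init__(self, rule: EventLogRule):
        self.rule = rule
        self._hits: List[datetime] = []   # timestamps of recent matches

    def feed(self, ev: WinEvent) -> Optional[dict]:
        """Return an alarm dict if this event should raise one, else None."""
        if not self.rule.matches(ev) or self.rule.severity == "Ignore event":
            return None
        self._hits.append(ev.time_generated)
        # Keep only matches inside the sliding window; with the default
        # threshold (1 occurrence, 0 seconds) every match raises an alarm.
        window = timedelta(seconds=self.rule.threshold_seconds)
        self._hits = [t for t in self._hits if ev.time_generated - t <= window]
        if len(self._hits) >= self.rule.threshold_count:
            self._hits.clear()            # count afresh after raising an alarm
            return {"rule": self.rule.rule_name, "severity": self.rule.severity,
                    "user": ev.user, "at": ev.time_generated}
        return None


def evaluate(rule: EventLogRule, events: List[WinEvent]) -> List[dict]:
    engine = RuleEngine(rule)
    return [a for a in map(engine.feed, events) if a is not None]


# Constructed sample data (not real logs): a burst of failed logons for one
# account, a successful logon in between, and an isolated failure later on.
SEC_AUDIT = "Microsoft-Windows-Security-Auditing"
T0 = datetime(2024, 1, 15, 9, 0, 0)
FAILED = "An account failed to log on.\nFailure Reason: Unknown user name or bad password."


def _sec(event_id, event_type, user, text, offset_s):
    return WinEvent("Security", SEC_AUDIT, event_id, event_type, user, "Logon",
                    text, T0 + timedelta(seconds=offset_s))


SAMPLE_EVENTS = [
    _sec(4625, "Audit Failure", "svc-backup", FAILED, 0),
    _sec(4625, "Audit Failure", "svc-backup", FAILED, 20),
    _sec(4624, "Audit Success", "alice", "An account was successfully logged on.", 30),
    _sec(4625, "Audit Failure", "svc-backup", FAILED, 45),
    _sec(4625, "Audit Failure", "svc-backup", FAILED, 300),
]

# The rule as it would be filled in on the form: Security log, event ID 4625,
# Audit Failure only, severity Critical, alarm on 3 occurrences within 60 s.
FAILED_LOGON_RULE = EventLogRule(
    rule_name="Repeated failed logons", logfile="Security", event_id=4625,
    source=SEC_AUDIT, event_types={"Audit Failure"}, severity="Critical",
    threshold_count=3, threshold_seconds=60)
```

Calling `evaluate(FAILED_LOGON_RULE, SAMPLE_EVENTS)` yields a single Critical alarm, raised by the third failed logon inside the 60-second window; the two earlier failures and the isolated one five minutes later stay silent, which is the noise reduction the threshold setting buys when a rule watches for brute-force style logon failures. The same rule with the default threshold alarms on every one of the four failures, and with severity set to Ignore event it matches but never alarms.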