Configure Windows Eventlog Collection

Configure which Windows Event Channels, severity levels, and Event IDs AgentX collects from Windows endpoints.

Prerequisites

  • Template created or selected for editing

  • Understanding of Windows Event Channels and Event IDs relevant to your monitoring requirements

Procedure

  1. In the template configuration, locate Windows Eventlog Collection.

  2. Select Category to choose which Windows Event Channels to collect. To add a custom channel, select Add and enter the channel name.

  3. Select the severity Levels to collect. Levels indicate event severity or verbosity.

  4. In Event ID, enter specific Event IDs to collect. Leave empty to collect all events from the selected categories and levels.

  5. To filter Event IDs:

    • Include - Enter Event IDs to collect. Only these Event IDs will be collected from the selected channels and levels.

    • Exclude - Enter Event IDs to skip. All Event IDs except these will be collected from the selected channels and levels.

  6. Select Save to save the template configuration.

Expected outcome

AgentX Client on Windows endpoints collects only the events that match the configured channels, levels, and Event ID filters.

Verification

After assigning the template to a device and waiting for log collection to begin:

  1. Go to the Logpoint search interface.

  2. Run the following query:

Replace <your_channel> with one of your configured channels (e.g., "Security").

Verify that:

  • Events from configured channels appear

  • Event severity levels match your configuration

  • Only included Event IDs appear (if you specified includes)

  • Excluded Event IDs do not appear (if you specified excludes)

Configuration guidelines

All conditions apply together: events must match the selected Channel, Level, AND Event ID filters (include/exclude) to be collected. This allows precise control but requires careful configuration.

Leave Event ID empty for comprehensive collection: to collect all events from a channel at the specified levels, leave both Include and Exclude empty. This is the default behavior.

Limit Event ID lists for performance: keep the total number of Event IDs below 220 for optimal performance. You can include or exclude up to 400 Event IDs each (800 total), but larger lists impact performance.

Use Exclude for broad collection with exceptions: to collect most events but skip specific noisy Event IDs, leave Include empty and list the Event IDs to skip in Exclude.

Use Include for focused collection: to collect only specific high-value Event IDs, list them in Include and leave Exclude empty.

Common Windows Event Channels:

  • Security - Authentication, authorization, and security audit events

  • System - System component events, driver loads, and service state changes

  • Application - Application-specific events

  • Microsoft-Windows-Sysmon/Operational - Sysmon events (if Sysmon is installed)

  • Microsoft-Windows-PowerShell/Operational - PowerShell execution events

Common Event ID examples:

  • 4624 - Successful logon

  • 4625 - Failed logon

  • 4688 - Process creation

  • 4720 - User account created

  • 7045 - Service installed

Example configurations

Collect all Security events at all levels:

  • Category: Security

  • Levels: All selected

  • Include: (empty)

  • Exclude: (empty)

Collect only logon events (successful and failed):

  • Category: Security

  • Levels: All selected

  • Include: 4624,4625

  • Exclude: (empty)

Collect all Security events except verbose Audit Success:

  • Category: Security

  • Levels: Critical, Error, Warning, Information

  • Include: (empty)

  • Exclude: (empty)
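The following Python script is an added example, not AgentX or Logpoint code. It models the filter semantics from the configuration guidelines (channel AND level AND include/exclude must all match) and encodes the three example configurations above as policy objects, then runs them over a small constructed set of events. The EventlogPolicy class, the level names, the sample events and the validate() checks are assumptions made for the example; the 400-per-list and 220-total limits are the figures quoted in the guidelines.

```python
from dataclasses import dataclass, field

# Limits quoted in the configuration guidelines above.
MAX_IDS_PER_LIST = 400        # per Include or Exclude list
RECOMMENDED_TOTAL_IDS = 220   # Include + Exclude combined


def parse_id_list(text: str) -> set[int]:
    """Parse the comma-separated Event ID field, e.g. "4624,4625". Empty means no filter."""
    return {int(part) for part in text.split(",") if part.strip()}


@dataclass
class EventlogPolicy:
    """One template's Windows Eventlog Collection settings (a model, not the AgentX object)."""
    channels: set[str]
    levels: set[str]
    include: set[int] = field(default_factory=set)
    exclude: set[int] = field(default_factory=set)

    def validate(self) -> list[str]:
        """Checks worth running before Save: list limits and contradictory Event IDs."""
        problems = []
        for name, ids in (("Include", self.include), ("Exclude", self.exclude)):
            if len(ids) > MAX_IDS_PER_LIST:
                problems.append(f"{name} holds {len(ids)} Event IDs; the limit is {MAX_IDS_PER_LIST}")
        total = len(self.include) + len(self.exclude)
        if total > RECOMMENDED_TOTAL_IDS:
            problems.append(f"{total} Event IDs in total; keep below {RECOMMENDED_TOTAL_IDS} for performance")
        both = self.include & self.exclude
        if both:
            problems.append(f"Event IDs listed in both Include and Exclude are never collected: {sorted(both)}")
        return problems

    def collects(self, channel: str, level: str, event_id: int) -> bool:
        """All conditions apply together: channel AND level AND Event ID filters."""
        if channel not in self.channels:
            return False
        if level not in self.levels:
            return False
        if self.include and event_id not in self.include:   # empty Include = no restriction
            return False
        if event_id in self.exclude:
            return False
        return True


# Assumed level names as they might appear in the Levels selector.
ALL_LEVELS = {"Critical", "Error", "Warning", "Information", "Verbose",
              "Audit Success", "Audit Failure"}

# Constructed sample events as (channel, level, event_id); not captured from a real host.
SAMPLE_EVENTS = [
    ("Security", "Audit Success", 4624),   # successful logon
    ("Security", "Audit Failure", 4625),   # failed logon
    ("Security", "Audit Success", 4688),   # process creation
    ("Security", "Audit Success", 4720),   # user account created
    ("System", "Information", 7045),       # service installed
    ("Microsoft-Windows-PowerShell/Operational", "Information", 4104),  # script block logging
]


def example_configurations() -> dict[str, EventlogPolicy]:
    """The three example configurations from this page, expressed as policies."""
    return {
        "all_security": EventlogPolicy({"Security"}, set(ALL_LEVELS)),
        "logons_only": EventlogPolicy({"Security"}, set(ALL_LEVELS),
                                      include=parse_id_list("4624,4625")),
        "no_audit_success": EventlogPolicy({"Security"},
                                           {"Critical", "Error", "Warning", "Information"}),
    }


def apply_policy(policy: EventlogPolicy, events=SAMPLE_EVENTS) -> list[int]:
    """Return the Event IDs the agent would forward, in arrival order."""
    return [eid for channel, level, eid in events if policy.collects(channel, level, eid)]


if __name__ == "__main__":
    for name, policy in example_configurations().items():
        print(f"{name}: collected {apply_policy(policy)} problems={policy.validate()}")
    # An over-broad Include list plus an overlapping Exclude entry trips validate().
    noisy = EventlogPolicy({"Security"}, set(ALL_LEVELS),
                           include=set(range(4600, 4900)), exclude={4624})
    print(noisy.validate())
```

Running the script shows the first configuration forwarding all four Security sample events, the second only 4624 and 4625, and the third nothing from the sample set: with the level names assumed here, every constructed Security event carries an audit level, which is exactly the kind of mismatch the verification query in the section above is meant to surface before a template is rolled out widely.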
