With Atatus Log Monitoring, you can monitor specific Windows Event Logs.

Component Details
Required Agent Version: 4.1.0 or later

Setup & Configuration

This module is included with the Atatus Infra agent by default; follow the steps below to enable it.

  1. Add the following line to the file C:\ProgramData\Atatus\configs\atatus.yml.

    logs_enabled: true
    
  2. Copy the Windows event logs example configuration file.

    cd "C:\ProgramData\Atatus\configs\conf.d\win_event_log.d\"
    Copy-Item win_event_log.yml.template win_event_log.yml
    
  3. Update the file C:\ProgramData\Atatus\configs\conf.d\win_event_log.d\win_event_log.yml.template with the configuration below.

    # Event Logs section
    event_logs:
    
      # - name: (mandatory) name of the Windows Event Log channel
      #   level: (optional) status type of the log (error / warn / information)
      #   event_id: (optional) filter only specific event IDs
      #   provider: (optional) filter logs by provider name
      #   include_xml: (optional) include raw XML payload. Default false
      #   ignore_missing_channel: (optional) ignore when channel doesn't exist
      #   xml_query: (optional) advanced filtering using XML XPath queries
      #   tags: (optional) custom tags for classification
    
      # -----------------------------------------------------
      # 1. Windows Application Log (default Windows log)
      # -----------------------------------------------------
      - name: Application
    
      # -----------------------------------------------------
      # 2. PowerShell Operational Log (tracks script execution)
      # -----------------------------------------------------
      - name: Microsoft-Windows-PowerShell/Operational
    
        # Capture only specific PowerShell event IDs
        event_id: [4103, 4104, 4105, 4106]
    
        # Optional provider filter
        provider: Microsoft-Windows-PowerShell
    
        # Disable XML payload unless needed
        include_xml: false
    
      # -----------------------------------------------------
      # 3. Windows System Log
      # -----------------------------------------------------
      - name: System
        ignore_missing_channel: true
    
      # -----------------------------------------------------
      # 4. Windows Security Log
      # -----------------------------------------------------
      - name: Security
        level: information
        ignore_missing_channel: true
    
      # -----------------------------------------------------
      # 5. Custom Event Channel with XML Query Example
      # -----------------------------------------------------
      - name: Custom-App/Debug
        service: custom_debug
        source: windows_eventlog
    
        xml_query: >
          <QueryList>
            <Query Id="1" Path="Custom-App/Debug">
              <Select>*[System/Level=2]</Select>
            </Query>
          </QueryList>
    
        # Override event level filtering
        level: error
    
        # Add custom tags
        tags:
          - custom
          - debug
    
  4. Restart the Atatus infrastructure agent.

    Restart-Service atatus-infra-agent
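As an added pre-flight check (example script written for this page, not part of the Atatus agent or its documentation), the PowerShell below takes the same channel names, event_id/provider filters and xml_query as the configuration above and confirms on the local host that each channel exists, is enabled and actually yields matching events before the agent is restarted. It assumes the configuration is unchanged from the example; Custom-App/Debug is the page's hypothetical channel and will normally report as missing.

```powershell
# Added example, not Atatus tooling: dry-run the win_event_log.yml settings
# against the local host so a mistyped channel, a disabled log or a filter
# that matches nothing is caught now rather than as silently empty log data.
# Run from an elevated prompt (the Security channel cannot be read otherwise).
$checks = @(
    @{ Name = 'Application' },
    @{ Name     = 'Microsoft-Windows-PowerShell/Operational'
       # 4103 (module logging) and 4104 (script block logging) are only
       # written once those PowerShell logging policies are turned on
       EventId  = 4103, 4104, 4105, 4106
       Provider = 'Microsoft-Windows-PowerShell' },
    @{ Name = 'System' },
    @{ Name = 'Security' },
    @{ Name     = 'Custom-App/Debug'   # the page's hypothetical channel
       XmlQuery = @'
<QueryList>
  <Query Id="1" Path="Custom-App/Debug">
    <Select>*[System/Level=2]</Select>
  </Query>
</QueryList>
'@ }
)

foreach ($c in $checks) {
    # 1. Does the channel exist and is it enabled? ignore_missing_channel
    #    only suppresses the agent's error; it does not create the data.
    $log = Get-WinEvent -ListLog $c.Name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "$($c.Name): channel not found on this host"
        continue
    }
    if (-not $log.IsEnabled) {
        Write-Warning "$($c.Name): channel is disabled, nothing will be collected"
    }

    # 2. Apply the same filter the agent will use and count recent matches.
    if ($c.XmlQuery) {
        $events = Get-WinEvent -FilterXml ([xml]$c.XmlQuery) -MaxEvents 50 `
                  -ErrorAction SilentlyContinue
    } else {
        $filter = @{ LogName = $c.Name }
        if ($c.EventId)  { $filter.Id = $c.EventId }
        if ($c.Provider) { $filter.ProviderName = $c.Provider }
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 `
                  -ErrorAction SilentlyContinue
    }
    '{0,-45} records={1,-8} matched(last 50)={2}' -f $c.Name, $log.RecordCount, @($events).Count
}
```

A channel that exists but shows zero matches usually means the source is not producing those events yet (for example PowerShell logging policies not enabled), which the agent's ignore_missing_channel setting will not surface.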