Collecting Windows events
Windows event logs are records of events that have occurred on a computer running the Windows operating system. These records contain information about actions taken by the operating system, by installed applications, by users, and by processes running on the computer. These logs provide context for troubleshooting and for investigating security incidents.
The following Windows event logs are available and BMC Helix Log Analytics enables you to collect all of them:
- System: Events logged by Windows system components, such as a driver that failed to load or an outdated hardware driver.
- Application: Events logged by installed applications, such as the installation of new software or hardware and errors from currently running software.
- Security: Audit events recorded according to the Windows audit policy, such as logon attempts and access to resources. A category appears in this channel only if auditing is enabled for it.
The following image shows how Windows event logs are collected:
The following video (2:14) provides you with an overview of monitoring Windows events in BMC Helix Log Analytics.
Before you begin
- Make sure that you have downloaded and installed the Windows connector. For more information, see Installing-and-managing-the-Windows-connector.
- Create a filtering rule. For more information, see Creating-a-filtering-rule.
- Create a parsing rule. For more information, see Creating a parsing rule.
If you plan to filter logs before they are parsed, add a pre-filtering rule in addition to a filtering rule. Pre-filtering rules limit the number of logs that are parsed.
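Before you enable a policy, it is worth confirming on the host itself that the channels the policy will read exist, are enabled, and are not being overwritten faster than the connector collects them. The following PowerShell script is an added example of that check; it is not part of BMC Helix Log Analytics or its connector. It assumes the four channels of the policy's Default option, a 60-second collection interval (change `$collectionIntervalSeconds` to match your policy), and an elevated session on the Windows host where the connector runs, because reading the Security channel requires administrator rights.

```powershell
# Added example (not BMC code): host-side preflight for a Windows Events collection policy.
# Assumptions: the Default channel set, a 60-second interval, and an elevated session.
$channels = 'Application', 'Security', 'Setup', 'System'
$collectionIntervalSeconds = 60

$report = foreach ($cfg in Get-WinEvent -ListLog $channels -ErrorAction Stop) {
    # Newest and oldest records give the channel's current retention span, which shows
    # whether a circular log could wrap between two collection runs.
    $newest = Get-WinEvent -LogName $cfg.LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    $oldest = Get-WinEvent -LogName $cfg.LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $spanHours = if ($newest -and $oldest) {
        [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalHours, 1)
    } else { 0 }

    if (-not $cfg.IsEnabled) {
        Write-Warning "$($cfg.LogName) is disabled; the policy will collect nothing from it."
    }
    if ($cfg.LogMode -eq 'Circular' -and $spanHours -gt 0 -and
        ($spanHours * 3600) -lt ($collectionIntervalSeconds * 2)) {
        Write-Warning "$($cfg.LogName) wraps in under two collection intervals; events may be lost."
    }

    [pscustomobject]@{
        Channel     = $cfg.LogName
        Enabled     = $cfg.IsEnabled
        Records     = $cfg.RecordCount                          # backfill volume if Collect Existing Events is selected
        MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        Mode        = $cfg.LogMode                              # Circular logs overwrite the oldest events when full
        RetainHours = $spanHours
    }
}
$report | Format-Table -AutoSize

# The Security channel contains only what the audit policy tells Windows to record.
# If the Logon/Logoff or Object Access subcategories show "No Auditing", enable them
# before expecting those events to appear in BMC Helix Log Analytics.
auditpol /get /category:*
```

The Records column is the number of events the connector will send as backfill if you select Collect Existing Events, so use it to estimate the initial ingestion volume before enabling the policy on many hosts.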
To collect Windows events
In BMC Helix Log Analytics, use the Collection > Collection Policies > Create button and perform the following steps:
- Add the policy information by performing the following steps:
- Enter a unique name and description.
- From the Collection Type list, select Windows Events.
- In the Connector configurations section, perform the following steps:
- From the Connector Type list, select Windows Connector.
- In Connector Selection Criteria, create the connector selection criteria to identify the connectors that collect the events.
When you click in the box, you are prompted to make a selection. Each time you make a selection, you are progressively prompted to make another selection.
The selection criteria consist of an opening parenthesis, followed by the slot name, the operator, the slot value (which can be a string based on the type of slot selected), and the closing parenthesis. You can optionally select the logical operator AND or OR to add additional conditions. Specifying the opening and closing parentheses is optional.
The connector fields available to create the selection criteria are status, name, version, host_name, ip, and tags.
- In the Configuration section, perform the following steps:
- Click Configure.
- In the Customize Logs Data panel, select the channels from which you want to collect events.
- If you select the Default option, Windows events are collected from the following channels:
- Application
- Security
- Setup
- System
- In the Collection Interval field, enter how frequently (in seconds) you want to collect Windows events.
- Select the Collect Existing Events check box to also collect the events that were already present in the selected channels, not only those written after the policy is enabled.
- In the Tags field, enter the tags to identify the policy with the collected logs.
The values that you enter in this field are added to the bmc_tags field that is present in the collected logs. You can use the field or tags to search and analyze logs.
- In Fields, enter the custom information that you want to add to collected logs in the form of key-value pairs.
Use these fields to search and analyze the logs in Explorer. For example, Key: applicationContext; Value: Windows. Use applicationContext:Windows as a search string to search and analyze the collected logs.
- (Optional) In the Pre-filtering Rule section, select a filtering rule to remove unwanted log messages before the logs are parsed.
If you don't filter the log data before parsing, all log data is processed for parsing.
If you have not created a filtering rule, perform one of the following actions:
- Go to Collection > Filtering Rules and click Create. For more information, see Creating a filtering rule.
- In the Pre-filtering Rule section, click Create New and complete the configuration. For information about the configuration settings, see Creating a filtering rule.
- (Optional) In the Log Parsing section, from the Parsing Rule 1 list, select a parsing rule.
With a parsing rule, the BMC Helix Log Analytics connector can convert raw log data into key-value pairs for searching and analyzing logs efficiently. Raw log data is not parsed if you don't select a parsing rule.
If you have not created a parsing rule, perform one of the following actions:
- Go to Collection > Parsing Rules and click Create. For more information, see Creating a parsing rule.
- In the Log Parsing section, click Create New against a parsing rule and complete the configuration. For information about the configuration settings, see Creating a parsing rule.
- From the Filtering Rule list, select the filtering rule that you have created.
If you have not created a filtering rule, see Creating-a-filtering-rule for instructions.
- From the User group list, select one or more user groups to assign to the collection policy.
Users associated with these user groups can see the data collected by this collection policy.
- Enable and save the policy by performing the following steps:
- To start collecting logs, select the Enable Collection Policy check box.
You can choose to enable the collection policy later.
- Click Save.
The created policy is shown on the Collection Policies page. Use the Actions menu to edit, enable (or disable), and delete the policy.
To verify the Windows events collection
To verify that log collection has started, select Explorer > Discover. Search by a key:value pair present in the events, by the tags you added to the policy, or by time range to view the collected Windows events. For example, search the logs by using the tag that you added to the events.
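A search by tag proves that some events arrive, but not that a specific host's channel is being read end to end. The following PowerShell script is an added example, not part of BMC Helix Log Analytics: it writes a marker event with a unique GUID to the Application channel of a host matched by the policy's connector selection criteria, confirms the event exists locally, and then leaves you to search for that GUID in Explorer > Discover after at least one collection interval. The source name BMCHelixCollectionTest, event ID 1000, and the search string are assumptions chosen for this example; the tag in the search string is whatever you entered in the policy's Tags field.

```powershell
# Added example (not BMC code): end-to-end collection check with a marker event.
# Assumptions: elevated session on a host the policy selects; source name and event ID are arbitrary.
$source  = 'BMCHelixCollectionTest'
$marker  = [guid]::NewGuid().ToString()
$message = "BMC Helix Log Analytics collection test $marker from $env:COMPUTERNAME at $(Get-Date -Format o)"

# eventcreate.exe ships with Windows and works from Windows PowerShell and PowerShell 7 alike;
# Write-EventLog exists only in Windows PowerShell 5.1. eventcreate can write to APPLICATION or
# SYSTEM (not Security), and accepts event IDs 1 to 1000.
eventcreate /T INFORMATION /ID 1000 /L APPLICATION /SO $source /D $message | Out-Null
if ($LASTEXITCODE -ne 0) { throw "eventcreate failed with exit code $LASTEXITCODE" }

# Confirm the event is in the local Application channel before suspecting the connector.
$local = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $source; Id = 1000 } -MaxEvents 1
if (-not $local -or $local.Message -notlike "*$marker*") {
    throw "marker event $marker was not found in the local Application log"
}

# After one collection interval, search in Explorer > Discover. The bmc_tags field is the one
# this page says receives the policy's Tags; the tag value and the AND combination are assumed:
#   bmc_tags:windows-events AND "$marker"
# The GUID is unique, so a single hit proves this host's Application channel is collected.
"Marker event written: $marker (TimeCreated $($local.TimeCreated.ToString('o')))"
```

If the marker never appears, check first that the host's connector matches the policy's connector selection criteria, then that no pre-filtering rule drops Information-level events from the Application channel.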
To view the out-of-the-box Windows events dashboard in BMC Helix Dashboards
- Click the Dashboards menu.
- Select Manage Dashboards.
The Log Analytics folder is displayed.
- Click the Windows Events dashboard.
Learn more
Read the following blog to learn how Windows event logs help you improve business performance: Analyse Windows Event Logs to improve business performance.