Skip to Content

Improving visibility into critical Windows security and system events

Filter and parse Windows event logs to reduce log noise and speed up issue identification with BMC Helix Log Analytics and achieve the following goals for your Windows environment:

  • Improved operational efficiency by ingesting only actionable Windows event logs
  • Faster root cause analysis through structured, searchable event data

Customer success: Apex Global improves operational visibility into Windows environments

Apex Global used filtering and parsing rules in its Windows event logs collection policy. This helped them collect and refine Windows event logs. As a result, they improved visibility into their Windows environment. The operations and security teams can now focus on actionable events by performing targeted searches more effectively. This leads to faster response to system and security issues.

Scenario

Information

Example: Reducing Windows event log noise while preserving security and system-critical data

Apex Global collects Windows system and security event logs from multiple production servers. With the high volume of information events generated, the operations teams struggle to identify critical security incidents and system errors in a timely manner.

By using pre‑filtering, parsing, and filtering rules in BMC Helix Log Analytics, the Apex Global achieves the following goals:

  • Reduced unnecessary log ingestion.
  • Gets structured Windows event data, and focuses analysis only on security failures and system errors.

Workflow for filtering and parsing Windows event logs

Window_use_case_workflow.jpg

Task 1: Downloading and installing the Windows connector

Install the Windows connector to collect data from the Windows-based application log files, Windows Events, and Amazon Web Services.

Before you begin

Before you start downloading and installing the Windows connector, make sure to perform the following actions:

  • Download and install the connector on a Windows Server Standard Edition with version 2012 or later.
  • Have the privileges to execute a batch file and install an application as a service.
  • Port 24444 is available on the Windows server from which logs will be collected.
  • Have the Visual Studio C++ Redistributable package installed in your environment.

To download and install a connector

  1. Log in to BMC Helix Log Analytics.
  2. From the Collection menu, select Connectors.
  3. On the Connectors page, click Create.
  4. In the Connector Name field, enter a unique connector name.
  5. From the Select Connector Type list, select Windows Connector.
  6. In the Description field, enter the connector description.
  7. In the Download Connector step, click Download.
    The connector is downloaded in the tdc-connector-windows-<build_number>.zip file.
  8. In the Tags step, add tags as key-value pairs to identify the connector.
    For example:
    name-windows
    location-Pune
  9. Click + to add the tag.
    Even if you add only one tag, make sure that you click +.
  10. In the Download Install Script step, click Download.
    The format of the .bat file name is install-connector-<connector name>.bat.
    For example, if you entered the connector name as my-bmc, the file name is install-connector-my-bmc.bat
  11. On the Windows server from which logs will be collected, create a new folder and copy the downloaded .zip and .bat files into it.
    Make sure that there are no spaces in the folder names or in the entire path that you provide.
  12. Extract the .zip file by using the Extract here option.
    You can see the BMC-DevTools folder. Make sure that the BMC-DevTools folder and the .bat file are at the same level in the folder hierarchy.
  13. Open the command prompt with administrator privileges.
  14. Run the .bat file.
    You can see the computer name with a Fully Qualified Domain Name (FQDN).
  15. Perform one of the following options to complete the connector installation:
    1. If you do not want to modify the computer name with FQDN, enter N.
    2. If you want to change the computer name with FQDN, enter Y and perform the following actions:
      1. Enter the computer name with the FQDN.
        For example, xyz.bmc.com.
      2. Enter Y to confirm the computer name.

The Windows connector is installed and starts as a Windows service. Access the connector logs at the following location:
<Folder where the zip file is extracted>\BMC-DevTools\opt\fluent\fluentd.log.

Tip: If you have a proxy configured in your environment and want to communicate with the connector through it, see Communicate with the connector through a proxy.

Task 2: Creating a log pre-filtering rule

Configure a pre-filtering rule to achieve one of the following goals:

  • Filter and skip unwanted logs during ingestion.
  • Ingest only important logs to BMC Log Analytics.

For this use case, let's create a pre-filtering rule to exclude all Information-type logs at the log source, so the logs are not ingested into BMC Helix Log Analytics.

To create a pre-filtering rule

  1. Click the Collection menu and select Filtering Rules.
  2. On the Filtering Rules page, click Create.
    Window_use_case_pre-filtering_rule.jpg
  3. In the Rule Information section, perform the following actions:
    1. Enter Windows_Events_pre-filtering_rule  as the name for the rule.
    2. In the Collection Type field, select Windows Events.
  4. In the Rule Configuration section, perform the following actions:
    1. From the Log Filter list, select Grep.
    2. From the Directive list, select Exclude.
    3. In the Key field, enter Level as the key.
    4. In the Pattern field, enter Information.
  5. Click Save.

Task 3: Creating a log parsing rule

A parsing rule converts raw log data into key-value pairs, making it convenient for BMC Helix Log Analytics to search, query, and analyze logs. Log records are generated as single-line or multiline texts. Use the parsing rule to further extract the specific fields from the logs and break them into meaningful multiple fields that can be used to derive insights for the 

For the use case, let's create a parsing rule to perform field extraction on the Description field data by specifying a regex parser. This rule extracts content into new fields, such as security_id, account_domain, and account_name, as defined by the parsing rule's regex.

Click to view the details in the Description field

An account was successfully logged on.

Subject:
    Security ID:        S-1-qw-rw
    Account Name:        CLM-VM123
    Account Domain:        WORKGROUP
    Logon ID:        0x3123

Logon Information:
    Logon Type:        5
    Restricted Admin Mode:    -
    Virtual Account:        No
    Elevated Token:        Yes

Impersonation Level:        Impersonation
....
......

To create a log parsing rule

  1. Click the Collection menu and select Parsing Rules.
  2. On the Parsing Rules page, click Create.
    Window_use_case_parsing_rule.jpg
  3. In the Rule Information section, perform the following steps:
    1. Enter Windows_Events_parsing_rule  as the name for the rule.
    2. From the Collection Type list, select Windows Events.
  4. In the Rule Configuration section, in the Format field, select Field Extraction.
  5. In Log Field, specify the description to extract the data from the log description.
  6. In Regular Expression, specify the fields to be extracted.
    The expression must be compliant with the Ruby syntax with values specified within slashes.
  7. Click Save.

Task 4: Configuring a Windows event logs collection policy

Windows event logs include actions taken by users and processes running on the computer. These logs provide crucial context that helps in faster issue resolution.

To collect Windows events

  1. Click the Collection menu and select Collection Policies.
  2. Click Create.

  3. Enter a unique name and description for the policy to be created.

    Click to view the sample configuration of Windows Event Logs collection policy

    Window_use_case_policy_configuration.jpg

  4. From the Collection Type list, select Windows Events.
  5. In the Connector configurations section, perform the following steps:
    1. From the Connector Type list, select Windows Connector.
    2. In Connector Selection Criteria, create the connector selection criteria to identify connectors for collection.
      The following fields are available to create the selection criteria:
      • Status
      • Name
      • Version
      • Host_name
      • ip
      • Tags
  6. In the Configuration section, perform the following steps:
    1. Click Configure.
      Window_use_case_policy_detail_1.jpg
    2. In the Customize Logs Data panel, select the Default option.
      This collects Windows events from the following channels:
      • Application
      • Security
      • Setup
      • System
    3. In the Collection Interval field, enter 120 to collect logs every 2 minutes.
    4. Select the Collect Existing Events check box to collect the existing events.
    5. Click Save.
  7. In the Configuration section, add the appropriate Tags.
  8. In Pre-filtering Rule, select Windows_Events_pre-filtering_rule from the list.
  9. In Log Parsing, select Windows_Events_parsing_rule from the list.
  10. In User Group, select Administrators and Operator from the list.
  11. Click Enable Collection Policy.
  12. Click Save.

Results

  1. The pre-filtering rule excludes Information-type event logs from being ingested to BMC Helix Log Analytics. This reduces the log volume.

    Sample Information-type event logs that are dropped
    {
      "_index": "log-00_r3_v1-001607",
      "_id": "_cerup0BZ4QLwlpQ_jTt",
      "_version": 1,
      "_score": null,
      "_source": {
        "bmc_user_groups": [
          ""
        ],
        "EventData": "System entered into start state ",
        "bmc_tags": "wineventdemo",
        "bmc_integration_name": "winevent-dc37dfcc",
        "bmc_integration_id": "412f498e-4351-4a3e-9075-f4af60850128",
        "bmc_connector_name": "WinCon-clm-win-12543",
        "bmc_connector_id": "dc37dfcc-9899-48e7-852a-cedb490b5b40",
        "bmc_policy_name": "winevent",
        "log_source_host": "clm-win-12543",
        "@@timestamp": "@ Thu Apr 23 14:08:47 GMT 2026",
        "@timestamp": "2026-04-23T14:08:47.098Z",
        "ProviderName": "Edge",
        "ProviderGUID": "",
        "EventID": "1001",
        "Qualifiers": "0",
        "Level": "Information",
        "Task": "1",
        "Opcode": "",
        "Keywords": "0x80000000000000",
        "TimeCreated": "2026-04-23T14:08:04.568166900Z",
        "EventRecordID": "50167",
        "ActivityID": "",
        "RelatedActivityID": "",
        "ProcessID": "",
        "ThreadID": "",
        "Channel": "Application",
        "Computer": "clm-win-12543",
        "UserID": "",
        "Version": "",
        "Description": "The message resource is present but the message was not found in the message table.\r\nr Name='Microsoft-Windows-Security-Auditing'"
      },
      "fields": {
        "@timestamp": [
          "2026-04-23T14:08:47.098Z"
        ]
      }
    }

  2. The parsing rule extracts information from the Description field. It displays this information in organized and searchable fields in the Explorer tab of BMC Helix Log Analytics. This setup makes it easier for operators to analyze the data.

    Sample parsed logs

    After the parsing rule is applied to the Windows event logs, the parsed logs are displayed as shown in the following filename
    Window_use_case_parsing_rule_result1.jpg
    Window_use_case_parsing_rule_result2.jpg

  3. Security teams can quickly identify failed login attempts and audit-related events.
  4. Operations teams focus on system errors that affect service stability.

Related topics

Installing and managing the Windows connector

Creating a filtering rule

Creating a parsing rule

Collecting Windows events

Troubleshooting filtering and parsing logs

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix Log Analytics 26.2