Understanding the Logs catalog:

The Logs catalog is a centralized list of Windows Event Log channels available for collection across your environment. Adding a log to the catalog does not automatically start collecting it — it simply makes it available for selection when configuring Event Log settings within a group.

Think of the catalog as the menu of available log sources. Group Event Log configuration is where you order from that menu for each specific group of machines.

Accessing the Logs section:

In the left navigation menu, click Logs.

The Logs page displays all currently defined log sources with their name, description, and log type.

Adding a log manually:

Use this method when you know the exact name of the Windows Event Log channel you want to add:

1. In the Log Name field, enter the exact log channel name:

Standard Windows Event Log names:

2. Optionally enter a Description to explain the purpose of the log source
3. Click Add Log

The log channel is added to the catalog and becomes available for selection in group Event Log configurations.

Browsing available Windows logs:

Use this method to discover log channels available on Windows systems without needing to know the exact name:

1. Select a log from the dropdown list of common Windows logs
2. Click Add

The selected log is added to the catalog.

Viewing log details:

Click the expand arrow () next to any log in the catalog to view:

• Description — the purpose of the log channel
• Log Type — Classic, Operational, Debug, or Analytic
• Common Event IDs — important Event IDs commonly found in this log channel

Editing a log entry:

To update the description of a log in the catalog:

1. Expand the log entry by clicking the expand arrow
2. Click Edit
3. Modify the description
4. Click Update

Only the description can be edited — the log channel name cannot be changed after the log is added. If the name needs to be corrected, delete the entry and add it again with the correct name.

Deleting a log from the catalog:

Deleting a log from the catalog removes it from the available list but does not affect existing group configurations that are already using it. Groups that have this log configured will continue to collect from it until the log is removed from those group configurations individually.

1. Click the ⋮ menu next to the log
2. Select Delete
3. Confirm the deletion

Common Windows Event Log channels to add:

The following log channels cover the most common security monitoring and compliance use cases and are recommended for addition to the catalog in most environments:

[Your administrator should add any additional log channels relevant to the specific server roles and compliance requirements in your environment.]

Best practices:

• Add all commonly used log channels to the catalog during initial setup so they are immediately available when configuring groups
• Use clear, consistent descriptions so other administrators understand the purpose of each log channel without needing to look it up
• Only add log channels that are relevant to your environment — keeping the catalog focused makes group configuration cleaner and easier to manage
• Note that some log channels such as Microsoft-Windows-Sysmon/Operational require additional software (Sysmon) to be installed on client machines before events will be generated
• Analytic and Debug log channels must be explicitly enabled on Windows machines before they generate events — confirm this is done before adding them to group configurations

[Your administrator should document which log channels are in the catalog and which groups they are assigned to, so the full scope of Windows Event Log collection is auditable.]

Additional documentation on this feature is incoming. The content below reflects what is currently known and will be expanded once further detail is available.

Understanding fields in EventLogCentral:

When creating audit policy conditions within a group, administrators select a Field to evaluate — such as EventID, TargetUserName, or LogonType. The Fields section allows additional fields beyond these defaults to be defined and made available for use in policy conditions.

This is particularly useful when:

• Monitoring for specific values in less common Windows Event Log properties
• Building precise suppression or forwarding rules based on event metadata not covered by the default field set
• Extending audit policy capabilities to cover custom or application-specific event fields

Accessing the Fields configuration:

[Your administrator should confirm the location of the Fields configuration within the EventLogCentral interface and add navigation steps here.]

Adding a custom field:

[Your administrator should provide the steps for adding a custom field, including the field name, data type, and any mapping configuration required. This section will be updated once further documentation is available.]

Using custom fields in audit policies:

Once a custom field has been added to the Fields catalog, it becomes available for selection in the Field dropdown when creating audit policy conditions within a group. Refer to the Audit Policies article for instructions on building policy conditions.

Additional information incoming.

[This article will be updated with full configuration steps, field type options, and examples once further documentation is provided by the administrator.]