The Logs section of EventLogCentral defines the catalog of available Windows Event Log sources that can be assigned to groups for collection. This catalog acts as a library of log channels: before a log channel can be selected in a group's Event Log configuration, it must first be added to the catalog here.
Understanding the Logs catalog:
The Logs catalog is a centralized list of Windows Event Log channels available for collection across your environment. Adding a log to the catalog does not automatically start collecting it; it simply makes it available for selection when configuring Event Log settings within a group.
Think of the catalog as the menu of available log sources. Group Event Log configuration is where you order from that menu for each specific group of machines.
Accessing the Logs section:
In the left navigation menu, click Logs.
The Logs page displays all currently defined log sources with their name, description, and log type.
Adding a log manually:
Use this method when you know the exact name of the Windows Event Log channel you want to add:
- In the Log Name field, enter the exact log channel name:
Standard Windows Event Log names:

| Log Name | Description |
|---|---|
| Security | Security audit events |
| System | Windows system events |
| Application | Application events |
| Microsoft-Windows-PowerShell/Operational | PowerShell script execution events |
| Microsoft-Windows-Sysmon/Operational | Sysmon advanced threat detection events |
| Microsoft-Windows-TaskScheduler/Operational | Scheduled task execution and modification events |

- Optionally enter a Description to explain the purpose of the log source
- Click Add Log
The log channel is added to the catalog and becomes available for selection in group Event Log configurations.
Browsing available Windows logs:
Use this method to discover log channels available on Windows systems without needing to know the exact name:
- Select a log from the dropdown list of common Windows logs
- Click Add
The selected log is added to the catalog.
Viewing log details:
Click the expand arrow (▶) next to any log in the catalog to view:
- Description: the purpose of the log channel
- Log Type: Classic, Operational, Debug, or Analytic
- Common Event IDs: important Event IDs commonly found in this log channel
Editing a log entry:
To update the description of a log in the catalog:
- Expand the log entry by clicking the expand arrow
- Click Edit
- Modify the description
- Click Update
Only the description can be edited; the log channel name cannot be changed after the log is added. If the name needs to be corrected, delete the entry and add it again with the correct name.
Deleting a log from the catalog:
Deleting a log from the catalog removes it from the available list but does not affect existing group configurations that are already using it. Groups that have this log configured will continue to collect from it until the log is removed from those group configurations individually.
- Click the ⋮ menu next to the log
- Select Delete
- Confirm the deletion
Common Windows Event Log channels to add:
The following log channels cover the most common security monitoring and compliance use cases and are recommended for addition to the catalog in most environments:
| Log Name | Type | Use Case |
|---|---|---|
| Security | Classic | Authentication, privilege use, account management, object access |
| System | Classic | Service changes, system errors, hardware events |
| Application | Classic | Application crashes, warnings, and informational messages |
| Microsoft-Windows-PowerShell/Operational | Operational | PowerShell script execution tracking |
| Microsoft-Windows-Sysmon/Operational | Operational | Advanced threat detection (requires Sysmon installed) |
| Microsoft-Windows-TaskScheduler/Operational | Operational | Scheduled task execution and modification |
| Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Operational | Remote Desktop session events |
| Microsoft-Windows-DNS-Server/Analytical | Analytical | DNS query logging (requires DNS Server role) |

[Your administrator should add any additional log channels relevant to the specific server roles and compliance requirements in your environment.]
Best practices:
- Add all commonly used log channels to the catalog during initial setup so they are immediately available when configuring groups
- Use clear, consistent descriptions so other administrators understand the purpose of each log channel without needing to look it up
- Only add log channels that are relevant to your environment; keeping the catalog focused makes group configuration cleaner and easier to manage
- Note that some log channels such as Microsoft-Windows-Sysmon/Operational require additional software (Sysmon) to be installed on client machines before events will be generated
- Analytic and Debug log channels must be explicitly enabled on Windows machines before they generate events; confirm this is done before adding them to group configurations
[Your administrator should document which log channels are in the catalog and which groups they are assigned to, so the full scope of Windows Event Log collection is auditable.]
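Because the catalog matches channel names exactly and some channels (Sysmon, DNS-Server, Analytic/Debug) record nothing until their provider is installed or the channel is enabled, it helps to verify each name on a representative Windows host before adding it. The following PowerShell script is an added example, not part of EventLogCentral; it checks the channels listed on this page using the built-in Get-WinEvent cmdlet and reports which ones are missing or disabled.

```powershell
# Added example (not EventLogCentral code): verify on a Windows host that the
# channels you intend to add to the catalog exist and are enabled.
# Run in an elevated PowerShell session; the channel names are the ones from this page.
$channels = @(
    'Security',
    'System',
    'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-DNS-Server/Analytical'
)

$report = foreach ($name in $channels) {
    # -ListLog returns the channel's configuration without reading any events.
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        # Expected for Sysmon or DNS-Server channels when the provider is not installed,
        # and the usual symptom of a mistyped name (matching is exact).
        [pscustomobject]@{
            Channel = $name; Exists = $false; Enabled = $null; LogType = $null
            Note    = 'channel not found on this host'
        }
        continue
    }
    $note = ''
    if ("$($log.LogType)" -in @('Analytical', 'Debug') -and -not $log.IsEnabled) {
        # Analytic/Debug channels are off by default and stay empty until enabled.
        $note = "disabled; enable with: wevtutil sl `"$name`" /e:true"
    }
    [pscustomobject]@{
        Channel = $name
        Exists  = $true
        Enabled = $log.IsEnabled
        LogType = $log.LogType   # Administrative, Operational, Analytical or Debug
        Note    = $note
    }
}

# Rows with Exists=False or a non-empty Note need attention before the channel
# is assigned to a group.
$report | Format-Table -AutoSize
```

Run the same check on one host per server role, since role-specific channels such as the DNS Server log will only be present where that role is installed.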