The Event Logs configuration within a group defines which Windows Event Log channels the EventLogAgent clients in that group collect and forward. Each group can be configured to collect from different log channels with specific Event ID inclusion and exclusion rules, allowing you to tailor collection precisely to the needs of each group of machines.
Understanding group-based Event Log configuration:
Event Log settings are configured at the group level, meaning all clients assigned to a group share the same Event Log collection settings. This makes it straightforward to apply consistent collection policies across machines that serve the same role, such as all Domain Controllers or all SQL Servers, while using different settings for other groups.
Accessing Event Log configuration for a group:
- In the left navigation menu, click Groups
- Locate the group you want to configure
- Click the ⋮ menu next to the group
- Select Event Logs
Adding a Windows Event Log to a group:
- From the Event Logs configuration screen, click Add Event Log
- Select a log from the available list or enter the log name manually:
Common Windows Event Logs:
| Log Name | Description | Common Use Cases |
|---|---|---|
| Security | Security audit events (only the subcategories enabled in audit policy are written) | Logons, privilege use, object access, account changes |
| System | Windows system events | Service changes, system errors, hardware events |
| Application | Application events | App crashes, warnings, informational messages |
| Microsoft-Windows-PowerShell/Operational | PowerShell execution events | Script block logging (4104) and module logging (4103); requires the corresponding PowerShell logging policies to be enabled |
| Microsoft-Windows-Sysmon/Operational | Sysmon events (present only where Sysmon is installed) | Process creation, network connections, file and registry changes for threat detection |
| Microsoft-Windows-TaskScheduler/Operational | Scheduled task events (this channel is disabled by default on most Windows versions) | Task execution and modification tracking |
- Configure the following settings for each log:
Enable/Disable: Toggle collection on or off for this log without removing it from the configuration. Disabled logs are not collected but their settings are retained for future use.
Include Event IDs: Specify which Event IDs to collect from this log. Leave blank to collect all Event IDs from the channel.
Example: 4624, 4625, 4672, 4720, 4726
Exclude Event IDs: Specify Event IDs to ignore even if they appear in the log channel. Use this to suppress high-volume or low-value events.
Example: 4634, 4648
Exclude Descriptions: Filter events by message content; events whose description matches the specified text will be suppressed.
- Click Save
Recommended Event ID configuration:
The following Event IDs are recommended as a starting point for security monitoring. Your administrator should adjust this list based on your organization’s specific compliance and monitoring requirements.
| Event ID | Log | Description |
|---|---|---|
| 4624 | Security | Successful logon |
| 4625 | Security | Failed logon |
| 4672 | Security | Special privileges assigned to new logon (privileged/administrative logon) |
| 4688 | Security | New process created (high volume; requires Audit Process Creation, and command-line auditing if the command line is needed) |
| 4720 | Security | User account created |
| 4726 | Security | User account deleted |
| 4732 | Security | Member added to a security-enabled local group (4728 and 4756 cover global and universal groups) |
| 4740 | Security | Account locked out |
| 4768 | Security | Kerberos authentication ticket (TGT) requested |
| 4776 | Security | NTLM credential validation (the domain controller validated an account's credentials) |
| 5136 | Security | Active Directory object modified |
Example group Event Log configuration:
The following example shows a recommended starting configuration for a Domain Controllers group:
Log: Security
Enabled: Yes
Include Event IDs: 4624, 4625, 4672, 4720, 4726, 4732, 4740, 4768, 4776, 5136
Exclude Event IDs: (none)
Description: Collect logon events, account changes, and privilege use
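Before saving a filter like the one above, it is worth previewing what it would actually forward from a representative machine and at what rate. The following PowerShell script is an added example and is not EventLogAgent code: it applies the Include Event IDs, Exclude Event IDs and Exclude Descriptions fields to the local log with Get-WinEvent and reports the per-ID counts for the last 24 hours. The $GroupConfig hashtable is a hypothetical copy of the Domain Controllers configuration, and Exclude Descriptions is assumed to behave as a case-insensitive substring match; the product's exact matching semantics are not documented on this page.

```powershell
# Added example, not EventLogAgent code: preview locally what a group's
# Event Log filter would forward, and how fast, before saving it.
# Run in an elevated session (reading the Security log requires
# administrator rights or Event Log Readers membership).

# Hypothetical copy of the Domain Controllers group configuration
$GroupConfig = @{
    LogName             = 'Security'
    IncludeEventIds     = @(4624, 4625, 4672, 4720, 4726, 4732, 4740, 4768, 4776, 5136)
    ExcludeEventIds     = @()                    # (none)
    ExcludeDescriptions = @('ANONYMOUS LOGON')   # assumption: drop null-session noise
}

function Get-PreviewEvents {
    param(
        [Parameter(Mandatory)][hashtable]$Config,
        [int]$Hours = 24,
        [int]$MaxEvents = 50000   # cap so a busy DC does not take forever
    )
    $filter = @{ LogName = $Config.LogName; StartTime = (Get-Date).AddHours(-$Hours) }
    # A blank Include list means every Event ID in the channel, as in the UI
    if ($Config.IncludeEventIds.Count -gt 0) { $filter['Id'] = $Config.IncludeEventIds }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $Config.ExcludeEventIds -notcontains $_.Id } |
        Where-Object {
            # Assumed substring match: suppress the event if any excluded text appears in it
            $msg = $_.Message
            $null -eq ($Config.ExcludeDescriptions | Where-Object { $msg -like "*$_*" })
        }
}

$events = @(Get-PreviewEvents -Config $GroupConfig -Hours 24)
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table @{ n = 'EventId'; e = { $_.Name } }, Count -AutoSize
# If the MaxEvents cap was hit, this is a lower bound for the real rate
'{0} events in 24h after filtering, about {1:N1} per hour' -f $events.Count, ($events.Count / 24)
```

Compare the per-ID counts against your SIEM ingestion budget; an ID that dominates the table (4624 and 4776 on a domain controller, typically) is the first candidate for an Exclude Descriptions entry rather than for removal from the Include list.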
Editing an existing Event Log configuration:
- Navigate to the group’s Event Logs configuration
- Locate the log to edit
- Click the expand arrow to view current settings
- Click Edit
- Modify the settings as needed
- Click Save
Disabling a log without removing it:
To temporarily stop collecting from a log channel without losing its configuration:
- Navigate to the group’s Event Logs configuration
- Locate the log
- Toggle the Enable switch to off
- The log will not be collected until re-enabled
Best practices:
- Start with the Security log and the recommended Event IDs above before expanding to additional log channels
- Use Include Event IDs rather than collecting all events from a channel; this significantly reduces forwarding volume and SIEM ingestion costs
- Use Exclude Event IDs to suppress known high-volume, low-value events such as logoff events (4634). Note that an Event ID exclusion drops every event with that ID, so to suppress noise from a particular account (for example a service account's routine logons) use Exclude Descriptions instead; excluding 4624 would also discard the interactive and remote logons you want to keep
- Create separate groups for different server roles (Domain Controllers, File Servers, SQL Servers) and configure Event Log settings appropriate to each role
- Test new Event Log configurations on a small group of non-production machines before rolling out to the full environment
- Enable Windows Advanced Audit Policy on monitored machines so the relevant Security Event IDs are actually generated: for example, 4624 and 4625 need Audit Logon, 4688 needs Audit Process Creation, 4720, 4726 and 4740 need Audit User Account Management, and 4732 needs Audit Security Group Management. EventLogAgent can only collect events that Windows is actually logging
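A quick way to catch the last point before a rollout is to compare the group's recommended Event IDs against the effective audit policy on a target machine. The following PowerShell script is an added example, not part of EventLogAgent: it reads the effective policy with auditpol in CSV mode and reports, for each recommended ID, whether the subcategory that produces it is enabled for the outcome needed. The $Required mapping and the column names are my assumptions based on standard Windows auditing; the subcategory names are the English auditpol names, so on a localized build key on the Subcategory GUID column instead.

```powershell
# Added example, not EventLogAgent code: confirm that the local Advanced
# Audit Policy will actually emit the recommended Security Event IDs.
# Run in an elevated session.

# Assumed mapping: which audit subcategory, and which outcome, produces each ID
$Required = @(
    [pscustomobject]@{ Id = 4624; Subcategory = 'Logon';                           Needs = 'Success' }
    [pscustomobject]@{ Id = 4625; Subcategory = 'Logon';                           Needs = 'Failure' }
    [pscustomobject]@{ Id = 4672; Subcategory = 'Special Logon';                   Needs = 'Success' }
    [pscustomobject]@{ Id = 4688; Subcategory = 'Process Creation';                Needs = 'Success' }
    [pscustomobject]@{ Id = 4720; Subcategory = 'User Account Management';         Needs = 'Success' }
    [pscustomobject]@{ Id = 4726; Subcategory = 'User Account Management';         Needs = 'Success' }
    [pscustomobject]@{ Id = 4732; Subcategory = 'Security Group Management';       Needs = 'Success' }
    [pscustomobject]@{ Id = 4740; Subcategory = 'User Account Management';         Needs = 'Success' }
    [pscustomobject]@{ Id = 4768; Subcategory = 'Kerberos Authentication Service'; Needs = 'Success' }
    [pscustomobject]@{ Id = 4776; Subcategory = 'Credential Validation';           Needs = 'Success' }
    [pscustomobject]@{ Id = 5136; Subcategory = 'Directory Service Changes';       Needs = 'Success' }
)

# 'auditpol /r' prints CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$settings = @{}
auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
    $settings[$_.Subcategory] = $_.'Inclusion Setting'
}

$report = $Required | ForEach-Object {
    $configured = $settings[$_.Subcategory]
    $label = if ($configured) { $configured } else { '(subcategory not found)' }
    # 'Success and Failure' satisfies either requirement; 'No Auditing' satisfies none
    $ok = [bool]$configured -and ($configured -eq 'Success and Failure' -or $configured -eq $_.Needs)
    [pscustomobject]@{
        EventId      = $_.Id
        Subcategory  = $_.Subcategory
        Needs        = $_.Needs
        Configured   = $label
        WillBeLogged = $ok
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.WillBeLogged })
if ($missing.Count -gt 0) {
    Write-Warning ('Audit policy will not generate Event IDs: ' + ($missing.EventId -join ', '))
}
```

Any ID flagged in the warning will never reach the agent no matter what the group's Include Event IDs list says; fix the audit policy (via Group Policy or auditpol /set) on those machines before relying on the group configuration. 4688 additionally needs the "Include command line in process creation events" policy if you want the command line in the event.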
[Your administrator should review the Event Log configuration for each group regularly to confirm it remains aligned with your organization’s security monitoring and compliance requirements.]