Monitoring Windows Event Logs

Last Updated On October 06, 2018
You are here:


Sonar v0.1.8 or higher


The following monitoring scenarios should be considered:

  • Monitoring event logs in Windows container deployed on Docker or Kubernetes.
  • Monitoring event log  on Windows virtual machine or host.

These scenarios are useful for monitoring specific records from OS or  your applications and cannot be collected by container orchestrators like Docker or Kubernetes.

Benefits and Liabilities

The following benefits and liabilities should be considered before monitoring event logs with Sonar:


  • Minimal performance impact – query Windows event logs within a period of time is the most efficient technique with near zero CPU cost.
  • Portability across Windows platform – Windows event log records can accessed using WMI locally or remotely.
  • Cloud-native collection – Sonar supports exposing collected records from Windows event log to InfluxDb (via UDP).
  • Deployment symmetry –  Sonar agent can be deployed as Windows service on container (including NanoServer with process isolation) or target host.
  • Using either InfluxData TICK stack enables anomaly detection and machine learning for collected event log records by application or severity.


  • InfluxDb is required for storing metrics collected by Sonar.
  • Sonar deployment in container requires configuring query for selection records from Windows event logs  that should be scraped on periodic intervals.


Configure Input Adapter

The below configuration shows how to register WMI input adapter with user credentials:

<add name="host-logs" providerName="wsman" connectionString="Server=myserver; User Id=myuser; Password=mypassword"/>

The below configuration shows how to register WMI input adapter with domain user credentials:

<add name="host-logs" providerName="wsman" connectionString="Server=myserver; User Id=myuser; Password=mypassword; Domain=mydomain"/>

To secure credentials when deploying on Kubernetes, use Sonar container or daemon configuration file to store them separately:

<add key="wsman_password" value="MyPassword111"/>

Then, substitute names of the keys in Sonar configuration file as follows:

<add name="host-logs" providerName="wsman" connectionString="Server=myserver; User Id=myuser; Password={$wsman_password}; Domain=mydomain"/>
At runtime, Sonar will resolve values from the Kubernetes secrets file to instead of main configuration file. The full example is available in Helm chart for Sonar.

Configure Server Properties

This step is required to specify additional properties for Sonar WMI input adapter. In the below example, Sonar is configured to use WMI adapter with reference to a Windows container or host resolved by DNS name “nanotest03” using Negotiate authentication protocol with explicit credentials.To complete this step, add server configuration definition as shown below:

<add name="myserver" url="http://nanotest03:5985/wsman"  timeoutMilliseconds="3000" authType="Negotiate" forceBasic="false"
username="" password=""/>

The second example shows how to configure Sonar to use specific credentials when it is hosted as using Basic authentication over HTTPS:

<add name="myserver" url="https://nanotest03:5985/wsman" timeoutMilliseconds="3000" authType="Basic" forceBasic="true"
username="" password=""/>

Note that username and password attributes for a server element are optional, because credentials are specified for each WMI adapter.

Configure Output Adapter

This step is required only collected metrics should be sent to InfluxDb time series database. To complete this step, add adapter configuration definition as shown below:

<add name="influxdb" connectionString="Data Source = udp://;Initial Catalog=sonar;User Id =; Password =; Application Name = default;Max Pool Size=100;Packet Size=4094;Connection Timeout=10"/>

Define Event Log Query

Below is an example of query to collect most recent records from Windows Security event log made within last 30 seconds:

<add name="EventLog_Security" type="wql"
filter="select TimeGenerated,Message,EventCode,ComputerName,SourceName,EventType from Win32_NTLogEvent where TimeGenerated > timeshift(15s) and LogFile=’Security’ and EventType!=0"
resource="*" namespace="root\cimv2"
<add name="ComputerName" value="ComputerName"/>
<add name="SourceName" value="SourceName"/>
<add name="EventCode" value="CimType.UInt16"/>
<add name="EventType" value="CimType.UInt8"/>

The above example uses to generate WMI query and map the result of to time series event as follows:

  • Time stamp from event record is mapped to the event time field. This allows to avoid duplicating event for the same record if it has been returned by multiple queries.
  • Event log record properties are converted from Cim values to value types for anomaly detection to avoid treating them like strings
  • Event record properties for grouping events are converted to tags.
  • Expression function timeshift(duration) is used by Sonar at the time it executes WMI query.

Create Schedule

The below example configures Sonar to execute the above query every 10 seconds and expose collected metrics to Prometheus:

<add name="s01" query="EventLog_Security" input="host-logs" output="influxdb" intervalSeconds="15"/>

The names of input and  output adapter (WS-Management and InfluxDb respectively) do match names of connection strings described above.

Deploy Sonar

After Sonar is deployed on Nano Server container, Windows virtual machine or host, the above metrics will become available in InfluxDb. The below example shows event log records Windows container (in-process isolation) in Grafana dashboard:

The graph on the right shows scrape performance in milliseconds for event record collection. The event rate time in milliseconds  indicates that Sonar consumed minimal CPU resources to query Windows event logs.