How to collect Applications and Services Logs from Windows event logs

Site24x7 AppLogs collects Windows event logs by running a Windows Management Instrumentation (WMI) query from the Site24x7 Server Monitoring agent. The WMI class it queries, Win32_NTLogEvent, only exposes logs that are registered under the EventLog key in the registry, so many channels in the Applications and Services Logs group need the registry entry described below before the agent can read them.

Running the WMI query

First confirm whether the log can be read through Win32_NTLogEvent by running the following WMI query in Windows PowerShell (Get-WmiObject is available in Windows PowerShell 5.1, not in PowerShell 7). This is the same query that the Site24x7 Server Monitoring agent runs to collect the events, so if it returns nothing here, the agent will collect nothing either.

Query: Get-WmiObject -Query "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile from Win32_NTLogEvent WHERE ( LogFile = '<LogFileName>' )" | select -First 1

Here, <LogFileName> is the name of the event channel (the log shown under Applications and Services Logs in Event Viewer) that you want to collect.
For the examples in this article, LogFileName is Microsoft-Windows-PrintService/Admin or Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.
If the query returns no result, WMI cannot read that log and you need to register it through the Windows Registry. Note that a channel with no records (for example, one that is disabled in Event Viewer) also returns nothing, so check that the channel actually contains events before changing the registry.

A registry entry is not required for every channel in the Applications and Services Logs group. Check first whether WMI already returns events for the channel, and add the entry only if it does not.

Adding through the Windows Registry

You can make an event log channel visible to WMI by adding a key for it in the Windows Registry. Open Registry Editor (regedit.exe) with administrator rights on the monitored machine and go to the following location.

Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

For example, to collect logs from the Microsoft-Windows-PrintService/Admin channel, add the key below under that location (a new subkey whose name is exactly the channel name).
Registry key: Microsoft-Windows-PrintService/Admin


The key name must be the channel's full Channel value, character for character. To find it:
  1. Navigate to Event Viewer > Applications and Services Logs.
  2. Select the required channel under your application.
  3. Select an event and click the Details tab.
  4. Expand the System section.
  5. Copy the Channel value.
  6. Use this Channel value as the name of the new key under the EventLog location in the Windows Registry.


After adding the key, run the WMI query from the section "Running the WMI query" again, using the name of the registry key you created as <LogFileName>, and confirm that it now returns an event.
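The whole check-register-recheck sequence above (run the agent's query, look up the exact channel name, add the key under EventLog, run the query again) as one PowerShell script. This is an added example, not Site24x7's own code or tooling. It assumes an elevated Windows PowerShell 5.1 session on the monitored machine; the channel name is a parameter and defaults to the Microsoft-Windows-PrintService/Admin example from this article. The registry key is created through the .NET RegistryKey API rather than New-Item because the PowerShell registry provider treats the forward slash in the channel name as a path separator.

```powershell
# Added example (not Site24x7's own code): make a channel from the Applications and
# Services Logs group readable through Win32_NTLogEvent, the class the agent queries.
# Assumptions: elevated Windows PowerShell 5.1 (Get-WmiObject is absent in PowerShell 7);
# $Channel defaults to the example channel used in the article.
param(
    [string]$Channel = 'Microsoft-Windows-PrintService/Admin'
)

$EventLogKey = 'SYSTEM\CurrentControlSet\Services\EventLog'

function Test-ChannelViaWmi {
    param([string]$LogFile)
    # The same query the Site24x7 agent runs; LogFile must match the registry key name exactly.
    $query = "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile " +
             "from Win32_NTLogEvent WHERE ( LogFile = '$LogFile' )"
    $event = Get-WmiObject -Query $query -ErrorAction SilentlyContinue | Select-Object -First 1
    return ($null -ne $event)
}

# 1. Confirm the channel exists and get its exact name (the same string as the Channel
#    value under Details > System in Event Viewer). -ListLog accepts wildcards, so
#    'Microsoft-Windows-PrintService/*' would list every channel of that provider.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
Write-Host "Channel: $($log.LogName)  (records: $($log.RecordCount), enabled: $($log.IsEnabled))"
if ($log.RecordCount -eq 0) {
    Write-Warning "Channel has no records; the WMI query will return nothing even after the key is added."
}

# 2. Is the channel already readable through WMI? If so, no registry change is needed.
if (Test-ChannelViaWmi -LogFile $Channel) {
    Write-Host "Win32_NTLogEvent already returns events for '$Channel'; no registry change needed."
    return
}

# 3. Register the channel as a subkey of EventLog. The key NAME contains '/', which the
#    PowerShell registry provider would treat as a path separator, so use the .NET API,
#    which only splits on '\'. Writing under HKLM requires an elevated session.
$parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogKey, $true)
if ($null -eq $parent) { throw "Cannot open HKLM\$EventLogKey for writing (run elevated)." }
if ($null -eq $parent.OpenSubKey($Channel)) {
    $null = $parent.CreateSubKey($Channel)
    Write-Host "Created HKLM\$EventLogKey\$Channel"
} else {
    Write-Host "HKLM\$EventLogKey\$Channel already exists"
}
$parent.Close()

# 4. Re-run the agent's query with the new key name as <LogFileName>.
if (Test-ChannelViaWmi -LogFile $Channel) {
    Write-Host "OK: '$Channel' is now readable via Win32_NTLogEvent."
    Write-Host "Use this exact string in the Windows Event Types field of the Log Profile."
} else {
    Write-Warning "Still no events for '$Channel'. Check the key name against the Channel value in Event Viewer and that the channel contains records."
}
```

Run it as, for example, .\Register-EventChannel.ps1 -Channel 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' for the second channel discussed in this article. Only register channels you actually intend to collect: each key you add exposes that log to every local WMI client, not just the Site24x7 agent.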
You then enter this registry key name when adding or editing a Log Profile for Windows event logs. To do this:
  1. Log in to Site24x7, go to Admin > AppLogs > Log Profile, and click Windows Event Logs.
  2. In the Edit Log Profile window that opens, paste the registry key name in the field next to Windows Event Types.
  3. Click Save.


As another example, to collect logs from the TerminalServices-RemoteConnectionManager/Operational channel, add the key below.
Registry key: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

In this case, paste the above key in the field next to Windows Event Types to collect Remote Connection Manager logs.


Similarly, paste the required key names in the Windows Event Types field of the Log Profile to collect other logs from the Applications and Services Logs group.
