Collecting from applications and services logs
By default, the Windows Event Logs probe collects event messages from the Windows Logs (the Windows Logs folder in Event Viewer). All events of type Information and Audit Success are excluded from collection.
On the first collection, the Windows Event Logs probe collects all events that occurred during the past hour. Each subsequent collection starts from the timestamp of the most recent event already collected.
Starting with release 10.2.01 P10, the Windows Event Logs probe can also collect events from the Applications and Services Logs.
To enable this collection, set the following two Advanced Parameters:
WINDOWS_EVENTLOGS_NAME_FILTER
WINDOWS_EVENTLOGS_INFO_EVENTID_FILTER (optional)
The parameter WINDOWS_EVENTLOGS_NAME_FILTER specifies the log name, or group of log names, to collect from. Wildcard characters are supported. For example, to collect from the Windows SMB logs (which Windows Event Viewer presents in the folder structure Applications and Services Logs/Microsoft/Windows/SMBClient, Applications and Services Logs/Microsoft/Windows/SMBServer, etc.), enter Microsoft-Windows-SMB* as the parameter value.
See the LogName section of https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent for the types of values that are supported.
By default, only Critical, Error and Warning events are collected from these logs. To also collect Information events, set the WINDOWS_EVENTLOGS_INFO_EVENTID_FILTER parameter. Setting the value to '*' collects all Information events. To restrict collection to specific Event IDs, enter a value such as 'EventID=30811 or EventID=1012'; only Information events matching those Event IDs are then collected.
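The following PowerShell script is an added example, not part of the product documentation: it uses Get-WinEvent to preview what the filter values described above would select on a host before the Advanced Parameters are changed. The log name, the Event IDs and the one-hour look-back are taken from this page; the level-to-severity mapping (1 Critical, 2 Error, 3 Warning, 4 Information) is the standard Windows event level numbering.

```powershell
# Added example (not from the product documentation): preview, with Get-WinEvent,
# what a WINDOWS_EVENTLOGS_NAME_FILTER / WINDOWS_EVENTLOGS_INFO_EVENTID_FILTER pair
# would select, before changing the probe's Advanced Parameters.
# Run on the monitored host in an elevated PowerShell session.

$nameFilter = 'Microsoft-Windows-SMB*'   # value intended for WINDOWS_EVENTLOGS_NAME_FILTER
$infoIds    = @(30811, 1012)             # IDs from 'EventID=30811 or EventID=1012'
$since      = (Get-Date).AddHours(-1)    # the probe's first collection looks back one hour

# 1. Confirm the wildcard resolves to real logs, and whether they are enabled.
$logs = Get-WinEvent -ListLog $nameFilter -ErrorAction SilentlyContinue
if (-not $logs) { throw "No event log matches '$nameFilter'." }
$logs | Select-Object LogName, IsEnabled, RecordCount | Format-Table -AutoSize

# 2. Default collection: Critical (1), Error (2) and Warning (3) only.
$default = Get-WinEvent -FilterHashtable @{
    LogName   = $nameFilter
    Level     = 1, 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Extra Information (level 4) events that the optional ID filter would add.
$info = Get-WinEvent -FilterHashtable @{
    LogName   = $nameFilter
    Level     = 4
    ID        = $infoIds
    StartTime = $since
} -ErrorAction SilentlyContinue

"{0} Critical/Error/Warning events, {1} filtered Information events in the last hour" -f
    @($default).Count, @($info).Count

# Per-log breakdown helps judge volume before enabling the filter on many hosts.
@($default) + @($info) |
    Group-Object LogName, Level |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Get-WinEvent reports "No events were found" as a non-terminating error when a filter matches nothing, which -ErrorAction SilentlyContinue suppresses so the counts simply show zero.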