Collect the FULL windows event log message

Question

I'm trying to collect the full windows event messages, all the fields plus the full message/rendered message (the view you see in windows)

It seems like if use the json method I get that message at least sometimes but then really crucial information like username domain etc are buried in the properties field, and if I use xml then I get all the fields with names etc, but I don't get that rendered message at all.

I'm used to working with winlogbeat and nxlog and this is pretty standard to do in those, but is there a way to do this in the edge agent?

Andrew Hendrix · Answer

So with the JSON method you are not getting the additional key/value pairs buried in the logs? Ensure you have the desired log path defined as well. https://docs.cribl.io/edge/usecase-windows-observability/#locate-windows-event-logs-in-the-server

JSON format includes the rendered message string, while XML does not.

https://docs.cribl.io/edge/sources-windows-event-logs/#optional-settings

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded