Ingesting Windows Event Logs
- 10 Jul 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
Ingesting Windows Event Logs
- Updated on 10 Jul 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
You can enable real-time Windows Event Log (WEL) ingestion using the LimaCharlie EDR Sensor.
First, navigate to the Exfil Control section of LimaCharlie and ensure that WEL events are enabled for your Windows rules.
Next, navigate to the Artifact Collection section and set up an artifact collection rule for the Windows Event Log(s) of interest. To ingest WEL real-time events in the timeline, use the wel://[Log Name] format. For example, to ingest the System event log, you'd use the following pattern:
wel://system:*
Ingesting the Full Log
If you specify the file on disk, via the evtx file extension (as seen in the image above), LimaCharlie will read and ingest the entire Windows Event Log. This will be represented as an artifact, not real-time events.
After you apply those, you should start seeing your Windows Event Log data coming through for your endpoints. You can verify this by going into the Timeline view and choosing WEL event type.
Was this article helpful?