Windows event monitoring
You can also browse for the Windows Event Log using the ellipsis. The computer that you are connecting to may contain other Event Logs.
The list shows all the filters that have been configured to filter the events that are generated in the log that you have specified. To edit or remove an item in the list, select it and click Edit or Remove as applicable.

To add an event filter:

1. Click Add to open the Filter Properties dialog box.
2. Select the property of the event log entry that you are filtering against.
3. Specify the relation you are using to compare the value of the event property to the filter value. For Event ID you can specify is different than, is equal to, is lower than, is lower than or equals, is more than, and is more than or equals.
4. Specify the filter value that you are comparing the event property against. For Category, Description, and Source, enter the string that is contained within the property. For the Type condition, select the specific type of event that you want to filter for, such as Error, Warning, Information, Success Audit, or Failure Audit.

When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. After the profile is assigned, be sure to monitor its status.
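The event filter described above (a property, a relation, and a filter value) can be modelled as follows. This is an added example, not code from the product being documented: the `matches` and `select` helpers are hypothetical, the event records are constructed, and the case-insensitive substring match for Category, Description, and Source is an assumption.

```python
import operator

# Relation names as listed on the page for Event ID, mapped to comparisons.
ID_RELATIONS = {
    "is different than": operator.ne,
    "is equal to": operator.eq,
    "is lower than": operator.lt,
    "is lower than or equals": operator.le,
    "is more than": operator.gt,
    "is more than or equals": operator.ge,
}
STRING_PROPS = {"Category", "Description", "Source"}
EVENT_TYPES = {"Error", "Warning", "Information", "Success Audit", "Failure Audit"}

def matches(event, prop, value, relation=None):
    """Return True if one event satisfies one filter (property, relation, value)."""
    if prop == "Event ID":
        if relation not in ID_RELATIONS:
            raise ValueError(f"unknown Event ID relation: {relation!r}")
        # Compare as integers: as strings, "1000" would sort below "999".
        return ID_RELATIONS[relation](int(event["Event ID"]), int(value))
    if prop in STRING_PROPS:
        # Assumption: "contained within the property" is a case-insensitive substring test.
        return str(value).lower() in str(event.get(prop, "")).lower()
    if prop == "Type":
        if value not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {value!r}")
        return event.get("Type") == value
    raise ValueError(f"unsupported property: {prop!r}")

def select(events, prop, value, relation=None):
    """Event IDs of the events that satisfy the filter, in log order."""
    return [e["Event ID"] for e in events if matches(e, prop, value, relation)]

# Constructed sample records (not taken from a real log).
SAMPLE_EVENTS = [
    {"Event ID": 4624, "Type": "Success Audit", "Category": "Logon",
     "Source": "Microsoft-Windows-Security-Auditing", "Description": "An account was successfully logged on."},
    {"Event ID": 4625, "Type": "Failure Audit", "Category": "Logon",
     "Source": "Microsoft-Windows-Security-Auditing", "Description": "An account failed to log on."},
    {"Event ID": 7036, "Type": "Information", "Category": "None",
     "Source": "Service Control Manager", "Description": "A service entered the stopped state."},
    {"Event ID": 1000, "Type": "Error", "Category": "None",
     "Source": "Application Error", "Description": "Faulting application name: app.exe"},
]

if __name__ == "__main__":
    print(select(SAMPLE_EVENTS, "Event ID", 4625, "is more than or equals"))
    print(select(SAMPLE_EVENTS, "Source", "security"))
```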
Azure Monitor only collects events from the Windows event logs that are specified in the settings. For each log, only the events with the selected severities are collected. Check the severities for the particular log that you want to collect. You cannot provide any additional criteria to filter events. As you type the name of an event log, Azure Monitor provides suggestions of common event log names.
If the log you want to add does not appear in the list, you can still add it by typing in the full name of the log. You can find the full name of the log by using Event Viewer. In Event Viewer, open the Properties page for the log and copy the string from the Full Name field. You can't configure collection of security events from the workspace. Azure Monitor collects each event that matches a selected severity from a monitored event log as the event is created.
The agent records its place in each event log that it collects from. If the agent goes offline for a period of time, then it collects events from where it last left off, even if those events were created while the agent was offline.