# Windows Event Logs

## Overview

Panther supports ingesting Windows Event Logs through an [HTTP Source](/data-onboarding/data-transports/http.md), after they are forwarded with [Fluent Bit.](https://docs.fluentbit.io/manual/)

## How to onboard Windows Event Logs to Panther

### Step 1: Create a new Windows Event Logs source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for “Windows Event Logs,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![On the new log source setup page, the Windows Event Logs tile has been selected, and a slide out panel is shown. In the Transport Mechanism dropdown field, HTTP is selected. To its right is a Start Setup button.](/files/u4wVi4N8mJ2cUVHlNolp)
5. Follow Panther's [instructions for configuring an HTTP Source](/data-onboarding/data-transports/http.md#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * When setting the **Auth method** for the source, we recommend using [**Shared Secret**](/data-onboarding/data-transports/http.md#shared-secret).
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](/data-onboarding/data-transports/http.md#payload-requirements).

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

### Step 2: Configure Fluent Bit in Windows

1. Follow the [Getting Started with Fluent Bit instructions](https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit) to install Fluent Bit as a service.
2. Create a [Fluent Bit configuration file](https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file). See the [examples below](#fluent-bit-configuration-file-examples) for instructions on configuring System and Security log streaming or Sysmon log streaming.
   * You must use `winevtlog`. Other modules are deprecated and will not work.
   * If you are using Windows Server 2012, `Use_ANSI True` may be required.
   * If in Step 1 you chose **JSON** as your HTTP Source's **Stream Type**, in the `OUTPUT` section, provide `Format` a value of `json_lines`.
3. Start Fluent Bit, passing the path to your new config file.
   * To run Fluent Bit as a Daemon every time the machine starts, follow the [Windows Service instructions](https://docs.fluentbit.io/manual/installation/windows#windows-service-support).

#### Fluent Bit configuration file examples

{% tabs %}
{% tab title="System and Security Logs" %}
**Ingest System and Security Logs**

Configure the following in your Fluent Bit configuration file:

* `[INPUT]` variables:
  * **Channels**: Set this to `System,Security`
* `[OUTPUT]` variables:
  * **Host**: Enter your Panther URL.
    * Example: `logs.instance-name.runpanther.net`
  * **URI**: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with `/http/`.
    * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
  * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
  * **Name**: Set to `http`.
  * **TLS**: Set to `ON`.
  * **Port**: Set to `443`.

```editorconfig
[SERVICE]
    Flush 5
    Daemon off
    Log_Level info

[INPUT]
    Name         winevtlog
    Channels     System,Security
    Interval_Sec 1
    DB           winevtlog.sqlite

[OUTPUT]
    Name         http
    Match        *
    Host         logs.instance-name.runpanther.net
    Port         443
    URI          /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    Header       x-sender-header {YOUR_SECRET_HERE}
    Format       json_lines
    TLS          On
    TLS.Verify   On
```

{% endtab %}

{% tab title="Sysmon Logs" %}
**Ingest Sysmon Logs**

1. Configure `sysmon.exe` following the [guide by SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config).
   * This process will create Windows Event Logs which Fluent Bit will ship to Panther.
2. Configure the following in your Fluent Bit configuration file:
   * `[INPUT]` variables:
     * **Channels**: Set this to `Microsoft-Windows-Sysmon/Operational`
   * `[OUTPUT]` variables:
     * **Host**: Enter your Panther URL.
       * Example: `logs.instance-name.runpanther.net`
     * **URI**: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with `/http/`.
       * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
     * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
     * **Name**: Set to `http`.
     * **TLS**: Set to `ON`.
     * **Port**: Set to `443`.

```editorconfig
[SERVICE]
    Flush 5
    Daemon on
    Log_Level info

[INPUT]
    Name         winevtlog
    Channels     Microsoft-Windows-Sysmon/Operational
    Interval_Sec 1
    DB           winevtlog.sqlite

[OUTPUT]
    Name         http
    Match        *
    Host         logs.instance-name.runpanther.net
    Port         443
    URI          /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    Header       x-sender-header {YOUR_SECRET_HERE}
    Format       json_lines
    TLS          On
    TLS.Verify   On
```

{% endtab %}
{% endtabs %}

## Supported log types

### Windows.EventLogs

```yaml
schema: Windows.EventLogs
description: Windows Event Logs
referenceURL: https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-elements
fields:
  - name: ProcessID
    description: Identifies the process that generated the event.
    type: string
  - name: ThreadID
    description: Identifies the thread that generated the event.
    type: string
  - name: TimeCreated
    description: The time stamp that identifies when the event was logged.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %z'
    isEventTime: true
  - name: EventID
    description: The identifier that the provider used to identify the event.
    type: string
  - name: ProviderName
    description: The name of the event provider that logged the event.
    type: string
  - name: ProviderGuid
    description: The globally unique identifier that uniquely identifies the provider.
    type: string
  - name: Qualifiers
    description: A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of EventID element contains the low-order 16 bits of the event identifier and the Qualifier attribute contains the high-order 16 bits of the event identifier.
    type: string
  - name: Version
    description: The version number of the event's definition.
    type: string
  - name: Level
    description: The severity level defined in the event.
    type: string
  - name: Task
    description: The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Opcode
    description: The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Keywords
    description: A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
    type: string
  - name: EventRecordID
    description: The record number assigned to the event when it was logged.
    type: string
  - name: ActivityID
    description: A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
    type: string
    indicators:
      - trace_id
  - name: RelatedActivityID
    description: A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier.
    type: string
  - name: Channel
    description: The channel to which the event was logged.
    type: string
  - name: Computer
    description: The name of the computer on which the event occurred.
    type: string
    indicators:
      - username
  - name: UserID
    description: The security identifier (SID) of the user in string form.
    type: string
    indicators:
      - username
  - name: Message
    description: The rendered message string of the event.
    type: string
  - name: StringInserts
    description: A list of arbitrary event-specific data. Created by fluent-bit
    type: json
  - name: ExtraEventData
    description: Extra Key Value pair map that is extracted from the Message field. This is a field added by Panther to allow for easy structued querying/detection writing.
    type: json
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/data-onboarding/supported-logs/windows-event-logs.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.