Windows Event Logs
Learn how to forward Windows Event Logs to Sentry via the OpenTelemetry Protocol (OTLP).
This guide shows you how to collect Windows Event Logs and forward them to Sentry using the OpenTelemetry Collector with the Windows Event Log Receiver.
Before you begin, ensure you have:
- A Windows Server or Windows machine (Windows Vista or later)
- A Microsoft user account with permissions to access the Windows Event Log
- A Microsoft user account with permissions to create Services (for running the collector as a service)
- A Sentry project to send data to
The Windows Event Log Receiver is included in the OpenTelemetry Collector Contrib distribution. You'll need to download and install this version, as the standard otelcol binary does not include the Windows Event Log Receiver.
Download the latest
otelcol-contribbinary from the OpenTelemetry Collector releases page.Extract the binary to a directory, for example
C:\otel-collector\.Create the service using the following command in an elevated Command Prompt or PowerShell:
sc.exe create otelcol-contrib displayname=otelcol-contrib start=delayed-auto binPath="C:\otel-collector\otelcol-contrib.exe --config C:\otel-collector\config.yaml"
Alternatively, you can install the OpenTelemetry Collector using the MSI installer:
Download the latest MSI installer from the OpenTelemetry Collector releases page.
Run the installer on your Windows Server.
The service named
otelcol-contribwill be created and started automatically upon completion.
You'll need your Sentry OTLP endpoint and authentication header. These can be found in your Sentry Project Settings under Client Keys (DSN) > OpenTelemetry (OTLP).
___OTLP_LOGS_URL___
x-sentry-auth: sentry sentry_key=___PUBLIC_KEY___
Create a configuration file at C:\otel-collector\config.yaml with the Windows Event Log Receiver and the OTLP HTTP exporter configured to send logs to Sentry.
This configuration collects logs from the three main Windows Event Log channels: Application, System, and Security.
config.yamlreceivers:
windowseventlog/application:
channel: application
windowseventlog/system:
channel: system
windowseventlog/security:
channel: security
processors:
resourcedetection:
detectors: [system]
system:
hostname_sources: ["os"]
batch:
send_batch_size: 1024
send_batch_max_size: 2048
timeout: "1s"
exporters:
otlphttp/sentry:
logs_endpoint: ___OTLP_LOGS_URL___
headers:
x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
compression: gzip
encoding: proto
service:
pipelines:
logs:
receivers:
- windowseventlog/application
- windowseventlog/system
- windowseventlog/security
processors:
- resourcedetection
- batch
exporters:
- otlphttp/sentry
The Windows Event Log Receiver supports several configuration options:
| Option | Default | Description |
|---|---|---|
channel | required | The Windows Event Log channel to monitor (e.g., application, system, security) |
start_at | end | Where to start reading logs on first startup (beginning or end) |
poll_interval | 1s | Interval at which the channel is checked for new log entries |
max_reads | 100 | Maximum number of records read into memory before starting a new batch |
raw | false | If true, the log body contains the original XML string instead of a structured representation |
exclude_providers | [] | List of event log providers to exclude from processing |
You can use XML queries to filter specific events. This example only forwards logs from specific providers:
config.yamlreceivers:
windowseventlog/filtered:
query: |
<QueryList>
<Query Id="0">
<Select Path="Application">*[System[Provider[@Name='MyApp']]]</Select>
<Select Path="System">*[System[Level<=2]]</Select>
</Query>
</QueryList>
The query above collects:
- All events from the
MyAppprovider in the Application channel - Events with severity level 2 (Error) or lower from the System channel
For more information on XML query syntax, see Microsoft's Query Schema documentation.
You can collect Windows Event Logs from remote machines by configuring the remote option:
config.yamlreceivers:
windowseventlog/remote:
channel: application
remote:
server: "remote-server"
username: "user"
password: "password"
domain: "domain"
Remote Collection Requirements
For remote collection to work:
- The remote computer must have the "Remote Event Log Management" Windows Firewall exception enabled.
- The remote computer must be running Windows Vista or later.
- You'll need a separate receiver configuration for local event log collection.
Once you've created your configuration file, configure the restart settings and start the service:
sc.exe failure otelcol-contrib reset= 86400 actions= restart/5000/restart/5000/restart/5000
sc.exe start otelcol-contrib
If logs aren't appearing in Sentry, you can add a debug exporter to troubleshoot:
- Stop the service:
sc.exe stop otelcol-contrib
- Create a debug configuration file (
config_debug.yaml) with a debug exporter:
config_debug.yamlreceivers:
windowseventlog/application:
channel: application
processors:
batch:
exporters:
debug:
verbosity: detailed
otlphttp/sentry:
logs_endpoint: ___OTLP_LOGS_URL___
headers:
x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
compression: gzip
encoding: proto
service:
pipelines:
logs:
receivers:
- windowseventlog/application
processors:
- batch
exporters:
- otlphttp/sentry
- debug
- Run the collector manually to see debug output:
C:\otel-collector\otelcol-contrib.exe --config C:\otel-collector\config_debug.yaml
Review the console output to verify events are being processed correctly.
If events are processed but not reaching Sentry, check:
- Network connectivity to Sentry's ingestion endpoint
- Firewall rules allowing outbound HTTPS traffic
- The correctness of your Sentry credentials
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) or suggesting an update ("yeah, this would be better").