Every Windows Server has a default Custom View in Event Viewer called "Administrative Events". This view is dynamically updated based on which features are enabled on the server.
For example, servers that have a Failover Cluster will have the sections below in the view (when exporting it as XML and opening it in an editor):
```xml
<Select Path="Microsoft-Windows-FailoverClustering-Manager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>
<Select Path="Microsoft-Windows-FailoverClustering-WMIProvider/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>
```
But these paths will not appear on a server which doesn't have a Failover Cluster.
Acceptance Criteria
Make it possible to tail a Custom View, which could be used to tail the default view named "Administrative Events" or user-specific views, because at least the default view is already filtered on Critical, Error and Warning.
Describe Alternatives
Another solution would be to make it possible to add a list of channels and levels like this:
```yaml
logs:
  - name: windows-administrative-events
    winevtlog:
      # List of all channels you want to collect logs from
      channels:
        - Application
        - Security
        - System
        - HardwareEvents
        - Microsoft-AppV-Client/Admin
        - Microsoft-AppV-Client/Virtual Applications
        - Microsoft-Windows-All-User-Install-Agent/Admin
        - Microsoft-Windows-AppHost/Admin
        - Microsoft-Windows-Application Server-Applications/Admin
        - Microsoft-Windows-AppModel-Runtime/Admin
        - Microsoft-Windows-User Device Registration/Admin
        - Microsoft-Windows-VerifyHardwareSecurity/Admin
        - Microsoft-Windows-Workplace Join/Admin
        - OpenSSH/Admin
        - Windows PowerShell
      # Set the severity levels (1, 2, 3)
      levels:
        - Critical
        - Error
        - Warning
    attributes:
      logtype: windows_administrative
```
Dependencies
Do any other teams or parts of the New Relic product need to be considered?
No, not that I'm aware of. This will only affect the Infrastructure Agent for Windows.
Additional context
N/A
Estimates
M?
For Maintainers Only or Hero Triaging this bug
Suggested Priority (P1,P2,P3,P4,P5): P2 Suggested T-Shirt size (S, M, L, XL, Unknown): Unknown
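As an added illustration (not part of the original issue and not New Relic agent code), the sketch below parses an exported Custom View and turns its `<Select>` entries into the channel and level list proposed under "Describe Alternatives". The sample XML is constructed around the two `<Select>` lines quoted in the issue, the function names are hypothetical, and the `channels`/`levels` keys are the issue's proposal, not existing agent configuration.

```python
import re
import xml.etree.ElementTree as ET

# Standard Windows event severity levels (System/Level values).
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Constructed sample: a minimal QueryList wrapping the <Select> lines from the issue.
SAMPLE_VIEW = """<QueryList>
  <Query Id="0">
    <Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>
    <Select Path="Microsoft-Windows-FailoverClustering-Manager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>
    <Select Path="Microsoft-Windows-FailoverClustering-WMIProvider/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>
  </Query>
</QueryList>"""


def parse_view(xml_text):
    """Return {channel: sorted level numbers} for every <Select> in the view.

    An empty list means the <Select> carries no Level predicate (all levels).
    """
    channels = {}
    for sel in ET.fromstring(xml_text).iter("Select"):
        path = sel.get("Path")
        if not path:
            continue
        found = {int(n) for n in re.findall(r"\bLevel\s*=\s*(\d+)", sel.text or "")}
        channels.setdefault(path, set()).update(found)
    return {ch: sorted(lv) for ch, lv in channels.items()}


def to_proposed_config(view, name="windows-administrative-events"):
    """Render the view in the shape of the issue's proposed (hypothetical) keys.

    The proposal has one global level list, so per-channel differences are
    flattened into the union of all levels seen.
    """
    all_levels = sorted(set().union(*view.values()))
    lines = ["logs:", f"  - name: {name}", "    winevtlog:", "      channels:"]
    lines += [f"        - {ch}" for ch in view]
    lines += ["      levels:"]
    lines += [f"        - {LEVEL_NAMES.get(n, n)}" for n in all_levels]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_proposed_config(parse_view(SAMPLE_VIEW)))
```

Running the same parser against views exported from two servers shows which channels one host collects and the other does not, which is the per-server drift the issue describes.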