Windows Datasets

Windows datasets define collection rules for Windows devices (dataset type windows). The collector types below, including file log collection, are configured through the dataset creation wizard — see Management. For the dataset and profile model, see Overview.

Collector Types

  • Windows Security Events (windows_security_log_collector): Event category selector with four modes — ALL, MINIMAL, COMMON, or CUSTOM. Custom mode opens an XML editor for XPath filter expressions.
  • Windows Event Logs (windows_event_log_collector): Basic mode selects predefined channels (Application, System) with severity level filters. Custom mode provides an XPath expression editor with optional DCR config import.
  • Data Collection Rule Collector (data_collection_rule_collector): Custom-only XPath editor for Data Collection Rule queries. Supports importing DCR configuration that is automatically converted to XPath format.
  • Windows Firewall Logs (windows_firewall_log_collector): Profile selection for firewall log collection — Domain, Private, and/or Public.
  • Windows DNS Logs (windows_dns_log_collector): Include/exclude filter system with configurable conditions for DNS query fields (event ID, response code, question type, IP addresses, question name).

Advanced Dataset Types

The backend supports additional dataset types that are not exposed in the UI: windows_main_log_collector, windows_system_log_collector, windows_application_log_collector, windows_object_access_log_collector, and windows_security_threat_analyzer. These are used internally and may appear in API responses or configuration exports.

File Log Collection

The windows_file_log_collector collects lines from arbitrary log files on Windows hosts. It supports glob path expansion, lookback-based backfill, multiline parsing, include/exclude filtering, character-set decoding, and per-pipeline routing. The path syntax uses Windows-style paths (e.g. C:\Logs\*\app-*.log).

note

File log datasets can be created through the dataset creation wizard (Windows File Logs) or configured via device YAML files under config/devices/ using the schema below.

Example

Collecting IIS access logs on Windows with Western European (windows-1252) encoding, matching the daily rolled-over log files by glob:

devices:
  - id: 123456
    name: iis-windows
    type: windows
    status: true
    properties:
      file_log_concurrency: 1
    definitions:
      - name: windows_file_log_collector
        status: true
        inputs:
          - id: 2001
            name: IIS Logs
            status: true
            properties:
              path: C:\inetpub\logs\LogFiles\W3SVC1\*.log
              start_date: 300
              line_parser:
                type: regex
                regex: '^\d{4}-\d{2}-\d{2}'
              encoding: windows-1252
              pipeline_name: my-pipeline
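To make the collector settings above concrete, here is an added reference implementation (not the product's own code) of what the windows_file_log_collector does with a file once it has matched a glob: decode the bytes with the configured charset, group physical lines into records using the line_parser regex (a line matching the regex opens a new record; other lines are continuation lines), and apply include/exclude filters. The sample IIS log bytes are constructed, the include/exclude semantics (drop on any exclude match, keep on any include match, keep everything when include is empty) are an assumption, and lookback-based backfill (start_date) is not modelled.

```python
import glob
import os
import re
import tempfile
from typing import Iterator

# Constructed sample: an IIS W3C access log encoded in windows-1252. Byte 0xE9 is
# "é" in that code page but is not valid UTF-8, so a naive utf-8 decode would fail.
SAMPLE_LOG = (
    b"#Software: Microsoft Internet Information Services 10.0\r\n"
    b"#Fields: date time s-ip cs-method cs-uri-stem sc-status\r\n"
    b"2024-05-01 10:00:01 10.0.0.5 GET /index.html 200\r\n"
    b"2024-05-01 10:00:02 10.0.0.5 GET /caf\xe9.html 404\r\n"
    b"    continuation line that belongs to the previous record\r\n"
    b"2024-05-01 10:00:03 10.0.0.9 POST /login 302\r\n"
)

# Same regex as the line_parser in the YAML example: a record starts with an ISO date.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}")


def decode_lines(raw: bytes, encoding: str = "windows-1252") -> list[str]:
    """Decode the file with the configured charset and split it into lines."""
    return raw.decode(encoding).splitlines()


def assemble_records(lines: list[str], start: re.Pattern) -> Iterator[str]:
    """Multiline parser: a line matching `start` opens a new record, any other
    line is appended to the record currently open. Lines seen before the first
    match (here the W3C '#' header) are emitted as a record of their own."""
    buf: list[str] = []
    for line in lines:
        if start.search(line) and buf:
            yield "\n".join(buf)
            buf = []
        buf.append(line)
    if buf:
        yield "\n".join(buf)


def passes_filters(record: str, include: list[str], exclude: list[str]) -> bool:
    """Assumed filter semantics: drop if any exclude regex matches; keep if the
    include list is empty or any include regex matches. re.MULTILINE lets '^'
    and '$' anchor on each physical line of a multiline record."""
    if any(re.search(p, record, re.MULTILINE) for p in exclude):
        return False
    return not include or any(re.search(p, record, re.MULTILINE) for p in include)


def collect(raw: bytes, encoding: str = "windows-1252", start: re.Pattern = RECORD_START,
            include=(), exclude=()) -> list[str]:
    """Full per-file pipeline: decode, assemble records, filter."""
    lines = decode_lines(raw, encoding)
    return [r for r in assemble_records(lines, start)
            if passes_filters(r, list(include), list(exclude))]


def expand_glob(pattern: str) -> list[str]:
    """Glob expansion in sorted order, so rolled-over daily files are read
    oldest-first when their names sort chronologically (IIS: u_exYYMMDD.log)."""
    return sorted(glob.glob(pattern))


def demo() -> dict:
    """Write two constructed daily files to a temp dir, expand a glob over them,
    and collect only HTTP 4xx/5xx records while dropping W3C '#' header lines."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("u_ex240501.log", "u_ex240502.log"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(SAMPLE_LOG)
        files = expand_glob(os.path.join(d, "*.log"))
        records = []
        for path in files:
            with open(path, "rb") as f:
                records += collect(f.read(), include=[r" [45]\d\d$"], exclude=[r"^#"])
    return {"files": len(files), "records": records}


if __name__ == "__main__":
    out = demo()
    print(out["files"], "files;", len(out["records"]), "error records")
    for r in out["records"]:
        print(r)
```

The two things worth checking against your own files before committing a dataset are the charset (a wrong `encoding` turns every non-ASCII byte into a decode error or mojibake) and the line_parser regex: if it also matches continuation lines, multiline records are split apart, and if it matches nothing, the whole file collapses into a single record.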