Adding most Windows Event Logs to Log Analytics is a straightforward process. Simply go to the Advanced properties in the Workspace > Windows Event Logs and start typing the name. A pre-populated list will appear as shown below. Select the log and add it for collection. But what if the log you are looking for is not listed in Log Analytics?
Add Custom Logs
The list in Log Analytics is not all-inclusive. It leaves out some less commonly used Event Logs and custom Event Logs added by applications. The good news is Event Logs not found in Log Analytics can simply be added to the list.
This walkthrough uses the AppV Client Admin Event Log as an example. Type AppV in the search box and notice that nothing is listed.
Next, go to the computer and locate the Event Log. This example uses a default install of Server 2016. The log is under Applications and Services Logs > Microsoft > AppV > Client > Admin.
Right-click the Event Log and go to Properties to find the name of the log. The name is listed in the Full Name field.
Next, copy the name and paste it into the Windows Event Logs search box in Log Analytics. Click the + sign to add it and select the type of events to collect as needed. The Event Log collection blade should look similar to below when finished.
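The Full Name lookup described above can also be done from PowerShell on the server, which is handy when checking several machines. This is an added example, not part of the original article; the `*AppV*` pattern and the `$SampleSize` parameter are assumptions chosen for this walkthrough.

```powershell
# Added example: find the exact channel name ("Full Name") to paste into
# Log Analytics, and confirm the channel is enabled and holds events.
# '*AppV*' is the search pattern for this article's log; change as needed.
param(
    [string]$Pattern = '*AppV*',
    [int]$SampleSize = 5
)

# -ListLog accepts wildcards and returns one configuration object per channel.
$channels = Get-WinEvent -ListLog $Pattern -ErrorAction SilentlyContinue

if (-not $channels) {
    Write-Warning "No event log channel matches '$Pattern' on $env:COMPUTERNAME."
    return
}

# LogName is the value Event Viewer shows as "Full Name" in the Properties dialog.
$channels |
    Sort-Object LogName |
    Format-Table LogName, IsEnabled, LogType, RecordCount -AutoSize

foreach ($channel in $channels) {
    if (-not $channel.IsEnabled) {
        # A disabled channel records no events, so there is nothing to collect.
        Write-Warning "$($channel.LogName) is disabled; no events are being recorded."
        continue
    }
    if (-not $channel.RecordCount) {
        Write-Host "$($channel.LogName): enabled but currently empty."
        continue
    }

    # Show the newest events so the levels selected in Log Analytics
    # (Error, Warning, Information) can be matched to what is actually logged.
    Write-Host "`nNewest events in $($channel.LogName):"
    Get-WinEvent -LogName $channel.LogName -MaxEvents $SampleSize -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize
}
```

Copy the `LogName` value exactly as printed into the Windows Event Logs search box; a channel that shows `IsEnabled` as False will produce no records in the workspace even after it is added.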
With the Custom Windows Event Log added to Log Analytics, it’s time to test. I’m going to generate some test entries in the AppV Event Log. Details on how to write to the Event Log are found here.
Give it a few minutes and run a search against the Event schema for the Event Log to see the entries. Below I limit the displayed results using the project statement.
That is all there is to adding non-standard logs to Log Analytics and searching against them.