Collect Windows Event logs (XML format)

Supported in:

Google secops SIEM

This document explains how to ingest Windows Event logs in XML format to Google Security Operations using the Bindplane agent.

Windows Event Log (XML format) contains security, system, and application events generated by the Windows operating system. The Bindplane agent collects exported Windows Event log files directly from the local file system.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later with observiq-otel-collector service support
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Administrator access to the Windows hosts generating event logs

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows operating system according to the following instructions.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```
The service should show as RUNNING.

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to ingest logs and send to Google SecOps

Locate the configuration file

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
    filelog:
        include:
            - C:\Logs\winevtlog\*.evtx
        start_at: beginning

exporters:
    chronicle/winevtlog_xml:
        compression: gzip
        creds_file_path: 'C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: WINEVTLOG_XML
        raw_log_field: body
        ingestion_labels:
            env: production

service:
    pipelines:
        logs/winevtlog_xml_to_chronicle:
            receivers:
                - filelog
            exporters:
                - chronicle/winevtlog_xml

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- filelog: The receiver type for collecting log files from disk
- include: List of file paths to monitor. Set this to the location where you export Windows Event logs (for example, C:\Logs\winevtlog\*.evtx)
- start_at: Set to beginning to read existing logs or end to only read new entries
Exporter configuration:
- winevtlog_xml: Descriptive name for the exporter
- creds_file_path: Full path to ingestion authentication file:
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- <customer_id>: Customer ID from the previous step
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list
- WINEVTLOG_XML: Log type exactly as it appears in Chronicle
- ingestion_labels: Optional labels in YAML format (for example, env: production)
Pipeline configuration:
- winevtlog_xml_to_chronicle: Descriptive name for the pipeline

Save the configuration file

After editing, save the file:

Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Windows, choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
  4. Verify the service is running:
```
sc query observiq-otel-collector
```
  5. Check logs for errors:
```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```

Configure Windows Event log export

Windows Event logs are stored in channels such as Security, System, and Application. You need to export these logs to files on disk so the Bindplane agent can collect them.

Create a directory to store the exported log files:
```
mkdir C:\Logs\winevtlog
```

Export Windows Event logs using wevtutil. You can export any combination of event log channels:

wevtutil epl "Security" C:\Logs\winevtlog\security.evtx

wevtutil epl "System" C:\Logs\winevtlog\system.evtx

wevtutil epl "Application" C:\Logs\winevtlog\application.evtx

(Optional) Schedule regular exports using Windows Task Scheduler:

$action = New-ScheduledTaskAction -Execute "wevtutil" -Argument 'epl "Security" C:\Logs\winevtlog\security.evtx /ow:true'
$trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Hours 1) -Once -At (Get-Date)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ExportWinEvtLogs" -Description "Export Windows Event logs for Bindplane agent"

Verify that the exported log files are being created at `C:\Logs\winevtlog`.
Ensure the Bindplane agent include path in config.yaml matches the export directory.

Note: Use wevtutil el to list all available event log channels on the Windows host. The /ow:true flag overwrites the existing export file. Adjust the export strategy based on your log retention requirements. The Bindplane agent service account must have read access to the export directory.

UDM mapping table

Log Field	UDM Mapping	Logic
EventID	metadata.product_event_type	Value copied directly
RecordNumber	metadata.product_log_id	Value copied directly
Message, Description, msg	metadata.description	Value copied directly
	metadata.event_type	Set dynamically based on event content (for example, NETWORK_CONNECTION, STATUS_UPDATE, NETWORK_DNS, GENERIC_EVENT)
	metadata.product_name	Set to "Windows"
	metadata.vendor_name	Set to "Microsoft"
ModuleVersion, ProductVersion	metadata.product_version	Value copied directly
ProviderGuid	metadata.product_deployment_id	Value copied directly
Computer, Host, Workstation, WorkstationName	principal.asset.hostname	Value copied directly
IpAddress, SourceAddress, client_ip	principal.asset.ip	Value copied directly
Computer, Host, Workstation, WorkstationName	principal.hostname	Value copied directly
IpAddress, SourceAddress, client_ip	principal.ip	Value copied directly
SourcePort, LocalPort, Client_port	principal.port	Value copied directly, converted to integer
SubjectUserName, AccountName	principal.user.userid	Value copied directly
SubjectUserSid	principal.user.windows_sid	Value copied directly
AccountDomain, SubjectDomainName, Domain	principal.administrative_domain	Value copied directly
Source, SourceName, EventSourceName	principal.application	Value copied directly
ProviderGuid	principal.asset_id	Prefixed with "Provider_GUID:"
SubjectLogonId	principal.labels	Added as label with key "SubjectLogonId"
TargetUserName	target.user.userid	Value copied directly
TargetUserSid	target.user.windows_sid	Value copied directly
TargetDomainName	target.hostname	Value copied directly
DestAddress, Destination	target.ip	Value copied directly
NewProcessName, ProcessName, ObjectName	target.process.file.full_path	Value copied directly
NewProcessId, ProcessId, TargetProcessId	target.process.pid	Value copied directly
HostApplication, ServiceName	target.process.command_line	Value copied directly
MD5	target.process.file.md5	Value copied directly
SHA1	target.process.file.sha1	Value copied directly
SHA256	target.process.file.sha256	Value copied directly
ObjectName, TargetObject	target.registry.registry_value_name	Value copied directly (for registry events)
Details	target.registry.registry_value_data	Value copied directly (for registry events)
ObjectType, Task	target.resource.type	Value copied directly
ObjectName, RuleName	target.resource.name	Value copied directly
TargetSid, ObjectGUID	target.resource.id	Value copied directly
ObjectClass	target.resource.resource_subtype	Value copied directly
LogonType	extensions.auth.auth_details	Prefixed with "Logon Type:"
	extensions.auth.type	Set based on logon type (MACHINE, SSO, AUTHTYPE_UNSPECIFIED)
HTTPMethod	network.http.method	Value copied directly
StatusCode	network.http.response_code	Value copied directly, converted to integer
UserAgent	network.http.user_agent	Value copied directly
	network.application_protocol	Set to "DNS" for DNS events
	network.direction	Set to INBOUND or OUTBOUND based on event context
	network.ip_protocol	Set based on protocol (TCP, UDP, ICMP)
Channel	additional.fields	Added as label with key "Channel"
ActivityID	additional.fields	Added as label with key "ActivityID"
LogonType	additional.fields	Added as label with key "LogonType"
Level	additional.fields	Added as label with key "level"
SourceModuleType	observer.application	Value copied directly

Need more help? Get answers from Community members and Google SecOps professionals.