---
title: "Windows Events"
description: "Learn how to forward Windows Event Logs to Sentry via the OpenTelemetry Protocol (OTLP)."
url: https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events/
---

# Windows Event Logs

This guide shows you how to collect Windows Event Logs and forward them to Sentry using the OpenTelemetry Collector with the [Windows Event Log Receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/windowseventlogreceiver).

## [Prerequisites](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#prerequisites)

Before you begin, ensure you have:

* A Windows Server or Windows machine (Windows Vista or later)
* A Microsoft user account with permissions to access the Windows Event Log
* A Microsoft user account with permissions to create Services (for running the collector as a service)
* A Sentry project to send data to

## [Step 1: Install the OpenTelemetry Collector](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#step-1-install-the-opentelemetry-collector)

The Windows Event Log Receiver is included in the [OpenTelemetry Collector Contrib](https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib) distribution. You'll need to download and install this version, as the standard `otelcol` binary does not include the Windows Event Log Receiver.

### [Binary Installation](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#binary-installation)

1. Download the latest `otelcol-contrib` binary from the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

2. Extract the binary to a directory, for example `C:\otel-collector\`.

3. Create the service using the following command in an elevated Command Prompt or PowerShell:

```shell
sc.exe create otelcol-contrib displayname=otelcol-contrib start=delayed-auto binPath="C:\otel-collector\otelcol-contrib.exe --config C:\otel-collector\config.yaml"
```

### [MSI Installation](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#msi-installation)

Alternatively, you can install the OpenTelemetry Collector using the MSI installer:

1. Download the latest MSI installer from the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

2. Run the installer on your Windows Server.

3. The service named `otelcol-contrib` will be created and started automatically upon completion.

## [Step 2: Get Your Sentry OTLP Credentials](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#step-2-get-your-sentry-otlp-credentials)

You'll need your Sentry OTLP endpoint and authentication header. These can be found in your [Sentry Project Settings](https://sentry.io/settings/projects/) under **Client Keys (DSN)** > **OpenTelemetry (OTLP)**.

### [Logs Endpoint](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#logs-endpoint)

```bash
___OTLP_LOGS_URL___
```

### [Authentication Header](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#authentication-header)

```bash
x-sentry-auth: sentry sentry_key=___PUBLIC_KEY___
```

## [Step 3: Configure the Collector](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#step-3-configure-the-collector)

Create a configuration file at `C:\otel-collector\config.yaml` with the Windows Event Log Receiver and the OTLP HTTP exporter configured to send logs to Sentry.

### [Basic Configuration](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#basic-configuration)

This configuration collects logs from the three main Windows Event Log channels: Application, System, and Security.

`config.yaml`

```yaml
receivers:
  windowseventlog/application:
    channel: application
  windowseventlog/system:
    channel: system
  windowseventlog/security:
    channel: security

processors:
  resourcedetection:
    detectors: [system]
    system:
      hostname_sources: ["os"]
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - windowseventlog/application
        - windowseventlog/system
        - windowseventlog/security
      processors:
        - resourcedetection
        - batch
      exporters:
        - otlphttp/sentry
```

### [Configuration Options](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#configuration-options)

The Windows Event Log Receiver supports several configuration options:

| Option              | Default    | Description                                                                                     |
| ------------------- | ---------- | ----------------------------------------------------------------------------------------------- |
| `channel`           | *required* | The Windows Event Log channel to monitor (e.g., `application`, `system`, `security`)            |
| `start_at`          | `end`      | Where to start reading logs on first startup (`beginning` or `end`)                             |
| `poll_interval`     | `1s`       | Interval at which the channel is checked for new log entries                                    |
| `max_reads`         | `100`      | Maximum number of records read into memory before starting a new batch                          |
| `raw`               | `false`    | If `true`, the log body contains the original XML string instead of a structured representation |
| `exclude_providers` | `[]`       | List of event log providers to exclude from processing                                          |

### [Filtering Events with XML Queries](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#filtering-events-with-xml-queries)

You can use XML queries to filter specific events. This example only forwards logs from specific providers:

`config.yaml`

```yaml
receivers:
  windowseventlog/filtered:
    query: |
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*[System[Provider[@Name='MyApp']]]</Select>
          <Select Path="System">*[System[Level&lt;=2]]</Select>
        </Query>
      </QueryList>
```

The query above collects:

* All events from the `MyApp` provider in the Application channel
* Events with severity level 2 (Error) or lower from the System channel

For more information on XML query syntax, see [Microsoft's Query Schema documentation](https://learn.microsoft.com/en-us/windows/win32/wes/queryschema-schema).

### [Collecting from Remote Machines](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#collecting-from-remote-machines)

You can collect Windows Event Logs from remote machines by configuring the `remote` option:

`config.yaml`

```yaml
receivers:
  windowseventlog/remote:
    channel: application
    remote:
      server: "remote-server"
      username: "user"
      password: "password"
      domain: "domain"
```

##### Remote Collection Requirements

For remote collection to work:

* The remote computer must have the "Remote Event Log Management" Windows Firewall exception enabled.
* The remote computer must be running Windows Vista or later.
* You'll need a separate receiver configuration for local event log collection.

## [Step 4: Start the Collector](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#step-4-start-the-collector)

Once you've created your configuration file, configure the restart settings and start the service:

```shell
sc.exe failure otelcol-contrib reset= 86400 actions= restart/5000/restart/5000/restart/5000
sc.exe start otelcol-contrib
```

## [Troubleshooting](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#troubleshooting)

If logs aren't appearing in Sentry, you can add a debug exporter to troubleshoot:

1. Stop the service:

```shell
sc.exe stop otelcol-contrib
```

2. Create a debug configuration file (`config_debug.yaml`) with a debug exporter:

`config_debug.yaml`

```yaml
receivers:
  windowseventlog/application:
    channel: application

processors:
  batch:

exporters:
  debug:
    verbosity: detailed
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - windowseventlog/application
      processors:
        - batch
      exporters:
        - otlphttp/sentry
        - debug
```

3. Run the collector manually to see debug output:

```shell
C:\otel-collector\otelcol-contrib.exe --config C:\otel-collector\config_debug.yaml
```

4. Review the console output to verify events are being processed correctly.

5. If events are processed but not reaching Sentry, check:

   * Network connectivity to Sentry's ingestion endpoint
   * Firewall rules allowing outbound HTTPS traffic
   * The correctness of your Sentry credentials

## [Additional Resources](https://docs.sentry.io/concepts/otlp/forwarding/sources/windows-events.md#additional-resources)

* [Windows Event Log Receiver Documentation](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/windowseventlogreceiver)
* [Sentry OpenTelemetry Collector Configuration](https://docs.sentry.io/concepts/otlp/forwarding/pipelines/collector.md)
* [Sentry Logs](https://docs.sentry.io/product/explore/logs.md)