Windows Event Logs

Collect, analyse, and act on Windows Event Logs from servers and workstations across your environment. Cloudmon surfaces security threats, application failures, logon activity, and system events in a unified dashboard, with built-in AI assistance to decode and contextualise each log entry.

Overview

Windows Event Log monitoring in Cloudmon collects logs from Windows servers and workstations using the Cloudmon agent installed on each target machine. Once configured, logs flow into a dedicated dashboard under Logs → Windows Event Logs, giving your team a consolidated view of events across your entire Windows infrastructure without needing to log into individual machines.

Cloudmon includes built-in rules that automatically monitor key security-related events such as failed logons, account lockouts, access violations, and log tampering. These run out of the box with no additional setup. For organisation-specific requirements, custom log rules can be defined to monitor any event pattern, tag entries, raise alarms, or discard irrelevant logs before they reach the database. Cloudmon also integrates with Azure OpenAI to provide AI-assisted log analysis, automatically interpreting and contextualising log entries so your team can understand and respond to events faster.

Prerequisites

Before Windows Event Logs can be collected, the following must be in place:

  • The Cloudmon agent must be installed on each Windows server or workstation you want to monitor. Refer to Agent Installation for setup steps.
  • A Log Profile must be created in Cloudmon to define which event log types to collect and which devices to target. See the Configuration section below.

Configuration

To configure Windows Event Log collection, navigate to Settings → Configurations → Log Profiles and click Add. Fill in the fields as follows:

  • Profile Name: A descriptive name to identify this log profile in Cloudmon.
  • Log Type: Select Windows Event Logs to collect Windows event log data.
  • Windows Event Type: The Windows log channel to collect from. Options include Application, System, and Security. Each can be profiled separately or combined across multiple profiles.
  • Target Servers: The agent-monitored Windows servers or workstations from which logs will be collected under this profile.

Click Save to activate the profile. Once saved, the Windows Event Logs dashboard becomes available under Logs → Windows Event Logs. To view logs for a specific server, navigate to Agents → [Server Name] → WEL tab.
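
The following PowerShell script is an added example, not Cloudmon's own code or agent logic. It is meant to be run on a Windows host before or after attaching it to a Log Profile, to confirm locally that the three channels a profile can select (Application, System, Security) are enabled and sized sensibly, and that the Security channel is actually producing the event categories the built-in rules and dashboard panels report (failed logons, lockouts, log clearing, privileged and NTLM logons, account changes, firewall rule changes). The event-ID-to-category mapping is the standard Windows meaning of each Security event ID and is not taken from the Cloudmon documentation; the 24-hour window and the per-account grouping are choices made for this example. Run it in an elevated session, since reading the Security channel requires administrator rights.

```powershell
# Added example (not Cloudmon code). Run elevated: the Security channel needs admin rights.

function Get-ChannelHealth {
    # Lists the channels a Log Profile can select, with size and retention mode.
    # A disabled channel, or a small Circular log on a busy host, will starve the dashboard.
    param([string[]]$Channel = @('Application', 'System', 'Security'))
    Get-WinEvent -ListLog $Channel |
        Select-Object LogName, IsEnabled, RecordCount,
            @{ Name = 'UsedMB'; Expression = { [math]::Round($_.FileSize / 1MB, 1) } },
            @{ Name = 'MaxMB';  Expression = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } },
            LogMode
}

# Standard Windows Security event IDs, grouped by the dashboard category they feed.
# Assumed mapping for this example; these IDs are not listed on the Cloudmon page.
$WatchedIds = [ordered]@{
    1102 = 'Audit log cleared (log tampering)'
    4625 = 'Failed logon'
    4740 = 'Account lockout'
    4624 = 'Successful logon'
    4672 = 'Special privileges assigned (privileged logon)'
    4776 = 'Credential validation (NTLM)'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4946 = 'Firewall rule added'
    4947 = 'Firewall rule modified'
    4948 = 'Firewall rule deleted'
}

function Get-SecurityEventSummary {
    # Counts each watched ID over the last $Hours. Zero counts for 4624/4776 usually
    # mean audit policy is not enabled for Logon/Credential Validation on this host.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Get-WinEvent raises an error rather than returning nothing when no event matches,
    # so suppress it and treat the result as an empty set.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = @($WatchedIds.Keys)
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($id in $WatchedIds.Keys) {
        [pscustomobject]@{
            EventId  = $id
            Category = $WatchedIds[$id]
            Count    = @($events | Where-Object Id -eq $id).Count
        }
    }
}

function Get-FailedLogonByAccount {
    # Groups 4625 events by target account and source address, the view a defender
    # wants when a failed-logon alarm fires. Parses the EventData XML by field name
    # instead of relying on positional Properties indexes.
    param([int]$Hours = 24, [int]$Top = 10)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
                LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
            }
        } |
        Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

Get-ChannelHealth          | Format-Table -AutoSize
Get-SecurityEventSummary   | Format-Table -AutoSize
Get-FailedLogonByAccount   | Format-Table -AutoSize
```

If the channel table shows the Security log as Circular with a small maximum size, events can be overwritten between agent collection intervals; raising the maximum size or switching the retention mode on the host keeps the dashboard counters complete.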

What Cloudmon Monitors

The Windows Event Logs dashboard presents a full picture of activity across your Windows estate. The summary counters at the top of the dashboard track high-priority event categories including Successful Application Installations, Failed Application Installations, Application Crashes, Bad Disk Sectors, Unexpected Shutdowns, Restart Required, Application Hangs, Failed Windows Updates, and Successful Logons.

Below the summary counters, events are further broken down by level and category. Event levels, covering Audit Success, Information, Warning, and Error, are displayed both as totals and as a donut chart showing the proportional distribution. Task Categories presents a pie chart of logon activity types including Logon, Logoff, Special Logon, Credential Validation, Security Group Management, and Windows Update Agent events.

The dashboard also surfaces the following panels to give deeper operational and security context:

  • Logon Stats: a bar chart breaking down authentication events by type, including NTLM Authentication, Privileged Logon, Logoff, and Successful Logon counts.
  • Network Events: tracks network-related Windows events across the monitored estate.
  • Top Applications: a ranked table of the applications generating the highest event volume, useful for spotting noisy or failing applications quickly.
  • Log Summary: a donut chart breaking down events by log channel, covering Security, System, and Application, showing where the bulk of activity originates.
  • User Account Changes: tracks create, modify, and delete activity on user accounts, supporting change auditing and compliance workflows.
  • Peripheral Device Events: monitors connection and disconnection of USB and other peripheral devices across servers.
  • System Events by Severity: a donut chart categorising system-channel events by Information, Warning, and Error severity.
  • Potential Security Threats: a donut chart highlighting Privileged Logon, NTLM Authentication, and Successful Logon proportions that may indicate lateral movement or credential abuse.
  • DNS Server Events: tracks DNS-related activity recorded in Windows Event Logs on DNS server roles.
  • Firewall Rule Changes: flags modifications to Windows Firewall rules, which are key indicators of policy tampering or misconfiguration.
  • Top Computers: ranks devices by total event count, making it easy to identify the most active or noisy machines in the environment.
  • Frequent Events: a donut chart and legend of the most commonly occurring event IDs, useful for identifying recurring issues or noise sources.

Assistive AI for Log Analysis

Cloudmon integrates with Azure OpenAI to provide AI-assisted analysis of Windows Event Log entries. When viewing a log entry, click the AI button adjacent to the entry to trigger analysis. Cloudmon will return a structured breakdown covering an Overview of the event, its potential Impact, a plain-language Summary, and Troubleshoot and Analyse guidance to help your team understand and respond to the event quickly.

To enable this feature, an Azure OpenAI integration must be configured. Navigate to Settings → Configurations → Integrations, locate the Azure OpenAI Service widget, click Add, and enter your Target URI and API Key from your Azure OpenAI resource. Click Save to activate.

Log Rules

Log rules allow you to control how Cloudmon processes Windows Event Log entries as they arrive, before they reach the dashboard or database. Rules can tag entries for filtering, raise alarms on specific event patterns, discard irrelevant logs to reduce noise, stop further rule processing for a matched entry, or generate a custom event record. To configure log rules, navigate to Settings → Configurations → Log Rules, click Add, set the Log Type to Windows Event Logs, and define your conditions and actions.
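
The script below is an added example and is not Cloudmon's rule engine or its rule syntax. It models the five actions listed above (tag, alarm, discard, stop, custom event) as a small top-to-bottom evaluator over constructed Windows Event Log entries, to show the one property a practitioner must get right when ordering rules: a matching rule that carries Stop (or Discard, which necessarily ends processing) prevents every later rule from seeing that entry. The condition fields (channel and event ID), the action names, the sample entries and the sample rule set are all assumptions made for the illustration.

```powershell
# Added example (not Cloudmon code). Models rule ordering and the Stop/Discard semantics.

# Constructed sample entries, not real log data.
$Entries = @(
    [pscustomobject]@{ Channel='Security';    Id=4625; Level='Audit Failure'; Message='An account failed to log on. Account Name: svc-backup' }
    [pscustomobject]@{ Channel='Security';    Id=4740; Level='Audit Success'; Message='A user account was locked out. Account Name: jsmith' }
    [pscustomobject]@{ Channel='Security';    Id=1102; Level='Audit Success'; Message='The audit log was cleared.' }
    [pscustomobject]@{ Channel='Application'; Id=1000; Level='Error';         Message='Faulting application name: legacyapp.exe' }
    [pscustomobject]@{ Channel='System';      Id=7036; Level='Information';   Message='The Print Spooler service entered the running state.' }
)

# Rules are evaluated in array order. A $null Channel or Id matches anything.
$Rules = @(
    @{ Name='Log tampering'; Channel='Security'; Id=1102;  Actions=@('Alarm', 'Tag:tampering', 'Stop') }
    @{ Name='Failed logon';  Channel='Security'; Id=4625;  Actions=@('Tag:auth-failure') }
    @{ Name='Lockout';       Channel='Security'; Id=4740;  Actions=@('Alarm', 'Tag:lockout', 'CustomEvent') }
    @{ Name='Service noise'; Channel='System';   Id=7036;  Actions=@('Discard') }
    @{ Name='Catch-all tag'; Channel=$null;      Id=$null; Actions=@('Tag:reviewed') }
)

function Test-RuleMatch {
    param($Rule, $Entry)
    ($null -eq $Rule.Channel -or $Rule.Channel -eq $Entry.Channel) -and
    ($null -eq $Rule.Id      -or $Rule.Id      -eq $Entry.Id)
}

function Invoke-LogRules {
    # Applies every matching rule in order until one halts processing, then reports
    # what would happen to the entry: stored or dropped, alarmed, tagged, custom event.
    param($Entry, $Rules)
    $tags   = [System.Collections.Generic.List[string]]::new()
    $alarm  = $false; $custom = $false; $stored = $true; $stoppedBy = $null
    foreach ($rule in $Rules) {
        if (-not (Test-RuleMatch $rule $Entry)) { continue }
        $halt = $false
        foreach ($action in $rule.Actions) {
            switch -Wildcard ($action) {
                'Tag:*'       { $tags.Add($action.Substring(4)) }
                'Alarm'       { $alarm  = $true }
                'CustomEvent' { $custom = $true }
                'Discard'     { $stored = $false; $halt = $true }   # dropped entries need no further rules
                'Stop'        { $halt = $true }
            }
        }
        if ($halt) { $stoppedBy = $rule.Name; break }
    }
    [pscustomobject]@{
        Channel   = $Entry.Channel
        Id        = $Entry.Id
        Stored    = $stored
        Alarm     = $alarm
        CustomEvt = $custom
        Tags      = ($tags -join ',')
        StoppedBy = $stoppedBy
    }
}

$Entries | ForEach-Object { Invoke-LogRules -Entry $_ -Rules $Rules } | Format-Table -AutoSize
```

With this ordering the 1102 entry is alarmed and tagged but never reaches the catch-all rule, the 7036 entry is dropped before anything else touches it, and the remaining entries collect the catch-all tag in addition to their specific ones. Moving the catch-all or a broad Discard rule to the top of the list would silently suppress the alarms, which is why noise-reduction rules belong after the security rules they must not shadow.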