Windows Event Log

Controls how acknowledgements are handled for this source.

When enabled, the source will wait for downstream sinks to acknowledge receipt of events before updating checkpoints. This provides exactly-once delivery guarantees at the cost of potential duplicate events on restart if acknowledgements are pending.

When disabled (default), checkpoints are updated immediately after reading events, which may result in data loss if Vector crashes before events are delivered to sinks.

Batch size for event processing.

This controls how many events are processed in a single batch.

A comma-separated list of channels to read from.

Common channels include “System”, “Application”, “Security”, “Windows PowerShell”. Use Windows Event Viewer to discover available channels.

Interval in seconds between periodic checkpoint flushes.

Controls how often bookmarks are persisted to disk in synchronous mode. Lower values reduce the window of events that may be re-processed after a crash, at the cost of more frequent disk writes.

Connection timeout in seconds for event subscription.

This controls how long to wait for event subscription connection.

The directory where checkpoint data is stored.

By default, the global data_dir option is used. Make sure the running user has write permissions to this directory.

Custom event data formatting options.

Maps event field names to custom formatting options.

The XPath query for filtering events.

Allows filtering events using XML Path Language queries. If not specified, all events from the specified channels will be collected.

Timeout in milliseconds for waiting for new events.

Controls the maximum time WaitForMultipleObjects blocks before returning to check for shutdown signals. Lower values increase shutdown responsiveness at the cost of more frequent wake-ups.

Maximum number of events to process per second.

When set to a non-zero value, Vector will rate-limit event processing to prevent overwhelming downstream systems. A value of 0 (default) means no rate limiting is applied.

Event field inclusion/exclusion patterns.

Controls which event fields are included in the output.

Ignore specific event IDs.

Events with these IDs will be filtered out and not sent downstream.

Whether to include raw XML data in the output.

When enabled, the raw XML representation of the event is included in the xml field of the output event.

Maximum age of events to process (in seconds).

Events older than this value will be ignored. If not specified, all events will be processed regardless of age.

Maximum length for event data field values.

Event data values longer than this will be truncated with “…[truncated]” appended. Set to 0 for no limit.

Only include specific event IDs.

If specified, only events with these IDs will be processed. Takes precedence over ignore_event_ids.

Whether to read existing events or only new events.

When set to true, the source will read all existing events from the channels. When set to false (default), only new events will be read.

Whether to render human-readable event messages.

When enabled (default), Vector will use the Windows EvtFormatMessage API to render localized, human-readable event messages with parameter substitution. This matches the behavior of Windows Event Viewer.

Provider DLL handles are cached per provider, so the performance cost is limited to the first event from each provider. Disable only if you do not need rendered messages and want to eliminate the DLL loads entirely.