Monitoring Channel (Crimson) Event Logs on MS Windows - Connect IT Community | Kaseya
<main>
<article class="userContent">
<h2 data-id="make-custom-configurations-with-crimson-event-logs">Make custom configurations with Crimson Event Logs</h2>
<h3 data-id="about-crimson-channel-logs">About Crimson Channel Logs</h3>
<p>Windows includes two categories of event logs: Windows logs, and Applications and Services logs. The Windows logs category includes the event logs available in previous versions of Windows: the <strong>Application</strong>, <strong>Security</strong>, and <strong>System</strong> event logs. It also includes two newer logs: the <strong>Setup</strong> log and the <strong>ForwardedEvents</strong> log.</p>
<h3 data-id="applications-and-services-logs">Applications and Services Logs</h3>
<p>Applications and Services logs are a newer category of event logs. These logs store events from a single application or component rather than events that might have a system-wide impact. This category of event logs is referred to as an application's <em>crimson</em> channel.</p>
<p>The Applications and Services logs category includes four subtypes: <strong>Admin</strong>, <strong>Operational</strong>, <strong>Analytic</strong>, and <strong>Debug</strong> logs.</p>
<p>Events in Admin logs are of particular interest if you use event log records to troubleshoot problems. Events in the Admin log should give you guidance about how to respond to them.</p>
<p>Events in the Operational log are also useful but may require more interpretation. Admin and Debug logs aren't as user-friendly. Analytic logs (which are hidden and disabled by default) store events that trace an issue, often in high volume. Debug logs are used by developers when debugging applications.</p>
<h3 data-id="configuring-endpoint-event-monitor-for-crimson-logs">Configuring Endpoint Event Monitor for Crimson Logs</h3>
<p>1. 
From the RocketCyber Dashboard, click the <strong>Configure</strong> button on the Endpoint Event Log Monitor App Card.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/EMKUNAX22LFN/screen-shot-2020-04-01-at-2-49-16-pm.png" alt="screen-shot-2020-04-01-at-2-49-16-pm.png" class="embedImage-img importedEmbed-img"></figure>
<p>2. In the App Configuration dialog, click <strong>Add Custom Event From Channel</strong>.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/OBB86IZ6IKXN/screen-shot-2020-04-01-at-2-49-03-pm.png" alt="screen-shot-2020-04-01-at-2-49-03-pm.png" class="embedImage-img importedEmbed-img"></figure>
<p>3. In the <strong>Custom Event From Channel</strong> pane, enter the required information:</p>
<ul>
<li><strong>EventID</strong> - The numeric ID of the specific event you want to monitor</li>
<li><strong>Description</strong> - A description of the event</li>
<li><strong>Channel Path</strong> - The path of the event channel you wish to monitor</li>
<li><strong>Verdict</strong> - The verdict assigned to the event (informational, suspicious, or malicious)</li>
<li><strong>Query</strong> - Leave blank; reserved for future use</li>
</ul>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/CGY89O68J2FR/screen-shot-2020-04-01-at-2-51-53-pm.png" alt="screen-shot-2020-04-01-at-2-51-53-pm.png" class="embedImage-img importedEmbed-img"></figure>
<p>4. Click <strong>Update</strong> or <strong>Create</strong> to save the channel event to the configuration.</p>
<p>Once the configuration has been saved, the agents are notified of the updated configuration and begin monitoring for the updated event list.</p>
</article>
</main>
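<p>Before entering a Channel Path and EventID in the dialog above, it helps to confirm on a live endpoint that the channel exists, is enabled, and actually emits that event. The PowerShell below is an added example, not part of the RocketCyber article or product; the channel names and event IDs it checks are illustrative values to replace with your own.</p>

```powershell
# Added example (not RocketCyber code): validate a Channel Path / EventID pair
# on an endpoint before adding it as a Custom Event From Channel.
function Test-CrimsonChannelEvent {
    param(
        [Parameter(Mandatory)][string]$ChannelPath,  # value for the "Channel Path" field
        [Parameter(Mandatory)][int]$EventId,         # value for the "EventID" field
        [int]$MaxEvents = 5
    )

    # 1. Confirm the channel exists and check its subtype and enabled state.
    #    Analytic and Debug channels are disabled by default, so an agent
    #    watching a disabled channel will never see the event.
    $log = Get-WinEvent -ListLog $ChannelPath -ErrorAction Stop
    Write-Host ("Channel {0}: type={1} enabled={2} records={3}" -f
        $log.LogName, $log.LogType, $log.IsEnabled, $log.RecordCount)

    if (-not $log.IsEnabled) {
        Write-Warning "Channel '$ChannelPath' is disabled; event $EventId will not be recorded."
        return
    }

    # 2. Pull recent instances of the event so the Description and Verdict
    #    you enter match what the channel really emits.
    $filter = @{ LogName = $ChannelPath; Id = $EventId }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Discover candidate Channel Path values: crimson channels that hold events.
Get-WinEvent -ListLog 'Microsoft-Windows-*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, LogType, IsEnabled, RecordCount -First 15

# Illustrative pairs (constructed for this example; verify them on your own estate):
# Defender malware detection and PowerShell script block logging.
Test-CrimsonChannelEvent -ChannelPath 'Microsoft-Windows-Windows Defender/Operational' -EventId 1116
Test-CrimsonChannelEvent -ChannelPath 'Microsoft-Windows-PowerShell/Operational' -EventId 4104
```

If the function returns no events for an enabled channel, the ID is either wrong for that channel or the condition has not occurred on that host yet; use the message text it does return to write an accurate Description.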