Collect Event ID 307 using Insight Agent

Is it possible to use the Insight Agent to send Microsoft-Windows-PrintService/Operational logs (C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Operational.evtx)? I’ve looked through the documentation on using the logging.json file and it seems that the file will only send all Application, System and Security events to the platform, or if using the tailing function, that will only work on UTF-8 text files (not evtx files).
Would forwarding logs to a WEF server and then using that WEF server as a collection source work?

Hi Levi,

The agent cannot collect these logs. Configuring them to be forwarded via a WEF server wouldn’t work to have the agent process these logs on the target server either, as to my knowledge they are forwarded to a log which is not in Security, System or Application.

NXLog would be an option to forward these logs to the platform, however.
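
An NXLog configuration along the lines of the reply above, as an added example that is not part of the original thread: it reads only Event ID 307 from the PrintService Operational channel and ships each event as JSON over TCP. The destination host and port are placeholders, and a listener on the receiving side is assumed.

```conf
# Added example, not from the thread.
# The PrintService Operational channel must be enabled on the host,
# otherwise no Event ID 307 records are written for NXLog to read.

<Extension json>
    Module  xm_json
</Extension>

<Input printservice>
    Module  im_msvistalog
    # Subscribe to one channel and one event ID instead of every log,
    # so only print-job records leave the host.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-PrintService/Operational">
                    *[System[(EventID=307)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output collector>
    Module  om_tcp
    # Placeholder destination: replace with the host and port of the
    # listener that receives these events.
    Host    collector.example.internal
    Port    514
    # Serialize all event fields to a single JSON line per event.
    Exec    to_json();
</Output>

<Route print_to_collector>
    Path    printservice => collector
</Route>
```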


Not sure with the agent, but you could set an asset up as an event source to collect this, but 307 is not part of the event IDs it picks up, so you would have to select the “raw” logs as well.