topic Re: Some Columns Missing When Ingesting Windows Event Log "Forwarded Events" (AKA: ForwardedEvents) in Log Analytics

Some Columns Missing When Ingesting Windows Event Log "Forwarded Events" (AKA: ForwardedEvents)

36Krazyfists — Fri, 30 May 2025 08:05:50 GMT

We have some database hosts we can't install OneAgent on, so we setup Windows Event Viewer Subscriptions on a remote host that does have OneAgent installed.

Basically, the Windows Event Viewer on the "collector" host (the one that does have OneAgent installed) is subscribed to the Application and System event logs on two Windows Database Servers that don't have OneAgent installed. The collector then collects the logs from those two database servers using the Windows Event Viewer Subscriptions feature and stores them in the "Forwarded Events" log (Full Name is "ForwardedEvents") on the collector host.

I then added that Forwarded Events log as a Custom Windows Log Source in Dynatrace and I see the log entries in Dynatrace.

Great, right?

Unfortunately, no... not so great.

For some reason, Dynatrace doesn't collect two important columns, even though they do exist in the actual event log on the collector host:

"Log" and "Computer".

The Log field tells you which log the particular record came from (either Application or System in our case) and the Computer field tells you which of the two database hosts sent this particular record.

Since Dynatrace doesn't collect these two fields, I have no way of doing anything meaningful with these logs... I don't know which hosts they came from nor do I know which original event log they belonged to...

The simple solution would be to create custom Windows Event Logs and have each log for each host sent to their own respective logs in the collector's event viewer, but creating new logs in Windows isn't very straightforward.

So, is there any way to get Dynatrace to pick up and display those columns? Why doesn't Dynatrace display them? I don't get it...

Re: Some Columns Missing When Ingesting Windows Event Log "Forwarded Events" (AKA: ForwardedEvents)

MaciejNeumann — Tue, 18 Nov 2025 14:22:08 GMT

Hello @36Krazyfists,

Here is the answer I've found in our internal resources

OneAgent only extracts the limited list of attributes from Windows Event Logs. You can find it here:

Windows event logs — Dynatrace Docs

Although starting with agent version 317 there is possibility to ingest all the data from Windows Event Logs in the User Data or Event Data branches (depending on availability).

Re: Some Columns Missing When Ingesting Windows Event Log "Forwarded Events" (AKA: ForwardedEvents)

Joachim_Erdei — Thu, 20 Nov 2025 11:08:21 GMT

Hi, Forwarded Event Logs are not currently supported due to technical limitations. The situation does not look like a trivial fix. Currently there is no expected date for supporting this use case (Forwarded Event Logs). Please negotiate it with our Product Manager @TomekRybczynski (internal ticket: OA-56273)

Re: Some Columns Missing When Ingesting Windows Event Log "Forwarded Events" (AKA: ForwardedEvents)

JR79 — Fri, 21 Nov 2025 09:49:01 GMT

Hello, would there be any know possible workaround on this topic please?

Re: Some Columns Missing When Ingesting Windows Event Log "Forwarded Events" (AKA: ForwardedEvents)

Joachim_Erdei — Fri, 21 Nov 2025 11:56:58 GMT

@TomekRybczynski @marcin_okraszew Are you aware if some solution based on Generic Ingest can support this use case?