# Forwarding Windows Event Logs to Sentry via the OpenTelemetry Protocol (OTLP)

This guide shows you how to collect Windows Event Logs and forward them to Sentry using the OpenTelemetry Collector with the [Windows Event Log Receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/windowseventlogreceiver).

## [Prerequisites](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#prerequisites)

Before you begin, ensure you have:

* A Windows Server or Windows machine (Windows Vista or later)
* A Microsoft user account with permissions to access the Windows Event Log
* A Microsoft user account with permissions to create Services (for running the collector as a service)
* A Sentry project to send data to

## [Step 1: Install the OpenTelemetry Collector](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#step-1-install-the-opentelemetry-collector)

The Windows Event Log Receiver is included in the [OpenTelemetry Collector Contrib](https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib) distribution. You'll need to download and install this version, as the standard `otelcol` binary does not include the Windows Event Log Receiver.

### [Binary Installation](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#binary-installation)

1. Download the latest `otelcol-contrib` binary from the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

2. Extract the binary to a directory, for example `C:\otel-collector\`.

3. Create the service using the following command in an elevated Command Prompt or PowerShell:

```shell
sc.exe create otelcol-contrib displayname=otelcol-contrib start=delayed-auto binPath="C:\otel-collector\otelcol-contrib.exe --config C:\otel-collector\config.yaml"
```

### [MSI Installation](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#msi-installation)

Alternatively, you can install the OpenTelemetry Collector using the MSI installer:

1. Download the latest MSI installer from the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

2. Run the installer on your Windows Server.

3. The service named `otelcol-contrib` will be created and started automatically upon completion.

## [Step 2: Get Your Sentry OTLP Credentials](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#step-2-get-your-sentry-otlp-credentials)

You'll need your Sentry OTLP endpoint and authentication header. These can be found in your [Sentry Project Settings](https://sentry.io/settings/projects/) under **Client Keys (DSN)** > **OpenTelemetry (OTLP)**.

### [Logs Endpoint](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#logs-endpoint)

```bash
___OTLP_LOGS_URL___
```

### [Authentication Header](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#authentication-header)

```bash
x-sentry-auth: sentry sentry_key=___PUBLIC_KEY___
```

## [Step 3: Configure the Collector](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#step-3-configure-the-collector)

Create a configuration file at `C:\otel-collector\config.yaml` with the Windows Event Log Receiver and the OTLP HTTP exporter configured to send logs to Sentry.

### [Basic Configuration](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#basic-configuration)

This configuration collects logs from the three main Windows Event Log channels: Application, System, and Security.

`config.yaml`

```yaml
receivers:
  windowseventlog/application:
    channel: application
  windowseventlog/system:
    channel: system
  windowseventlog/security:
    channel: security

processors:
  resourcedetection:
    detectors: [system]
    system:
      hostname_sources: ["os"]
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - windowseventlog/application
        - windowseventlog/system
        - windowseventlog/security
      processors:
        - resourcedetection
        - batch
      exporters:
        - otlphttp/sentry
```

### [Configuration Options](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#configuration-options)

The Windows Event Log Receiver supports several configuration options:

| Option              | Default    | Description                                                                                     |
| ------------------- | ---------- | ----------------------------------------------------------------------------------------------- |
| `channel`           | *required* | The Windows Event Log channel to monitor (e.g., `application`, `system`, `security`)            |
| `start_at`          | `end`      | Where to start reading logs on first startup (`beginning` or `end`)                             |
| `poll_interval`     | `1s`       | Interval at which the channel is checked for new log entries                                    |
| `max_reads`         | `100`      | Maximum number of records read into memory before starting a new batch                          |
| `raw`               | `false`    | If `true`, the log body contains the original XML string instead of a structured representation |
| `exclude_providers` | `[]`       | List of event log providers to exclude from processing                                          |

### [Filtering Events with XML Queries](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#filtering-events-with-xml-queries)

You can use XML queries to filter specific events. This example only forwards logs from specific providers:

`config.yaml`

```yaml
receivers:
  windowseventlog/filtered:
    query: |
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*[System[Provider[@Name='MyApp']]]</Select>
          <Select Path="System">*[System[Level&lt;=2]]</Select>
        </Query>
      </QueryList>
```

The query above collects:

* All events from the `MyApp` provider in the Application channel
* Events with severity level 2 (Error) or lower from the System channel

For more information on XML query syntax, see [Microsoft's Query Schema documentation](https://learn.microsoft.com/en-us/windows/win32/wes/queryschema-schema).

### [Collecting from Remote Machines](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#collecting-from-remote-machines)

You can collect Windows Event Logs from remote machines by configuring the `remote` option:

`config.yaml`

```yaml
receivers:
  windowseventlog/remote:
    channel: application
    remote:
      server: "remote-server"
      username: "user"
      password: "password"
      domain: "domain"
```

##### Remote Collection Requirements

For remote collection to work:

* The remote computer must have the "Remote Event Log Management" Windows Firewall exception enabled.
* The remote computer must be running Windows Vista or later.
* You'll need a separate receiver configuration for local event log collection.

## [Step 4: Start the Collector](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#step-4-start-the-collector)

Once you've created your configuration file, configure the restart settings and start the service:

```shell
sc.exe failure otelcol-contrib reset= 86400 actions= restart/5000/restart/5000/restart/5000
sc.exe start otelcol-contrib
```

## [Troubleshooting](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#troubleshooting)

If logs aren't appearing in Sentry, you can add a debug exporter to troubleshoot:

1. Stop the service:

```shell
sc.exe stop otelcol-contrib
```

2. Create a debug configuration file (`config_debug.yaml`) with a debug exporter:

`config_debug.yaml`

```yaml
receivers:
  windowseventlog/application:
    channel: application

processors:
  batch:

exporters:
  debug:
    verbosity: detailed
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - windowseventlog/application
      processors:
        - batch
      exporters:
        - otlphttp/sentry
        - debug
```

3. Run the collector manually to see debug output:

```shell
C:\otel-collector\otelcol-contrib.exe --config C:\otel-collector\config_debug.yaml
```

4. Review the console output to verify events are being processed correctly.

5. If events are processed but not reaching Sentry, check:

   * Network connectivity to Sentry's ingestion endpoint
   * Firewall rules allowing outbound HTTPS traffic
   * The correctness of your Sentry credentials

## [Additional Resources](https://docs.sentry.io/product/drains/otlp-guides/windows-events.md#additional-resources)

* [Windows Event Log Receiver Documentation](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/windowseventlogreceiver)
* [Sentry OpenTelemetry Collector Configuration](https://docs.sentry.io/product/drains/integration/opentelemetry-collector.md)
* [Sentry Logs](https://docs.sentry.io/product/explore/logs.md)