You can enable real-time Windows Event Logs by going to the Exfil Control section of LimaCharlie and ensuring that WEL event is selected in the list for your Windows rules.
You then will want to go into the Artifact Collection section and set up an artifact collection rule for the Windows Event Logs you want.
This is an example where we’re bringing in both real-time Windows Event Logs (those that start with wel://) as well as Windows Event Log EVTX files that exist on disk.
After you apply those, you should start seeing your Windows Event Log data coming through for your endpoints. You can verify this by going into the Timeline view and choosing WEL event type.
