Getting Windows Event Log (WEL) files from disk can be very helpful when first getting the LimaCharlie agent set up on an endpoint as it will bring in historical logs. These are brought in as a batch every few minutes.

Example pattern to use for a Windows Event Log file on disk related to PowerShell:

You should also consider adding realtime WEL events to your artifact collection rules as these are considered to be first-class LimaCharlie telemetry and are ingested in realtime. These realtime events are processed by the LimaCharlie D&R rules engine at wire speed so you can take action even faster.

Example pattern to use for realtime Windows Event Log data related to PowerShell:

One of the additional benefits of using realtime Windows Event Log collection is that these logs are stored alongside other telemetry data captured by the LimaCharlie agent for a full year.

You can collect both realtime Windows Event Logs as well as logs from disk on the same endpoint.