LimaCharlie gives security professionals the ability to collect Windows Event Log (WEL) data in real-time or in batch from disk (follow this guide to configure collection of WEL using the LimaCharlie Sensor).
There might be times when you would not want to deploy the LimaCharlie agent on the endpoint, but you would still like to connect Windows Event Logs from the system. You can accomplish this by leveraging the LimaCharlie Adapter.
To get started, navigate to the
Sensors page in the LimaCharlie web app &
Add Sensor. From the list of Sensors, select Windows Event Logs (note: you need to select
Windows Event Logs, not
Windows which is an EDR sensor with detection & response capabilities).
Select or create an installation key.
Download the executable for Windows x86-64 and set the ingestion method to the Windows Event Logs API.
Give a unique name to this sensor (the name that will be displayed on the Sensors view).
Add the comma-separated list of event sources, following the example in the web app or the technical documentation.
When complete, run the adapter with the command line copied from the web app.