CMK version: RAW 2.4.0p13
OS version: Debian 12
Hi, is there a (simple) way to monitor the defender logfile on windows hosts? I found many different solutions, but none of them are working for us.
Thanks in advance!
What solution have you tested and what do you expect?
KR Bernd
Hi @madman,
There are a few approaches to monitor Windows Defender logs with Checkmk RAW. Here’s what works:
Option 1 — Windows Eventlog monitoring (built-in, recommended)
Option 2 — Local check with PowerShell
Option 3 — Forward to Event Console
Hi, thanks! What would I have to do for option 1? Maybe I did something wrong? I couldn’t find the rule (Enterprise only?) and online tutorials explain log forwarding to the EC.
Agent plugin
or EC
more details tomorrow
As it’s said in “Indiana Jones and the Last Crusade”,
the Grail Knight says to him:
“Choose wisely.”
Option 1 — Windows Eventlog via agent config (no Agent Bakery in CRE)
Since you’re on RAW, there’s no Agent Bakery. You need to manually configure the Windows agent on each host. Edit or create C:\ProgramData\checkmk\agent\check_mk.user.yml:
```yaml
global:
  enabled: yes
logwatch:
  enabled: yes
  sendall: no
  vista_api: yes
  logging:
    eventlog:
      - name: "Microsoft-Windows-Windows Defender/Operational"
        level: all
```
After saving, restart the Checkmk agent service, then run a service discovery on the host. You should see a new Log Microsoft-Windows-Windows Defender/Operational service.
Then use Setup > Services > Service monitoring rules > Logfile patterns to classify the relevant Event IDs (e.g. 1116 = malware detected → CRIT).
Option 2 — PowerShell Local Check (simplest for CRE)
Place a PowerShell script in C:\ProgramData\checkmk\agent\local\:
```powershell
# defender_check.ps1
# Local check: read the last 50 Defender operational events and keep only the
# relevant IDs (1116 malware detected, 1117 action taken, 5001 real-time
# protection disabled) from the last hour.
$events = Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in @(1116, 1117, 5001) -and $_.TimeCreated -gt (Get-Date).AddHours(-1) }

# Local check output format: "<state> <service name> <metrics> <status text>"
if ($events | Where-Object { $_.Id -eq 1116 }) {
    Write-Output "2 Defender_Threats count=$($events.Count) Malware detected in the last hour!"
} elseif ($events | Where-Object { $_.Id -in @(1117, 5001) }) {
    Write-Output "1 Defender_Threats count=$($events.Count) Defender warning events found"
} else {
    Write-Output "0 Defender_Threats count=0 No Defender alerts in the last hour"
}
```
After the next agent run + service discovery, you’ll get a Defender_Threats service. No YAML config needed, works out of the box with CRE.
Option 3 — Event Console (EC)
You can also forward the Defender events to the Event Console. This works in CRE too, but requires more setup: configure Logwatch EC Forwarding rules and create EC rules to match the relevant events. This is the most powerful option but also the most complex.
Greetz Bernd
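To make the Logfile patterns step in Option 1 concrete, here is an added illustration (it is not Checkmk’s own code and not part of Bernd’s post) of how an ordered pattern list turns agent log lines into a service state: the first matching pattern wins, unmatched lines keep the state the agent assigned, and `I` drops a line entirely. It assumes a simplified agent line format `<state> <date> <time> <event id> <message>` and uses constructed sample lines; Event ID 1150 as a “healthy heartbeat to ignore” is an assumption for the example. The last function renders the same verdict in the local-check line format used in Option 2.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Checkmk logwatch states: C (crit), W (warn), O (ok); I means "ignore this line".
STATE_RANK = {"O": 0, "W": 1, "C": 2}

# Ordered rules, first match wins, like a "Logfile patterns" rule.
# 1116 / 1117 / 5001 are the Event IDs from the post above; 1150 is an assumed
# example of a routine event one would ignore.
DEFENDER_RULES: List[Tuple[str, str]] = [
    (r"\b1116\b", "C"),
    (r"\b1117\b", "W"),
    (r"\b5001\b", "W"),
    (r"\b1150\b", "I"),
]

# Constructed sample agent output (simplified format, assumption for this example).
SAMPLE_SECTION = """<<<logwatch>>>
[[[Microsoft-Windows-Windows Defender/Operational]]]
W Jan 20 10:15:02 1116 Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
W Jan 20 10:15:03 1117 Microsoft Defender Antivirus has taken action to protect this machine.
O Jan 20 10:20:00 1150 Endpoint Protection client is up and running in a healthy state.
O Jan 20 10:25:00 1001 Microsoft Defender Antivirus scan has finished.
"""


def parse_logwatch_section(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (logfile, agent_state, line_text) for each log line of a logwatch section."""
    logfile = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("<<<"):
            continue
        header = re.match(r"\[\[\[(.+)\]\]\]", raw)
        if header:
            logfile = header.group(1)
            continue
        # A log line starts with a one-letter state followed by a space.
        if logfile is None or len(raw) < 2 or raw[1] != " ":
            continue
        yield logfile, raw[0], raw[2:]


def classify(line_text: str, agent_state: str, rules=DEFENDER_RULES) -> str:
    """First matching pattern decides the state; otherwise keep the agent's state."""
    for pattern, state in rules:
        if re.search(pattern, line_text):
            return state
    return agent_state


def evaluate(text: str, rules=DEFENDER_RULES) -> Dict[str, dict]:
    """Reduce a logwatch section to a worst-state verdict per logfile."""
    result: Dict[str, dict] = {}
    for logfile, agent_state, line_text in parse_logwatch_section(text):
        entry = result.setdefault(logfile, {"state": 0, "lines": []})
        state = classify(line_text, agent_state, rules)
        if state == "I":
            continue  # ignored lines neither count nor change the state
        entry["lines"].append((state, line_text))
        entry["state"] = max(entry["state"], STATE_RANK[state])
    return result


def local_check_line(logfile_result: dict, service: str = "Defender_Threats") -> str:
    """Render a verdict as a Checkmk local check line: '<state> <name> <metrics> <text>'."""
    state = logfile_result["state"]
    crit = sum(1 for s, _ in logfile_result["lines"] if s == "C")
    warn = sum(1 for s, _ in logfile_result["lines"] if s == "W")
    text = {2: "Malware detected", 1: "Defender warning events found", 0: "No Defender alerts"}[state]
    return f"{state} {service} crit={crit}|warn={warn} {text}"


if __name__ == "__main__":
    for logfile, verdict in evaluate(SAMPLE_SECTION).items():
        print(logfile, "->", local_check_line(verdict))
```

Running it on the constructed section yields a CRIT verdict driven by the 1116 line, while the 1150 heartbeat is dropped and the unmatched 1001 line stays at the agent’s OK state; that is the behaviour to expect from the real rule once the Event IDs you care about are listed in the right order.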
Hej, thank you very much.
Thanks to you I could finally figure out how to get Option 1 working. In the end, this yaml config did the trick:
```yaml
global:
  # section may be fully disabled
  enabled: yes
logwatch:
  enabled: yes
  sendall: no
  vista_api: yes
  logfile:
    - 'Microsoft-Windows-Windows Defender/Operational': warn nocontext
```
Enabling the `global` option seems to be optional.