
Windows Event Log – Built-in Event Viewer Integration

On Windows installations, MideyeServer automatically logs events to the Windows Event Viewer via a custom JNA (Java Native Access) appender. This integration is enabled by default and requires no configuration.

Key features:

  • Events appear in Event Viewer → Windows Logs → Application
  • Event source: “Mideye Server 6”
  • Default filter: WARN-level and higher from MideyeServer components (com.mideye.*)
  • Level mapping: INFO → Information, WARN → Warning, ERROR → Error
  • Integrates with Windows Event Forwarding (WEF) for centralized collection

  1. Open Event Viewer

    • Press Windows + R, type eventvwr.msc, and press Enter
    • Or: Server Manager → Tools → Event Viewer
  2. Navigate to Application Log

    • Expand Windows Logs
    • Click Application
  3. Filter by Source

    • Right-click Application → Filter Current Log…
    • In Event sources, check Mideye Server 6
    • Click OK
Terminal window
# View last 50 MideyeServer events
Get-EventLog -LogName Application -Source "Mideye Server 6" -Newest 50
# View only ERROR events
Get-EventLog -LogName Application -Source "Mideye Server 6" -EntryType Error -Newest 20
# View events from the last 24 hours
Get-EventLog -LogName Application -Source "Mideye Server 6" -After (Get-Date).AddDays(-1)
# Export to CSV
Get-EventLog -LogName Application -Source "Mideye Server 6" -Newest 100 |
    Export-Csv -Path C:\temp\mideye-events.csv -NoTypeInformation
Terminal window
REM View MideyeServer events
wevtutil qe Application "/q:*[System[Provider[@Name='Mideye Server 6']]]" /f:text /c:50
REM View only ERROR events (Level=2)
wevtutil qe Application "/q:*[System[Provider[@Name='Mideye Server 6'] and Level=2]]" /f:text

MideyeServer log levels are mapped to Windows Event Log levels as follows:

| Logback Level | Windows Event Type | Event Viewer Level | Category |
|---|---|---|---|
| TRACE | EVENTLOG_INFORMATION_TYPE | Information | 1 |
| DEBUG | EVENTLOG_INFORMATION_TYPE | Information | 2 |
| INFO | EVENTLOG_INFORMATION_TYPE | Information | 3 |
| WARN | EVENTLOG_WARNING_TYPE | Warning | 4 |
| ERROR | EVENTLOG_ERROR_TYPE | Error | 5 |

Default filter: Only WARN and higher events from com.mideye.* loggers are written to Windows Event Log.


The Windows Event Log appender is configured in the Windows-specific logback.xml file:

Location: C:\Program Files (x86)\Mideye Server 6\config\logback.xml

logback.xml (Windows)
<appender name="WINDOWS" class="com.mideye.mideyeserver.logging.JNAAppender">
  <!-- Threshold filter: only WARN and higher -->
  <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
    <level>WARN</level>
  </filter>
  <!-- Logger filter: only com.mideye.* loggers -->
  <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
    <evaluator>
      <expression>return logger.startsWith("com.mideye");</expression>
    </evaluator>
    <OnMismatch>DENY</OnMismatch>
    <OnMatch>NEUTRAL</OnMatch>
  </filter>
</appender>
<!-- Attach to root logger at WARN level -->
<root level="WARN">
  <appender-ref ref="WINDOWS"/>
</root>

To log more events (e.g., INFO and higher), change the threshold filter level:

logback.xml (Windows)
<appender name="WINDOWS" class="com.mideye.mideyeserver.logging.JNAAppender">
  <!-- Change from WARN to INFO -->
  <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
    <level>INFO</level>
  </filter>
  <!-- Logger filter: only com.mideye.* loggers -->
  <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
    <evaluator>
      <expression>return logger.startsWith("com.mideye");</expression>
    </evaluator>
    <OnMismatch>DENY</OnMismatch>
    <OnMatch>NEUTRAL</OnMatch>
  </filter>
</appender>

To log events from all components (including third-party libraries), remove the logger filter:

logback.xml (Windows)
<appender name="WINDOWS" class="com.mideye.mideyeserver.logging.JNAAppender">
  <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
    <level>WARN</level>
  </filter>
  <!-- Logger filter removed -->
</appender>

Windows Event Forwarding allows centralized collection of events from multiple Windows servers to a central Windows Event Collector (WEC).

  • Source Computer (MideyeServer): Windows Server 2016+ or Windows 10+
  • Collector Computer: Windows Server with Event Collector service
  • Domain membership (for domain-based authentication) or certificate-based authentication
  1. Enable WinRM service

    Terminal window
    # Enable WinRM
    winrm quickconfig
    # Verify WinRM is running
    Get-Service WinRM
  2. Configure Windows Remote Management

    Terminal window
    # Add Event Collector to allowed forwarding
    wecutil qc
  3. Set Event Log permissions

    Terminal window
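    # Grant Network Service read access to Application log.
    # /ca replaces the log's entire access descriptor (SDDL), not only the Network Service entry.
    # The argument is quoted so that PowerShell does not parse the parentheses and semicolons.
    wevtutil sl Application "/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"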
  1. Enable Event Collector service

    Terminal window
    # Enable and start Windows Event Collector
    wecutil qc
    # Verify service is running
    Get-Service Wecsvc
  2. Create a subscription

    • Open Event Viewer → Subscriptions
    • Right-click Subscriptions → Create Subscription…
    • Subscription name: MideyeServer Events
    • Destination log: Forwarded Events
    • Click Select Computers… → Add MideyeServer computer(s)
    • Click Select Events… → Configure filter:
      • Event level: Warning, Error
      • Event logs: Windows Logs → Application
      • Event sources: Mideye Server 6
    • Click OK to save the subscription
  3. Verify forwarding

    On the collector, open Event Viewer → Forwarded Events and look for MideyeServer events.

Create a subscription XML file for scripted deployment:

mideyeserver-subscription.xml
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>MideyeServer-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect MideyeServer events from all servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>300000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Application">
            *[System[Provider[@Name='Mideye Server 6'] and (Level=2 or Level=3)]]
          </Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>

Import the subscription:

Terminal window
wecutil cs mideyeserver-subscription.xml
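
To check on the MideyeServer host which events the subscription query would select, and whether the event source registration and Application log retention are in order, the following PowerShell function reuses the subscription's XPath with Get-WinEvent. It is an added example, not part of the Mideye documentation or product; the function name and the -Hours parameter are illustrative.

```powershell
# Added example (not Mideye code). Provider name, XPath levels and registry path are
# taken from this page; the function name and -Hours parameter are illustrative.
function Get-MideyeForwardPreview {
    [CmdletBinding()]
    param(
        [string]$Provider = 'Mideye Server 6',
        [ValidateRange(1, 720)][int]$Hours = 24
    )

    # Same selector as the subscription (Level 2 = Error, 3 = Warning), limited to a time window.
    $windowMs = [int64]$Hours * 3600000
    $xpath = "*[System[Provider[@Name='$Provider'] and (Level=2 or Level=3) " +
             "and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

    try {
        $events = @(Get-WinEvent -LogName Application -FilterXPath $xpath -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent reports "no matching events" as an error; treat it as an empty result.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        $events = @()
    }

    $log     = Get-WinEvent -ListLog Application
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$Provider"

    [pscustomobject]@{
        SourceRegistered = Test-Path -LiteralPath $regPath
        Errors           = @($events | Where-Object Level -eq 2).Count
        Warnings         = @($events | Where-Object Level -eq 3).Count
        NewestEvent      = if ($events.Count) { $events[0].TimeCreated } else { $null }
        LogMode          = $log.LogMode          # Circular = overwrite as needed
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PercentFull      = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    }
}

Get-MideyeForwardPreview -Hours 24 | Format-List
```

If the counts here are non-zero but nothing arrives in Forwarded Events on the collector, the problem lies in WinRM or the subscription rather than in the appender.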

Configure retention policies to prevent the Application log from filling up:

  1. Open Event Viewer
  2. Right-click Application → Properties
  3. Set Maximum log size (e.g., 100 MB)
  4. Choose Overwrite events as needed or Archive the log when full
Terminal window
# Set Application log to 100 MB and overwrite as needed
Limit-EventLog -LogName Application -MaximumSize 100MB -OverflowAction OverwriteAsNeeded
# View current settings
Get-EventLog -List | Where-Object {$_.Log -eq "Application"}

Check MideyeServer is running:

Terminal window
Get-Service | Where-Object {$_.DisplayName -like "*Mideye*"}

Check logback.xml syntax:

Look for Logback errors in MideyeServer’s console output or log files.

Verify event source is registered:

MideyeServer registers “Mideye Server 6” as an event source on startup. Check Windows Registry:

Terminal window
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\Mideye Server 6"

If missing, restart MideyeServer to re-register the source.

Check WinRM connectivity:

Terminal window
Test-WSMan -ComputerName mideyeserver.example.com

Check subscription status:

Terminal window
# On collector
wecutil gs "MideyeServer-Events"

Check subscription runtime status:

Terminal window
wecutil gr "MideyeServer-Events"

Enable diagnostic logging:

Terminal window
# On source computer
wevtutil sl Microsoft-Windows-Forwarding/Operational /e:true
wevtutil sl Microsoft-Windows-EventCollector/Operational /e:true

If the Windows Event Log appender causes performance issues:

Increase threshold to ERROR only:

logback.xml (Windows)
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
  <level>ERROR</level>
</filter>

Disable Windows Event Log appender:

Remove or comment out the WINDOWS appender reference:

logback.xml (Windows)
<!-- Comment out to disable
<root level="WARN">
  <appender-ref ref="WINDOWS"/>
</root>
-->

The Windows Event Log appender uses JNA (Java Native Access) to call the Win32 Event Logging API:

  • RegisterEventSource() — Registers “Mideye Server 6” event source
  • ReportEvent() — Writes log entries to the Application log
  • DeregisterEventSource() — Cleans up on shutdown

Source code: src/main/java/com/mideye/mideyeserver/logging/JNAAppender.java

The appender was derived from org.dblock.log4jna.nt.Win32EventLogAppender (Apache 2.0 license) and adapted for Logback.


  • Overview: Logback configuration file locations
  • Log Levels: Configure what events are logged to Windows Event Log
  • Syslog: Alternative log forwarding for Linux systems
  • Log Aggregators: Centralized logging alternatives to WEF