# Windows hosts Windows hosts: Event logs from core services like security, system, DNS, and DHCP for operational and forensic analysis. To collect event logs from Microsoft Windows hosts, Axoflow supports both agent-based and agentless methods. * For a collector agent, we recommend using the Axoflow OpenTelemetry Collector distribution. For details, see [Windows host - agent based solution](../../../../docs/axoflow/provisioning/windows-opentelemetry/index.md). * To use an agentless solution, see [Windows Event Collector (WEC)](../../../../docs/axoflow/data-sources/wec/index.md). ## Labels Labels assigned to data received from Windows hosts depend on how AxoRouter receives the data. For details, see [Windows host - agent based solution](../../../../docs/axoflow/provisioning/windows-opentelemetry/index.md#labels) and [Windows Event Collector (WEC)](../../../../docs/axoflow/data-sources/wec/index.md#labels). ## Sending data to Splunk When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings: sourcetype | index ---|--- `windows:eventlog:snare` | `oswin` `windows:eventlog:xml` | `oswin` If the Axoflow classification doesn’t set the source field for the message automatically, and you haven’t set it in a [flow processing step](../../../../docs/axoflow/data-management/processing/index.md#set-fields) manually (by setting the `meta.destination.splunk.source` field), AxoRouter automatically sets the source to the [name of the AxoRouter connector](../../../../docs/axoflow/reference/message-schema/reference/index.md#meta.connector.name) that received the message (for example, `axorouter-syslog-tcp-514`). ## Sending data to Google SecOps When sending the data collected from this source to a [_dynamic_ Google SecOps destination](../../../../docs/axoflow/destinations/google/secops/index.md), Axoflow sets the following log type: `WINEVTLOG, WINEVTLOG_XML, WINDOWS_DHCP, WINDOWS_DNS`. ## Sending data to Microsoft Sentinel When sending the data collected from this source to a [Microsoft Sentinel destination](../../../../docs/axoflow/destinations/microsoft/sentinel/index.md), Axoflow normalizes the data and sends it to the following tables. * Event logs from the Security channel: `SecurityEvent` * Event logs from the System channel: `SecurityEvent` * Other event logs: `WindowsEvent`