docs: updates system, windows, winlog integrations

jmikell821 · jmikell821 · commit ee3a38febeb6 · 2026-03-06T19:43:23.000-05:00
diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md
@@ -12,6 +12,14 @@ Then, you could view real-time updates to disk space used on your system in Kiba
 You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is
 less than 10% of the total disk space.
 
+## Choosing the right integration for Windows event logs
+
+If you're collecting Windows event logs, note that there are three related integrations:
+
+- **System integration** (this integration): Collects logs from the Windows `Application`, `System`, and `Security` channels with specialized ingest pipelines optimized for observability use cases.
+- **[Windows integration](https://www.elastic.co/docs/reference/integrations/windows)**: Collects logs from Windows-specific channels like PowerShell, Sysmon, Windows Defender, and AppLocker with specialized security-focused ingest pipelines. Use this for security monitoring and advanced Windows telemetry.
+- **[Custom Windows event log package](https://www.elastic.co/docs/reference/integrations/winlog)**: Collects logs from any user-defined Windows event log channel. Use this when you need to collect from channels not covered by the System or Windows integrations. Note that this integration does not include specialized ingest pipelines—you'll need to create custom pipelines if additional processing is required.
+  
 ## Data streams
 
 The System integration collects two types of data: logs and metrics.
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
@@ -12,6 +12,14 @@ Then, you could view real-time updates to disk space used on your system in Kiba
 You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is
 less than 10% of the total disk space.
 
+## Choosing the right integration for Windows event logs
+
+If you're collecting Windows event logs, note that there are three related integrations:
+
+- **System integration** (this integration): Collects logs from the Windows `Application`, `System`, and `Security` channels with specialized ingest pipelines optimized for observability use cases.
+- **[Windows integration](https://www.elastic.co/docs/reference/integrations/windows)**: Collects logs from Windows-specific channels like PowerShell, Sysmon, Windows Defender, and AppLocker with specialized security-focused ingest pipelines. Use this for security monitoring and advanced Windows telemetry.
+- **[Custom Windows event log package](https://www.elastic.co/docs/reference/integrations/winlog)**: Collects logs from any user-defined Windows event log channel. Use this when you need to collect from channels not covered by the System or Windows integrations. Note that this integration does not include specialized ingest pipelines—you'll need to create custom pipelines if additional processing is required.
+  
 ## Data streams
 
 The System integration collects two types of data: logs and metrics.
diff --git a/packages/windows/_dev/build/docs/README.md b/packages/windows/_dev/build/docs/README.md
@@ -8,6 +8,14 @@ Then visualize that data in Kibana, create alerts to notify you if something goe
 For example, if you wanted to know if a Windows service unexpectedly stops running, you could install the Windows integration to send service metrics to Elastic.
 Then, you could view real-time changes to service status in Kibana's _[Metrics Windows] Services_ dashboard.
 
+## Choosing the right integration for Windows event logs
+
+If you're collecting Windows event logs, note that there are three related integrations:
+
+- **[System integration](https://www.elastic.co/docs/reference/integrations/system)**: Collects logs from the Windows `Application`, `System`, and `Security` channels with specialized ingest pipelines optimized for observability use cases.
+- **Windows integration** (this integration): Collects logs from Windows-specific channels like PowerShell, Sysmon, Windows Defender, and AppLocker with specialized security-focused ingest pipelines. Use this for security monitoring and advanced Windows telemetry.
+- **[Custom Windows Event Logs integration](https://www.elastic.co/docs/reference/integrations/winlog)**: Collects logs from any user-defined Windows event log channel without specialized pipelines.
+  
 ## Data streams
 
 The Windows integration collects two types of data: logs and metrics.
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
@@ -8,6 +8,14 @@ Then visualize that data in Kibana, create alerts to notify you if something goe
 For example, if you wanted to know if a Windows service unexpectedly stops running, you could install the Windows integration to send service metrics to Elastic.
 Then, you could view real-time changes to service status in Kibana's _[Metrics Windows] Services_ dashboard.
 
+## Choosing the right integration for Windows event logs
+
+If you're collecting Windows event logs, note that there are three related integrations:
+
+- **[System integration](https://www.elastic.co/docs/reference/integrations/system)**: Collects logs from the Windows `Application`, `System`, and `Security` channels with specialized ingest pipelines optimized for observability use cases.
+- **Windows integration** (this integration): Collects logs from Windows-specific channels like PowerShell, Sysmon, Windows Defender, and AppLocker with specialized security-focused ingest pipelines. Use this for security monitoring and advanced Windows telemetry.
+- **[Custom Windows Event Logs integration](https://www.elastic.co/docs/reference/integrations/winlog)**: Collects logs from any user-defined Windows event log channel without specialized pipelines.
+  
 ## Data streams
 
 The Windows integration collects two types of data: logs and metrics.
diff --git a/packages/winlog/_dev/build/docs/README.md b/packages/winlog/_dev/build/docs/README.md
@@ -5,6 +5,17 @@ You can get a list of available event log channels by running [`Get-WinEvent -Li
 If `Get-WinEvent` is not available, [`Get-EventLog *`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog) may be used.
 Custom ingest pipelines may be added by setting one up in [Ingest Node Pipelines](/app/management/ingest/ingest_pipelines/).
 
+## Choosing the right integration for Windows event logs
+
+Use the Custom Windows event logs integration when you need to collect events from Windows event log channels that are not covered by the prebuilt integrations. This integration provides flexibility, but does not include specialized ingest pipelines—the data is collected in its raw form.
+
+**Before using this integration**, check if one of these alternatives better fits your use case:
+
+- **[System integration](https://www.elastic.co/docs/reference/integrations/system)**: Collects from the `Application`, `System`, and `Security` channels with specialized ingest pipelines that enrich the data for observability dashboards and alerting.
+- **[Windows integration](https://www.elastic.co/docs/reference/integrations/windows)**: Collects from PowerShell, Sysmon, Windows Defender, AppLocker, and ForwardedEvents channels with security-focused ingest pipelines.
+
+Using the System or Windows integrations for their supported channels provides better out-of-the-box value because their ingest pipelines parse and enrich the event data, making it more useful for dashboards, searches, and security detections.
+
 ## Configuration
 
 ### Windows Event ID clause limit
diff --git a/packages/winlog/docs/README.md b/packages/winlog/docs/README.md
@@ -5,6 +5,17 @@ You can get a list of available event log channels by running [`Get-WinEvent -Li
 If `Get-WinEvent` is not available, [`Get-EventLog *`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog) may be used.
 Custom ingest pipelines may be added by setting one up in [Ingest Node Pipelines](/app/management/ingest/ingest_pipelines/).
 
+## Choosing the right integration for Windows event logs
+
+Use the Custom Windows event logs integration when you need to collect events from Windows event log channels that are not covered by the prebuilt integrations. This integration provides flexibility, but does not include specialized ingest pipelines—the data is collected in its raw form.
+
+**Before using this integration**, check if one of these alternatives better fits your use case:
+
+- **[System integration](https://www.elastic.co/docs/reference/integrations/system)**: Collects from the `Application`, `System`, and `Security` channels with specialized ingest pipelines that enrich the data for observability dashboards and alerting.
+- **[Windows integration](https://www.elastic.co/docs/reference/integrations/windows)**: Collects from PowerShell, Sysmon, Windows Defender, AppLocker, and ForwardedEvents channels with security-focused ingest pipelines.
+
+Using the System or Windows integrations for their supported channels provides better out-of-the-box value because their ingest pipelines parse and enrich the event data, making it more useful for dashboards, searches, and security detections.
+
 ## Configuration
 
 ### Windows Event ID clause limit
