Fluentd plugin to read the Windows Event Log.
ridk exec gem install fluent-plugin-windows-eventlog
Check in_windows_eventlog2 first. in_windows_eventlog
will be replaced with in_windows_eventlog2
.
fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
<source>
@type windows_eventlog
@id windows_eventlog
channels application,system
read_interval 2
tag winevt.raw
<storage>
@type local # @type local is the default.
persistent true # default is true. Set to false to use in-memory storage.
path ./tmp/storage.json # This is required when persistent is true.
# Or, please consider using <system> section's `root_dir` parameter.
</storage>
</source>
name | description |
---|---|
channels |
(option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
keys |
(option) A subset of keys to read. Defaults to all keys. |
read_interval |
(option) Read interval in seconds. 2 seconds as default. |
from_encoding |
(option) Input character encoding. nil as default. |
encoding |
(option) Output character encoding. nil as default. |
read_from_head |
(option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to false . |
<storage> |
Setting for storage plugin for recording read position like in_tail 's pos_file . |
parse_description |
(option) parse description field and set parsed result into the record. parse and string_inserts fields are removed |
This plugin reads the following fields from Windows Event Log entries. Use the keys
configuration option to select a subset. No other customization is allowed for now.
key |
---|
record_number |
time_generated |
time_written |
event_id |
event_type |
event_category |
source_name |
computer_name |
user |
description |
string_inserts |
Here is an example with parse_description true
.
{
"channel": "security",
"record_number": "91698",
"time_generated": "2017-08-29 20:12:29 +0000",
"time_written": "2017-08-29 20:12:29 +0000",
"event_id": "4798",
"event_type": "audit_success",
"event_category": "13824",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "TEST",
"user": "",
"description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-XXX\r\n\tAccount Name:\t\tTEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x7dc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe\r\n",
"string_inserts": [
"Administrator",
"TEST",
"S-XXX-YYY-ZZZ",
"S-XXX",
"TEST$",
"WORKGROUP",
"0x3e7",
"0x7dc",
"C:\\Windows\\System32\\LogonUI.exe"
]
}
This record is transformed to
{
"channel": "security",
"record_number": "91698",
"time_generated": "2017-08-29 20:12:29 +0000",
"time_written": "2017-08-29 20:12:29 +0000",
"event_id": "4798",
"event_type": "audit_success",
"event_category": "13824",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "TEST",
"user": "",
"description_title": "A user's local group membership was enumerated.",
"subject.security_id": "S-XXX",
"subject.account_name": "TEST$",
"subject.account_domain": "WORKGROUP",
"subject.logon_id": "0x3e7",
"user.security_id": "S-XXX-YYY-ZZZ",
"user.account_name": "Administrator",
"user.account_domain": "TEST",
"process_information.process_id": "0x7dc",
"process_information.process_name": "C:\\Windows\\System32\\LogonUI.exe\r\n"
}
NOTE: This feature assumes description
field has following formats:
- group delimiter:
\r\n\r\n
- record delimiter:
\r\n\t
- field delimiter:
\t\t
If your description
doesn't follow this format, the parsed result is only description_title
field with same description
content.
fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to in_windows_eventlog
. See also this slide for the details of in_windows_eventlog2
plugin.
<source>
@type windows_eventlog2
@id windows_eventlog2
channels application,system
read_interval 2
tag winevt.raw
render_as_xml false # default is true.
rate_limit 200 # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
<storage>
@type local # @type local is the default.
persistent true # default is true. Set to false to use in-memory storage.
path ./tmp/storage.json # This is required when persistent is true.
# Or, please consider using <system> section's `root_dir` parameter.
</storage>
<parse>
@type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
</parse>
</source>
NOTE: in_windows_eventlog2 always handles EventLog records as UTF-8 characters. Users don't have to specify encoding related parameters and they are not provided.
NOTE: When Description
contains error message such as The message resource is present but the message was not found in the message table.
, eventlog's resource file (.mui) related to error generating event is something wrong. This issue is also occurred in built-in Windows Event Viewer which is the part of Windows management tool.
NOTE: When render_as_xml
as false
, the dependent winevt_c gem renders Windows EventLog as Ruby Hash object directly. This reduces bottleneck to consume EventLog. Specifying render_as_xml
as false
should be faster consuming than render_as_xml
as true
case.
NOTE: If you encountered CPU spike due to massively huge EventLog channel, rate_limit
parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(Winevt::EventLog::Subscribe::RATE_INFINITE
).
name | description |
---|---|
channels |
(option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
keys |
(option) A subset of keys to read. Defaults to all keys. |
read_interval |
(option) Read interval in seconds. 2 seconds as default. |
from_encoding |
(option) Input character encoding. nil as default. |
<storage> |
Setting for storage plugin for recording read position like in_tail 's pos_file . |
<parse> |
Setting for parser plugin for parsing raw XML EventLog records. |
parse_description |
(option) parse description field and set parsed result into the record. Description and EventData fields are removed |
This plugin reads the following fields from Windows Event Log entries. Use the keys
configuration option to select a subset. No other customization is allowed for now.
key |
---|
ProviderName |
ProviderGuid |
EventID |
Qualifiers |
Level |
Task |
Opcode |
Keywords |
TimeCreated |
EventRecordId |
ActivityID |
RelatedActivityID |
ProcessID |
ThreadID |
Channel |
Computer |
UserID |
Version |
Description |
EventData |
Here is an example with parse_description true
.
{
"ProviderName": "Microsoft-Windows-Security-Auditing",
"ProviderGUID": "{D441060A-9695-472B-90BC-24DCA9D503A4}",
"EventID": "4798",
"Qualifiers": "",
"Level": "0",
"Task": "13824",
"Opcode": "0",
"Keywords": "0x8020000000000000",
"TimeCreated": "2019-06-19T03:10:01.982940200Z",
"EventRecordID": "87028",
"ActivityID": "",
"RelatedActivityID": "{2599DE71-2F70-44AD-9DC8-C5FF2AE8D1EF}",
"ThreadID": "16888",
"Channel": "Security",
"Computer": "DESKTOP-TEST",
"UserID": "",
"Version": "0",
"Description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-Z\r\n\tAccount Name:\t\tDESKTOP-TEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ0\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tDESKTOP-TEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xbac\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n",
"EventData": [
"Administrator",
"DESKTOP-TEST",
"S-XXX-YYY-ZZZ",
"S-X-Y-Z",
"DESKTOP-TEST$",
"WORKGROUP",
"0x3e7",
"0xbac",
"C:\\Windows\\System32\\svchost.exe"
]
}
This record is transformed to
{
"ProviderName": "Microsoft-Windows-Security-Auditing",
"ProviderGUID": "{D441060A-9695-472B-90BC-24DCA9D503A4}",
"EventID": "4798",
"Qualifiers": "",
"Level": "0",
"Task": "13824",
"Opcode": "0",
"Keywords": "0x8020000000000000",
"TimeCreated": "2019-06-19T03:10:01.982940200Z",
"EventRecordID": "87028",
"ActivityID": "",
"RelatedActivityID": "{2599DE71-2F70-44AD-9DC8-C5FF2AE8D1EF}",
"ThreadID": "16888",
"Channel": "Security",
"Computer": "DESKTOP-TEST",
"UserID": "",
"Version": "0",
"DescriptionTitle": "A user's local group membership was enumerated.",
"subject.security_id": "S-X-Y-Z",
"subject.account_name": "DESKTOP-TEST$",
"subject.account_domain": "WORKGROUP",
"subject.logon_id": "0x3e7",
"user.security_id": "S-XXX-YYY-ZZZ",
"user.account_name": "Administrator",
"user.account_domain": "DESKTOP-TEST",
"process_information.process_id": "0xbac",
"process_information.process_name": "C:\\Windows\\System32\\svchost.exe"
}
NOTE: This feature assumes description
field has following formats:
- group delimiter:
\r\n\r\n
- record delimiter:
\r\n\t
- field delimiter:
\t\t
If your description
doesn't follow this format, the parsed result is only description_title
field with same description
content.
Copyright(C) 2014- @okahashi117
Apache License, Version 2.0