Conversation
@danielnelson we're really looking forward to this feature.
Guys, is there any plan to merge this?
16d2ae4 to 572979e
@anuar45 Can this plugin be updated to have a user-defined filter to filter events on the basis of source and event IDs, i.e. if we want to have winlog events for a particular source and for any defined EventIDs?
@utsah87 It is already supported. For example, to query for a specific EventID you can use the following config parameter: xpath_query = "Event/System[EventID=999]", and so on. Reference: https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events
Thanks for the reply. I am able to use this correctly now.
Hi @utsah87, thanks for reporting, but I don't see such an issue on my test VM.
Hi @anuar45, not sure why, but I am not able to see timestamps for System channel alerts only. I have tried that on different Windows servers too. To let you know, I am trying it on Windows Server 2012 R2, Standard x64 edition.
Hi @utsah87, thank you. Let me test it on Windows Server 2012 R2.
Hi @anuar45, while retesting the same scenario today I noticed one thing: we are actually getting the timestamps too, but there is a catch. In the "System" channel the description picks the messages from param1 and param2. Because the description clubs both params together, the delimiter that comes between them is a newline character, so what we see is that param1 comes in the description field, while param2 comes on a new line with the timestamp appended to it. So what needs to be fixed is either to pick only one param as the description, or to club both params together with a comma ','.
Hi @anuar45. Apart from the above issue, I need to understand whether we can make an xpath_query which is applicable to all the log channels, i.e. whether we can use eventlog_name = "*" instead of a particular channel name.
Hi @utsah87, first of all thank you for your findings. I think I will concatenate all log messages with a space. Regarding a wildcard for eventlog_name, I am not sure this is possible, but I will check.
Hi @utsah87. So I have added a space between event data fields; now nothing should be truncated.
In plugins/inputs/win_eventlog/README.md:
> Alternatively it is possible to use special XML query documented [here](https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events), in this case eventlog_name field will be ignored (use triple quote for xml in telegraf config file).
Can you please give an example of how to use this after ignoring eventlog_name?
@anuar45: Is there any possibility to have a filter on the basis of Event Data or the message of the event log?
Also, can you please help with an example for the below:
> Alternatively it is possible to use special XML query documented here, in this case eventlog_name field will be ignored (use triple quote for xml in telegraf config file).
Hi @utsah87, you can use the following config as a reference, and I think it is also possible to filter on event data using it:

```toml
[[inputs.win_eventlog]]
  ## Name of eventlog (ignored when xpath_query is a structured XML query)
  eventlog_name = "Application"
  ## '<' inside the XPath expressions is written as &lt; so the XML parses;
  ## the timestamp attribute is @SystemTime.
  xpath_query = '''
<QueryList>
  <Query Id="0">
    <Select Path="Application">
      *[System[(Level &lt;= 3) and
      TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <Suppress Path="Application">
      *[System[(Level = 2)]]
    </Suppress>
    <Select Path="System">
      *[System[(Level=1 or Level=2 or Level=3) and
      TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'''
```
Tue, 18 Aug 2020 at 09:58, utsah87 <notifications@github.com>:
In plugins/inputs/win_eventlog/README.md
<#7020 (comment)>:
> @@ -11,6 +11,8 @@ Supports Windows Vista and higher.
xpath_query = "Event/System[EventID=999]"
```
+Alternatively it is possible to use special XML query documented [here](https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events), in this case eventlog_name field will be ignored (use triple quote for xml in telegraf config file).
+
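Review bot: the `+Alternatively ...` line tells the reader that eventlog_name is ignored for an XML query but shows no such query, while the only example above it (xpath_query = "Event/System[EventID=999]") is the single-channel form, so a reader cannot tell where the channel name goes in the XML form; add a fenced, triple-quoted <QueryList> example with a <Select Path="..."> element directly after this sentence. Wording: "special XML query" should read "a structured XML query", and "use triple quote for xml in telegraf config file" should read "use triple quotes for the XML in the Telegraf config file". The trailing `+` blank line is fine as paragraph separation.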
Hello! Another example of xpath_query:

```toml
## Structured XML query; '<' and '>' inside the XPath expressions are written
## as &lt; and &gt; so the XML parses.
xpath_query = '''
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[( (EventID &gt;= 5152 and EventID &lt;= 5158) or EventID=5379 or EventID=4672)]]</Suppress>
  </Query>
  <Query Id="1" Path="Application">
    <Select Path="Application">*[System[(Level &lt; 4)]]</Select>
    <Select Path="OpenSSH/Admin">*[System[(Level &lt; 4)]]</Select>
    <Select Path="Windows PowerShell">*[System[(Level &lt; 4)]]</Select>
    <Select Path="Key Management Service">*[System[(Level &lt; 4)]]</Select>
    <Select Path="HardwareEvents">*[System[(Level &lt; 4)]]</Select>
  </Query>
  <Query Id="2" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*[System[(Level &lt; 4)]]</Select>
  </Query>
  <Query Id="3" Path="System">
    <Select Path="System">*</Select>
  </Query>
  <Query Id="4" Path="Setup">
    <Select Path="Setup">*</Select>
  </Query>
</QueryList>
'''
```

@anuar45, I think it is expected of you to add an XML query example to README.md. @danielnelson, what are the prospects of merging this PR? I have some additions, but I can't add them without making an additional pull request.
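Before pasting either form of xpath_query into telegraf.conf, it is worth proving the query against the live logs with Get-WinEvent, which accepts the same XPath expression and the same <QueryList> XML that the plugin hands to the Windows event API. The script below is an added example, not code from this PR or from Telegraf. It assumes an elevated PowerShell session on a Windows host (the Security channel requires it), that the Application, System and Security channels and the Microsoft-Windows-Kernel-General provider exist, and it walks through the three questions raised in this thread: filtering by source and EventID, filtering on EventData fields, and the multi-channel XML form with Suppress elements, plus the field-joining behaviour that caused the split-description report above.

```powershell
# Added example (not from the PR or the Telegraf project): validate win_eventlog
# queries with Get-WinEvent before putting them into telegraf.conf.
# Assumptions: elevated PowerShell on Windows; the channels and the provider
# named below exist on the host. Nothing here calls Telegraf itself.

# --- 1. Single-channel form: eventlog_name + xpath_query -----------------------
# Maps to Get-WinEvent -LogName + -FilterXPath. Restricts by source (Provider)
# and by a set of EventIDs, which is the "source and event IDs" filter asked
# for above. Kernel-General 12/13 are the OS start/shutdown events.
$singleChannel = "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID=13)]]"
Get-WinEvent -LogName 'System' -FilterXPath $singleChannel -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName

# --- 2. Filtering on EventData, not only on System metadata -------------------
# Data[@Name='...'] addresses a named field of the event's <EventData> block.
# 4624 with LogonType 10 = interactive RDP logons; Properties[5] is TargetUserName.
$byEventData = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
Get-WinEvent -LogName 'Security' -FilterXPath $byEventData -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'TargetUser'; e = { $_.Properties[5].Value } }

# --- 3. Structured XML form (eventlog_name is ignored by the plugin here) ------
# Each <Select>/<Suppress> carries its own Path, so one query spans channels.
# Inside XML element text '<' must be written as &lt;. The [xml] cast below
# throws on an unescaped '<', which is the cheap check to run before editing
# telegraf.conf. Suppress drops the noisy filtering-platform events 5152-5158
# and the routine 4672 "special privileges assigned" event.
$queryXml = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[((EventID &gt;= 5152 and EventID &lt;= 5158) or EventID=4672)]]</Suppress>
  </Query>
  <Query Id="1" Path="Application">
    <Select Path="Application">*[System[(Level &lt; 4) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="System">*[System[(Level &lt; 4) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $queryXml -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object LogName, TimeCreated, Id, LevelDisplayName

# --- 4. How a description is assembled from EventData -------------------------
# The thread above found that joining the EventData fields with a newline split
# param1 and param2 across lines; joining with a space keeps one line, which is
# the change the PR adopted. The Message property is the text Windows renders
# from the provider's message template (EvtFormatMessage), which is the
# "special Win API function" mentioned later in the thread.
Get-WinEvent -LogName 'System' -MaxEvents 3 | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $fields = @($xml.GetElementsByTagName('Data') | ForEach-Object { $_.InnerText })
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Fields      = ($fields -join ' ')
        Message     = $_.Message
    }
}
```

-ErrorAction SilentlyContinue only hides the "No events were found" error that Get-WinEvent raises for an empty result; a malformed XPath or an XML document with a bare `<` still fails, which is the point of running the queries here first.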
Thank you all, but I found a major issue in rendering events. There is a special Win API function which can format event data into the full event message. I will update the PR shortly.
Thank you @simnv, that's the best thing that could happen to this piece of code. PS: I also started a Go module, anuar45/winlog; if you have interest you can take it as well.
@anuar45 Looks like someone has beaten us to it: AtakanColak/gowinlog
…8000) Co-authored-by: Anuar Serdaliyev <serdaliyev.anuar@gmail.com>
Required for all PRs:
Feature #4525