in_winevtlog: Add descriptions about xml query for filtering events (#…

…1179) * in_winevtlog: Add a description for Event_Query parameter Signed-off-by: Hiroshi Hatake <hatake@calyptia.com> * in_winevtlog: Add query languages descriptions for event_query parameter Signed-off-by: Hiroshi Hatake <hatake@calyptia.com> * Update pipeline/inputs/windows-event-log-winevtlog.md Co-authored-by: Pat <pat@calyptia.com> Signed-off-by: Hiroshi Hatake <hatake@calyptia.com> * Update the sentence of supported types of queries. Co-authored-by: Pat <pat@calyptia.com> Signed-off-by: Hiroshi Hatake <hatake@calyptia.com> * Clearify the sentence that describes Event_Query parameter. Co-authored-by: Pat <pat@calyptia.com> Signed-off-by: Hiroshi Hatake <hatake@calyptia.com> --------- Signed-off-by: Hiroshi Hatake <hatake@calyptia.com> Co-authored-by: Pat <pat@calyptia.com>
fluent · Jan 18, 2024 · 3ca8c3b · 3ca8c3b
1 parent fbb006e
commit 3ca8c3b
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pipeline/inputs/windows-event-log-winevtlog.md b/pipeline/inputs/windows-event-log-winevtlog.md
@@ -16,6 +16,7 @@ The plugin supports the following configuration parameters:
 | String\_Inserts | Whether to include StringInserts in output records. \(optional\) | True  |
 | Render\_Event\_As\_XML | Whether to render system part of event as XML string or not. \(optional\) | False  |
 | Use\_ANSI | Use ANSI encoding on eventlog messages. If you have issues receiving blank strings with old Windows versions (Server 2012 R2), setting this to True may solve the problem. \(optional\) | False  |
+| Event\_Query | Specify XML query for filtering events. | `*` |
 
 Note that if you do not set _db_, the plugin will tail channels on each startup.
 
@@ -39,6 +40,12 @@ Here is a minimum configuration example.
 
 Note that some Windows Event Log channels \(like `Security`\) requires an admin privilege for reading. In this case, you need to run fluent-bit as an administrator.
 
+#### Query Languages for Event_Query Parameter
+
+The `Event_Query` parameter can be used to specify the XML query for filtering Windows EventLog during collection.
+The supported query types are [XPath](https://developer.mozilla.org/en-US/docs/Web/XPath) and XML Query.
+For further details, please refer to [the MSDN doc](https://learn.microsoft.com/en-us/windows/win32/wes/consuming-events).
+
 ### Command Line
 
 If you want to do a quick test, you can run this plugin from the command line.