From 94fb1cb420645d1c0f65d9887a65a7fe3e2579dd Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Mon, 11 Oct 2021 18:45:11 +0900 Subject: [PATCH] winevtlog: Add docs Signed-off-by: Hiroshi Hatake --- .gitbook.yaml | 1 + SUMMARY.md | 1 + installation/sources/build-and-install.md | 1 + .../inputs/windows-event-log-winevtlog.md | 51 +++++++++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 pipeline/inputs/windows-event-log-winevtlog.md diff --git a/.gitbook.yaml b/.gitbook.yaml index 54e3d73be..72d0e180b 100644 --- a/.gitbook.yaml +++ b/.gitbook.yaml @@ -28,6 +28,7 @@ redirects: input/tcp: ./pipeline/inputs/tcp.md input/thermal: ./pipeline/inputs/thermal.md input/winlog: ./pipeline/inputs/windows-event-log.md + input/winevtlog: ./pipeline/inputs/windows-event-log-winevtlog.md # Filters filter/aws: ./pipeline/filters/aws-metadata.md diff --git a/SUMMARY.md b/SUMMARY.md index 64823d148..cc939d22e 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -101,6 +101,7 @@ * [TCP](pipeline/inputs/tcp.md) * [Thermal](pipeline/inputs/thermal.md) * [Windows Event Log](pipeline/inputs/windows-event-log.md) + * [Windows Event Log (winevtlog)](pipeline/inputs/windows-event-log-winevtlog.md) * [Parsers](pipeline/parsers/README.md) * [JSON](pipeline/parsers/json.md) * [Regular Expression](pipeline/parsers/regular-expression.md) diff --git a/installation/sources/build-and-install.md b/installation/sources/build-and-install.md index f08979a9f..6dd47bd7c 100644 --- a/installation/sources/build-and-install.md +++ b/installation/sources/build-and-install.md 
@@ -129,6 +129,7 @@ The _input plugins_ provides certain features to gather information from a speci | [FLB\_IN\_TCP](../../pipeline/inputs/tcp.md) | Enable TCP input plugin | On | | [FLB\_IN\_THERMAL](../../pipeline/inputs/thermal.md) | Enable system temperature\(s\) input plugin | On | | [FLB\_IN\_WINLOG](../../pipeline/inputs/windows-event-log.md) | Enable Windows Event Log input plugin \(Windows Only\) | On | +| [FLB\_IN\_WINEVTLOG](../../pipeline/inputs/windows-event-log-winevtlog.md) | Enable Windows Event Log input plugin using winevt.h API \(Windows Only\) | On | ### Filter Plugins diff --git a/pipeline/inputs/windows-event-log-winevtlog.md b/pipeline/inputs/windows-event-log-winevtlog.md new file mode 100644 index 000000000..053104212 --- /dev/null +++ b/pipeline/inputs/windows-event-log-winevtlog.md 
@@ -0,0 +1,51 @@ +# Windows Event Log (winevtlog) + +The **winevtlog** input plugin allows you to read Windows Event Log with new API from `winevt.h`. + +## Configuration Parameters + +The plugin supports the following configuration parameters: + +| Key | Description | Default | +| :--- | :--- | :--- | +| Channels | A comma-separated list of channels to read from. | | +| Interval\_Sec | Set the polling interval for each channel. \(optional\) | 1 | +| Interval\_NSec | Set the polling interval for each channel (sub seconds. \(optional\) | 0 | +| Read\_Existing\_Events | Whether to read existing events from head or tailing events at last on subscribing. \(optional\) | False | +| DB | Set the path to save the read offsets. \(optional\) | | +| String\_Inserts | Whether to include StringInserts in output records. \(optional\) | False | +| Render\_Event\_As\_XML | Whether to render system part of event as XML string or not. \(optional\) | False | +| Use\_ANSI | Use ANSI encoding on eventlog messages. \(optional\) | False | + +Note that if you do not set _db_, the plugin will tail channels on each startup. + +## Configuration Examples + +### Configuration File + +Here is a minimum configuration example. + +```python +[INPUT] + Name winevtlog + Channels Setup,Windows PowerShell + Interval_Sec 1 + DB winevtlog.sqlite + +[OUTPUT] + Name stdout + Match * +``` + +Note that some Windows Event Log channels \(like `Security`\) requires an admin privilege for reading. In this case, you need to run fluent-bit as an administrator. + +### Command Line + +If you want to do a quick test, you can run this plugin from the command line. + +```bash +$ fluent-bit -i winevtlog -p 'channels=Setup' -p 'Read_Existing_Events=true' -o stdout +``` + +Note that `winevtlog` plugin will tail channles on each startup. +If you want to confirm whether this plugin is working or not, you should specify `-p 'Read_Existing_Events=true'` parameter.
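Review bot: In the new pipeline/inputs/windows-event-log-winevtlog.md hunk, the configuration example is fenced as ```python although it is a Fluent Bit classic-mode config file; tag it as plain text (or whatever tag the sibling input pages use) so GitBook does not apply Python highlighting to `[INPUT]` / `Name winevtlog`. In the same hunk there are several wording defects in the parameter table and notes: the Interval\_NSec description has an unclosed parenthesis in "(sub seconds. \(optional\)"; "some Windows Event Log channels \(like `Security`\) requires an admin privilege" should read "require administrator privileges"; and "will tail channles on each startup" should be "channels". The Read\_Existing\_Events description ("Whether to read existing events from head or tailing events at last on subscribing.") is hard to parse; suggest "Whether to read existing events from the beginning of the channel when subscribing, or only tail new events." The closing sentence "Note that `winevtlog` plugin will tail channles on each startup." is unconditional and contradicts the earlier "if you do not set _db_, the plugin will tail channels on each startup"; since the command-line example sets no DB, qualify it as "Without a DB, the `winevtlog` plugin tails channels on each startup". Finally, rather than only advising "you need to run fluent-bit as an administrator" for the `Security` channel, consider documenting that read access to that channel can be granted to the service account through the built-in Event Log Readers group, so the agent does not have to run with full administrator rights.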