# windows\_eventlog

The `in_windows_eventlog` Input plugin allows Fluentd to read events from the Windows Event Log.

## Installation

`in_windows_eventlog` is included in `td-agent` 3 MSI by default. Fluentd gem users will need to install the `fluent-plugin-windows-eventlog` gem using the following command:

```
$ fluent-gem install fluent-plugin-windows-eventlog
```

## Example Configuration

```
<source>
  @type windows_eventlog
  @id windows_eventlog
  channels application,system,security
  tag winevt.raw
  <storage>
    @type local
    persistent true
    path C:\opt\td-agent\winevt.pos
  </storage>
</source>
```

Refer to the [Configuration File](https://docs.fluentd.org/configuration/config-file) article for the basic structure and syntax of the configuration file.

### Event Example

`in_windows_eventlog` sets the corresponding channel to the `channel` field.

Here are some generated events:

```
# system
{"channel":"system","record_number":"40432","time_generated":"2017-03-07 09:15:39 +0000","time_written":"2017-03-07 09:15:39 +0000","event_id":"7036","event_type":"information","event_category":"0","source_name":"Service Control Manager","computer_name":"WIN-7IMHK7EQ5T3","user":"","description":"The Windows Installer service entered the stopped state.\r\n"}
# security
{"channel":"security","record_number":"26735","time_generated":"2017-03-07 09:14:43 +0000","time_written":"2017-03-07 09:14:43 +0000","event_id":"4726","event_type":"audit_success","event_category":"13824","source_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-7IMHK7EQ5T3","user":"","description":"A user account was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1367273608-854253166-2945741587-500\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tWIN-7IMHK7EQ5T3\r\n\tLogon ID:\t\t0x39e29\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1367273608-854253166-2945741587-1004\r\n\tAccount Name:\t\tabc\r\n\tAccount Domain:\t\tWIN-7IMHK7EQ5T3\r\n\r\nAdditional Information:\r\n\tPrivileges\t-\r\n"}
```

## Plugin Helpers

* [`timer`](https://docs.fluentd.org/plugin-helper-overview/api-plugin-helper-timer)
* [`storage`](https://docs.fluentd.org/plugin-helper-overview/api-plugin-helper-storage)

## Parameters

See [Common Parameters](https://docs.fluentd.org/configuration/plugin-common-parameters).

### `@type` (required)

The value must be `windows_eventlog`.

### `tag` (required)

The tag of the event.

### `channels`

The event log channels to read.

Multiple channels can be specified, separated by comma `,` or array type:

```
# , separated
channels application,system,security

# array
channels ["application", "system", "security"]
```

Default: `["application"]`

### `read_interval`

The interval of reading the Windows Event log.

Default: `2` seconds

### `<storage>`

`<storage>` section is the configuration for storage plugin. `in_windows_eventlog` plugin uses storage plugin for recording the position it last read from.

By default, the local file is used. If you want to use on memory storage, set `persistent false`.

```
<storage>
  persistent false
</storage>
```

If you set `root_dir` in `<section>` and set `@id` in the plugin configuration, the `path` parameter is automatically generated. If not, you need to set `path` in `<storage>` section.

```
<storage>
  persistent true
  path C:\opt\td-agent\winevt.pos # This is required when persistent is true.
                                  # Or, use <system> section's root_dir parameter.      
</storage>
```

## Learn More

* [Input Plugin Overview](https://docs.fluentd.org/input)

## FAQ

### `in_windows_eventlog` can't read `setup` or `security` events, why?

You need administrator privileges to read these channels. Launch `fluentd`/`td-agent` as an administrator.

## Further Reading

This page does not describe all the possible configurations. If you want to know about other configurations, please check the link below:

* [`fluent-plugin-windows-eventlog`](https://github.com/fluent/fluent-plugin-windows-eventlog)

If this article is incorrect or outdated, or omits critical information, please [let us know](https://github.com/fluent/fluentd-docs-gitbook/issues?state=open). [Fluentd](http://www.fluentd.org/) is an open-source project under [Cloud Native Computing Foundation (CNCF)](https://cncf.io/). All components are available under the Apache 2 License.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fluentd.org/input/windows_eventlog.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.