The in_windows_eventlog Input plugin allows Fluentd to read events from the Windows Event Log.

Installation

in_windows_eventlog is included in td-agent 3 MSI by default. Fluentd gem users will need to install the fluent-plugin-windows-eventlog gem using the following command:

$ fluent-gem install fluent-plugin-windows-eventlog

Example Configuration

<source>
  @type windows_eventlog
  @id windows_eventlog
  channels application,system,security
  tag winevt.raw
  <storage>
    @type local
    persistent true
    path C:\opt\td-agent\winevt.pos
  </storage>
</source>

Refer to the Configuration File article for the basic structure and syntax of the configuration file.

Event Example

in_windows_eventlog sets the corresponding channel to the channel field.

Here are some generated events:

# system
{"channel":"system","record_number":"40432","time_generated":"2017-03-07 09:15:39 +0000","time_written":"2017-03-07 09:15:39 +0000","event_id":"7036","event_type":"information","event_category":"0","source_name":"Service Control Manager","computer_name":"WIN-7IMHK7EQ5T3","user":"","description":"The Windows Installer service entered the stopped state.\r\n"}
# security
{"channel":"security","record_number":"26735","time_generated":"2017-03-07 09:14:43 +0000","time_written":"2017-03-07 09:14:43 +0000","event_id":"4726","event_type":"audit_success","event_category":"13824","source_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-7IMHK7EQ5T3","user":"","description":"A user account was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1367273608-854253166-2945741587-500\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tWIN-7IMHK7EQ5T3\r\n\tLogon ID:\t\t0x39e29\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1367273608-854253166-2945741587-1004\r\n\tAccount Name:\t\tabc\r\n\tAccount Domain:\t\tWIN-7IMHK7EQ5T3\r\n\r\nAdditional Information:\r\n\tPrivileges\t-\r\n"}

Plugin Helpers

• timer

• storage

Parameters

See Common Parameters.

@type (required)

The value must be windows_eventlog.

tag (required)

The tag of the event.

channels

The event log channels to read.

Multiple channels can be specified, separated by comma , or array type:

# , separated
channels application,system,security

# array
channels ["application", "system", "security"]

Default: ["application"]

read_interval

The interval of reading the Windows Event log.

Default: 2 seconds

<storage>

<storage> section is the configuration for storage plugin. in_windows_eventlog plugin uses storage plugin for recording the position it last read from.

By default, the local file is used. If you want to use on memory storage, set persistent false.

<storage>
  persistent false
</storage>

If you set root_dir in <section> and set @id in the plugin configuration, the path parameter is automatically generated. If not, you need to set path in <storage> section.

<storage>
  persistent true
  path C:\opt\td-agent\winevt.pos # This is required when persistent is true.
                                  # Or, use <system> section's root_dir parameter.      
</storage>

Learn More

• Input Plugin Overview

FAQ

in_windows_eventlog can't read setup or security events, why?

You need administrator privileges to read these channels. Launch fluentd/td-agent as an administrator.

Further Reading

This page does not describe all the possible configurations. If you want to know about other configurations, please check the link below:

• fluent-plugin-windows-eventlog

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.