Versions | v0.14 (td-agent3)

This page is for v0.14, not the latest stable version which is v0.12. For the latest stable version of this article, click here.


windows_eventlog Input Plugin

The in_windows_eventlog Input plugin allows Fluentd to read events from the Windows Event Log.

Table of Contents

Installation

in_windows_eventlog is included in td-agent 3 msi by default. Fluentd gem users will need to install the fluent-plugin-windows-eventlog gem using the following command.

$ fluent-gem install fluent-plugin-windows-eventlog

Example Configuration

<source>
  @type windows_eventlog
  @id windows_eventlog
  channels application,system,security
  tag winevt.raw
  <storage>
    @type local
    persistent true
    path C:\opt\td-agent\winevt.pos
  </storage>
</source>
Please see the Config File article for the basic structure and syntax of the configuration file.

Event example

Here are generated event examples. in_windows_eventlog set corresponding channel to channel field.

# system
{"channel":"system","record_number":"40432","time_generated":"2017-03-07 09:15:39 +0000","time_written":"2017-03-07 09:15:39 +0000","event_id":"7036","event_type":"information","event_category":"0","source_name":"Service Control Manager","computer_name":"WIN-7IMHK7EQ5T3","user":"","description":"The Windows Installer service entered the stopped state.\r\n"}
# security
{"channel":"security","record_number":"26735","time_generated":"2017-03-07 09:14:43 +0000","time_written":"2017-03-07 09:14:43 +0000","event_id":"4726","event_type":"audit_success","event_category":"13824","source_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-7IMHK7EQ5T3","user":"","description":"A user account was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1367273608-854253166-2945741587-500\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tWIN-7IMHK7EQ5T3\r\n\tLogon ID:\t\t0x39e29\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1367273608-854253166-2945741587-1004\r\n\tAccount Name:\t\tabc\r\n\tAccount Domain:\t\tWIN-7IMHK7EQ5T3\r\n\r\nAdditional Information:\r\n\tPrivileges\t-\r\n"}

Parameters

@type (required)

The value must be windows_eventlog.

tag (required)

The tag of the event.

channels

The event log channels to read. Multiple channels can be specified, separated by ‘' or array type

# , separated
channels application,system,security
# array
channels ["application", "system", "security"]

Default is ["application"].

read_interval

The interval of reading windowd event log. Default is 2 seconds.

<storage>

<storage> section is the configuration for storage plugin. in_windows_eventlog plugin uses storage plugin for recording the position it last read into this file.

The default is using local file. If you want to use on memory storage, set persistent false.

<storage>
  persistent false
</storage>

If you set root_dir in <section> and set @id in plugin configuration, path parameter is automatically generated. If not, you need to set path in <storage> section.

<storage>
  persistent true
  path C:\opt\td-agent\winevt.pos # This is required when persistent is true.
                                  # Or, use <system> section's root_dir parameter.      
</storage>

FAQ

in_windows_eventlog can’t read setup or security events, why?

You need administrator privilege to read these channels. Launch fluentd/td-agent as an administrator.

Further Reading

This page doesn’t describe all the possible configurations. If you want to know about other configurations, please check the link below.

Last updated: 2017-03-08 14:30:26 UTC

Versions | v0.14 (td-agent3)

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF), originally invented by Treasure Data, Inc. All components are available under the Apache 2 License.

Interested in the Fluentd Newsletters?