fluent-plugin-windows-eventlog

Component

fluentd Input plugin for the Windows Event Log

Fluentd plugin to read the Windows Event Log.

Installation

ridk exec gem install fluent-plugin-windows-eventlog

Configuration

in_windows_eventlog

Check in_windows_eventlog2 first. in_windows_eventlog will be replaced with in_windows_eventlog2.

fluentd Input plugin for the Windows Event Log using old Windows Event Logging API

<source>
  @type windows_eventlog
  @id windows_eventlog
  channels application,system
  read_interval 2
  tag winevt.raw
  <storage>
    @type local             # @type local is the default.
    persistent true         # default is true. Set to false to use in-memory storage.
    path ./tmp/storage.json # This is required when persistent is true.
                            # Or, please consider using <system> section's `root_dir` parameter.
  </storage>
</source>

parameters

name	description
`channels`	(option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.
`keys`	(option) A subset of keys to read. Defaults to all keys.
`read_interval`	(option) Read interval in seconds. 2 seconds as default.
`from_encoding`	(option) Input character encoding. `nil` as default.
`encoding`	(option) Output character encoding. `nil` as default.
`read_from_head`	(option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.
`<storage>`	Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.
`parse_description`	(option) parse `description` field and set parsed result into the record. `parse` and `string_inserts` fields are removed

Available keys

This plugin reads the following fields from Windows Event Log entries. Use the keys configuration option to select a subset. No other customization is allowed for now.

key
`record_number`
`time_generated`
`time_written`
`event_id`
`event_type`
`event_category`
`source_name`
`computer_name`
`user`
`description`
`string_inserts`

`parse_description` details

Here is an example with parse_description true.

{
  "channel": "security",
  "record_number": "91698",
  "time_generated": "2017-08-29 20:12:29 +0000",
  "time_written": "2017-08-29 20:12:29 +0000",
  "event_id": "4798",
  "event_type": "audit_success",
  "event_category": "13824",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "computer_name": "TEST",
  "user": "",
  "description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-XXX\r\n\tAccount Name:\t\tTEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x7dc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe\r\n",
  "string_inserts": [
    "Administrator",
    "TEST",
    "S-XXX-YYY-ZZZ",
    "S-XXX",
    "TEST$",
    "WORKGROUP",
    "0x3e7",
    "0x7dc",
    "C:\\Windows\\System32\\LogonUI.exe"
  ]
}

This record is transformed to

{
  "channel": "security",
  "record_number": "91698",
  "time_generated": "2017-08-29 20:12:29 +0000",
  "time_written": "2017-08-29 20:12:29 +0000",
  "event_id": "4798",
  "event_type": "audit_success",
  "event_category": "13824",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "computer_name": "TEST",
  "user": "",
  "description_title": "A user's local group membership was enumerated.",
  "subject.security_id": "S-XXX",
  "subject.account_name": "TEST$",
  "subject.account_domain": "WORKGROUP",
  "subject.logon_id": "0x3e7",
  "user.security_id": "S-XXX-YYY-ZZZ",
  "user.account_name": "Administrator",
  "user.account_domain": "TEST",
  "process_information.process_id": "0x7dc",
  "process_information.process_name": "C:\\Windows\\System32\\LogonUI.exe\r\n"
}

NOTE: This feature assumes description field has following formats:

group delimiter: \r\n\r\n
record delimiter: \r\n\t
field delimiter: \t\t

If your description doesn't follow this format, the parsed result is only description_title field with same description content.

in_windows_eventlog2

fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to in_windows_eventlog. See also this slide for the details of in_windows_eventlog2 plugin.

<source>
  @type windows_eventlog2
  @id windows_eventlog2
  channels application,system # Also be able to use `<subscribe>` directive.
  read_existing_events false
  read_interval 2
  tag winevt.raw
  render_as_xml false       # default is false.
  rate_limit 200            # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
  # preserve_qualifiers_on_hash true # default is false.
  # read_all_channels false # default is false.
  # description_locale en_US # default is nil. It means that system locale is used for obtaining description.
  # refresh_subscription_interval 10m # default is nil. It specifies refresh interval for channel subscriptions.
  # event_query "Event/System[EventID!=1001]" # default is "*".
  <storage>
    @type local             # @type local is the default.
    persistent true         # default is true. Set to false to use in-memory storage.
    path ./tmp/storage.json # This is required when persistent is true. If migrating from eventlog v1 please ensure that you remove the old .pos folder
                            # Or, please consider using <system> section's `root_dir` parameter.
  </storage>
  # <parse> # Note: parsing is only available when render_as_xml true
  #  @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
    # When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys.
    # When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers".
    # With the following equation:
    # (EventID & 0xffff) | (Qualifiers & 0xffff) << 16
    # preserve_qualifiers true # preserve_qualifiers_on_hash can be used as a setting outside <parse> if render_as_xml is false
  # </parse>
  # <subscribe>
  #   channles application, system
  #   read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
  #   remote_server 127.0.0.1 # Remote server ip/fqdn
  #   remote_domain WORKGROUP # Domain name
  #   remote_username fluentd # Remoting access account name
  #   remote_password changeme! # Remoting access account password
  # </subscribe>
</source>

NOTE: in_windows_eventlog2 always handles EventLog records as UTF-8 characters. Users don't have to specify encoding related parameters and they are not provided.

NOTE: When Description contains error message such as The message resource is present but the message was not found in the message table., eventlog's resource file (.mui) related to error generating event is something wrong. This issue is also occurred in built-in Windows Event Viewer which is the part of Windows management tool.

NOTE: When render_as_xml as true, fluent-plugin-parser-winevt_xml plugin should be needed to parse XML rendered Windows EventLog string.

NOTE: If you encountered CPU spike due to massively huge EventLog channel, rate_limit parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(Winevt::EventLog::Subscribe::RATE_INFINITE).

parameters

name	description
`channels`	(option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'} and other evtx, which is the brand new Windows XML Event Log (EVTX) format since Windows Vista, formatted channels. Theoritically, `in_windows_ventlog2` may read all of channels except for debug and analytical typed channels. If you want to read 'setup' or 'security' logs or some privileged channels, you must launch fluentd with administrator privileges.
`keys`	(option) A subset of keys to read. Defaults to all keys.
`read_interval`	(option) Read interval in seconds. 2 seconds as default.
`from_encoding`	(option) Input character encoding. `nil` as default.
`<storage>`	Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.
`<parse>`	Setting for `parser` plugin for parsing raw XML EventLog records.
`parse_description`	(option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed
`read_from_head`	Deprecated (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.
`read_existing_events`	(option) Read the entries which already exist before fluentd is started. Defaults to `false`.
`render_as_xml`	(option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `false`.
`rate_limit`	(option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.
`preserve_qualifiers_on_hash`	(option) When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys. When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers". Default is `false`.
`read_all_channels`	(option) Read from all channels. Default is `false`
`description_locale`	(option) Specify description locale. Default is `nil`. See also: Supported locales
`refresh_subscription_interval`	(option) It specifies refresh interval for channel subscriptions. Default is `nil`.
`event_query`	(option) It specifies query for deny/allow/filter events with XPath 1.0 or structured XML query. Default is `"*"` (retrieving all events).
`<subscribe>`	Setting for subscribe channels.

subscribe section

name	description
`channels`	One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.
`read_existing_events`	(option) Read the entries which already exist before fluentd is started. Defaults to `false`.
`remote_server`	(option) Remoting access server ip address/fqdn. Defaults to `nil`.
`remote_domain`	(option) Remoting access server joining domain name. Defaults to `nil`.
`remote_username`	(option) Remoting access access account's username. Defaults to `nil`.
`remote_password`	(option) Remoting access access account's password. Defaults to `nil`.

Motivation: subscribe directive is designed for applying read_existing_events each of channels which is specified in subscribe section(s).

e.g) The previous configuration can handle read_existing_events but this parameter only specifies read_existing_events or not for channels which are specified in channels.

channels ["Application", "Security", "HardwareEvents"]
read_existing_events true

is interpreted as "Application", "Security", and "HardwareEvents" should be read existing events.

But some users want to configure to:

"Application" and "Security" channels just tailing
"HardwareEvent" channel read existing events before launching Fluentd

With <subscribe> directive, this requirements can be represendted as:

<subscribe>
  channels ["Application", "Security"]
  # read_existing_events false
</subscribe>
<subscribe>
  channels ["HardwareEvent"]
  read_existing_events true
</subscribe>

This configuration can be handled as:

"Application" and "Security" channels just tailing
"HardwareEvent" channel read existing events before launching Fluentd

Remoting access

<subscribe> section supports remoting access parameters:

remote_server
remote_domain
remote_username
remote_password

These parameters are only in <subscribe> directive.

Note that before using this feature, remoting access users should belong to "Event Log Readers" group:

> net localgroup "Event Log Readers" <domain\username> /add

And then, users also should set up their remote box's Firewall configuration:

> netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

As a security best practices, remoting access account should not be administrator account.

For graphical instructions, please refer to Preconfigure a Machine to Collect Remote Windows Events | Sumo Logic document for example.