fluent-bit: Windows Event Log input plugin doesn't pickup correct Event Log.
Bug Report
Describe the bug
Attempting to use the winlog input plugin with a “Complex” (aka something like “Microsoft-Windows-Time-Service/Operational”) name fails to retrieve that log and instead transparently pulls up the “Application” event log.
To Reproduce
- Open Event Viewer (so you can either verify the log presented by fluent-bit, or use an alternative channel to test)
- Start fluent-bit with the following configuration. (In theory, everyone who is on Windows 10 should have this Time-Service log, if not, use any log in “Applications and Services\Microsoft” in the event viewer, replacing the channel name in the config with the “Full Name” of the log in the log’s properties.)
    [SERVICE]
        Flush        5
        Daemon       yes
        Log_Level    debug
    [INPUT]
        Name         winlog
        Channels     Microsoft-Windows-Time-Service/Operational
        Interval_Sec 1
    [OUTPUT]
        Name         stdout
- Observe that the logs outputted are actually the event logs from Application (Windows Logs\Application in Event Viewer)
- Observe that the logs in the pathed log are different (In this case, use Applications and Services\Microsoft\Time-Service\Operational.)
I have tried running this in Admin Mode (Ruling out the cause of transparent Permission Denied), that does not solve the issue.
Expected behavior
The actual event logs are taken out and printed to stdout. In this case, it should just be mostly events relating to the Time Service (W32TimeSvc).
Screenshots
I’m attempting to get this log:
But I’m getting this as output:
This log seems to correspond to this event in Applications (which is the wrong one):
Your Environment
- Version used: 1.7.3
- Configuration:
    [SERVICE]
        Flush        5
        Daemon       yes
        Log_Level    debug
    [INPUT]
        Name         winlog
        Channels     Microsoft-Windows-Time-Service/Operational
        Interval_Sec 1
    [OUTPUT]
        Name         stdout
- Environment name and version (e.g. Kubernetes? What version?): Bare Metal Laptop
- Operating System and version: Windows 10, 64-bit, Version 2004 (19041.867)
- Filters and plugins: winlog input, stdout output.
Additional context
I’m attempting to gather Windows event logs to eventually get them to a file. The file part works so I’m not including that in my config. However, fundamentally it seems that fluent-bit is not gathering the correct logs (for this event log at least).
I’ve noticed in https://github.com/fluent/fluent-plugin-windows-eventlog, that there is a “windows_eventlog2” type for fluentd, which makes me think that there’s a newer API for windows to gather windows event logs.
I was wondering if there’s something equivalent over here on the fluent-bit side, and if so, something to point me in the right direction to it.
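As a pre-flight check for the reproduction steps above (an added example, not code from the issue or from fluent-bit): this PowerShell script takes the same channel names you would put in the winlog Channels key, reports whether Windows treats each one as a classic log, and lists the providers actually writing to it, so output that really came from Application is easy to recognise. It assumes PowerShell 5.1 or later on the host where fluent-bit runs.

```powershell
# Added example; not part of the issue or of fluent-bit itself. Assumes
# PowerShell 5.1 or later on the host where fluent-bit runs.
param(
    # Same values as the "Channels" key of the winlog [INPUT] section.
    [string[]]$Channels = @('Microsoft-Windows-Time-Service/Operational', 'Application'),
    # How many recent events to sample per channel.
    [int]$Sample = 50
)

foreach ($channel in $Channels) {
    $cfg = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $cfg) {
        Write-Warning "Channel '$channel' does not exist on this host"
        continue
    }

    # Classic logs (Application, System, Security, ...) are readable through the
    # legacy Event Logging API. Channels under "Applications and Services Logs"
    # report IsClassicLog = False and are only reachable through the newer
    # Windows Event Log (EvtLog) API.
    $providers = Get-WinEvent -LogName $channel -MaxEvents $Sample -ErrorAction SilentlyContinue |
        Group-Object -Property ProviderName |
        Sort-Object -Property Count -Descending |
        ForEach-Object { '{0} ({1})' -f $_.Name, $_.Count }

    # One object per channel, so the result can be piped to Format-Table or Export-Csv.
    [pscustomobject]@{
        Channel      = $channel
        ClassicLog   = [bool]$cfg.IsClassicLog
        Records      = $cfg.RecordCount
        TopProviders = ($providers | Select-Object -First 5) -join ', '
    }
}
```

Any row with ClassicLog = False is a channel the old winlog plugin cannot read; if fluent-bit's stdout shows that channel's name but the providers from the Application row, the mislabeling this issue describes is happening.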
About this issue
- State: closed
- Created 3 years ago
- Reactions: 2
- Comments: 25 (15 by maintainers)
I sent a PR to handle the new Windows EventLog plugin: https://github.com/fluent/fluent-bit/pull/4179
The old winlog plugin does not handle Applications and Services Logs. This is known issue. The new plugin will be able to fix it.
I also ran into this immediately on my first day trying out fluent bit.
My config is:
And indeed, the logs that are really in the Microsoft-Windows-PowerShell/Operational aren’t showing up in loki but the ones from Application are now being mislabeled as coming from Microsoft-Windows-PowerShell/Operational. I think support for the newer channels is very important, but until that is implemented there should probably be a restriction on the Channels config to only allow the classical channel names, because currently this just causes confusion and frankly forwards broken/incorrect log data which is never good.
Avoid stale. Hoping for any update from fluent bit team 😃
Upping to avoid stale. Anyone else encounter this issue?
Plus 1 to closing
There is a newer windows API and I believe we are still using the old one. We might be able to add a better custom path with the old api - @cosmo0920 could you take a look next week?