Describe the bug
Using the winevtlog plugin, I want to be able to parse the Windows Event Log for specific values (e.g. the Account Name from a failed login, EventID=4625), which can be found in the "message" field.
Parser config (parsers.conf):

```
[PARSER]
    Name        winevntlog_parser
    Format      regex
    Regex       Account\s+For\s+Which\s+Logon\s+Failed:\s*.*\s*Account\s+Name:\s+(?<account_name>[^\s]+)
    # Regex     ^.*Account Name:\s+(?<account_name>\S+).*
    Time_Key    time
    Time_Format %d/%b/%Y:%H:%M:%S %z
```
Fluent Bit config (fluent-bit.conf):

```
[SERVICE]
    # Flush
    # =====
    # set an interval of seconds before to flush records to a destination
    flush        5

    # Daemon
    # ======
    # instruct Fluent Bit to run in foreground or background mode.
    daemon       Off

    # Log_Level
    # =========
    # Set the verbosity level of the service, values can be:
    #
    # - error
    # - warning
    # - info
    # - debug
    # - trace
    #
    # by default 'info' is set, that means it includes 'error' and 'warning'.
    log_level    info

    # Parsers File
    # ============
    # specify an optional 'Parsers' configuration file
    parsers_file parsers.conf

    # Plugins File
    # ============
    # specify an optional 'Plugins' configuration file to load external plugins.
    plugins_file plugins.conf

    # HTTP Server
    # ===========
    # Enable/Disable the built-in HTTP Server for metrics
    http_server  Off
    http_listen  0.0.0.0
    http_port    2020

    # Storage
    # =======
    # Fluent Bit can use memory and filesystem buffering based mechanisms
    #
    # - https://docs.fluentbit.io/manual/administration/buffering-and-storage
    #
    # storage metrics
    # ---------------
    # publish storage pipeline metrics in '/api/v1/storage'. The metrics are
    # exported only if the 'http_server' option is enabled.
    #
    storage.metrics on

    # storage.path
    # ------------
    # absolute file system path to store filesystem data buffers (chunks).
    #
    # storage.path /tmp/storage

    # storage.sync
    # ------------
    # configure the synchronization mode used to store the data into the
    # filesystem. It can take the values normal or full.
    #
    # storage.sync normal

    # storage.checksum
    # ----------------
    # enable the data integrity check when writing and reading data from the
    # filesystem. The storage layer uses the CRC32 algorithm.
    #
    # storage.checksum off

    # storage.backlog.mem_limit
    # -------------------------
    # if storage.path is set, Fluent Bit will look for data chunks that were
    # not delivered and are still in the storage layer, these are called
    # backlog data. This option configure a hint of maximum value of memory
    # to use when processing these records.
    #
    # storage.backlog.mem_limit 5M

[INPUT]
    Name         winevtlog
    Channels     Security
    Interval_Sec 1
    DB           winevtlog.sqlite

[FILTER]
    Name         parser
    Match        *
    Key_Name     message
    Parser       winevntlog_parser
    Preserve_Key true
    Reserve_Data true

[OUTPUT]
    Name  stdout
    Match *

[OUTPUT]
    Name               es
    Match              *
    Include_Tag_Key    true
    Tag_Key            tags
    tls                On
    tls.verify         Off
    Suppress_Type_Name On
    cloud_id           <redacted>
    cloud_auth         elastic:<redacted>
    Index              fluent-bit
```
Expected behavior
I would like to see the account name of the failed login from the Windows Event Log, or really any field from the Event Log. In the example above it would be "Administrator". I've been dabbling with Lua as well, but can't seem to extract anything from this log and have the field show up in Elastic Cloud as an available field.
Screenshots
Your Environment
- Windows Server 2022
- Elastic Cloud
- Version used:
- Configuration:
- Environment name and version (e.g. Kubernetes? What version?):
- Server type and version:
- Operating System and version:
- Filters and plugins: Fluent Bit winevtlog plugin
Additional context
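Added example, not part of the issue and not Fluent Bit's own code: a Ruby script that runs both regexes from the parser config above over a constructed Event ID 4625 message. Ruby's regex engine is Onigmo, the same engine Fluent Bit's regex parser uses (and the engine behind Rubular), so what matches here is what the parser filter would match. The message body follows the standard 4625 layout, but the account, domain, SIDs and address in it are made up, and the names `SAMPLE_4625`, `account_name_with`, `FAILED_LOGON_PATTERN` and `parse_failed_logon` are this example's, not the plugin's.

```ruby
# Added example, not from the issue or from Fluent Bit. Runs the issue's
# regexes against a constructed Event ID 4625 message using Ruby's Onigmo
# engine, which is also the engine behind Fluent Bit's regex parser.

# Constructed sample of a 4625 ("An account failed to log on") message body,
# laid out like the Security log renders it: CRLF line endings, tab-indented
# fields. Names, SIDs and the address are made up.
SAMPLE_4625 = [
  "An account failed to log on.",
  "",
  "Subject:",
  "\tSecurity ID:\t\tS-1-0-0",
  "\tAccount Name:\t\t-",
  "\tAccount Domain:\t\t-",
  "\tLogon ID:\t\t0x0",
  "",
  "Logon Type:\t\t\t3",
  "",
  "Account For Which Logon Failed:",
  "\tSecurity ID:\t\tS-1-0-0",
  "\tAccount Name:\t\tAdministrator",
  "\tAccount Domain:\t\tCONTOSO",
  "",
  "Failure Information:",
  "\tFailure Reason:\t\tUnknown user name or bad password.",
  "\tStatus:\t\t\t0xC000006D",
  "\tSub Status:\t\t0xC000006A",
  "",
  "Network Information:",
  "\tWorkstation Name:\tWIN-CLIENT01",
  "\tSource Network Address:\t10.0.0.5",
  "\tSource Port:\t\t49152",
].join("\r\n")

# The active Regex line from the parser config in the issue, verbatim.
# "." does not match "\n" in Onigmo, but the "\s*" on either side of ".*" eats
# the line breaks, and only one line (Security ID) separates the section
# header from "Account Name:", so this pattern does reach the target account.
ISSUE_REGEX = /Account\s+For\s+Which\s+Logon\s+Failed:\s*.*\s*Account\s+Name:\s+(?<account_name>[^\s]+)/

# The commented-out alternative from the same config. "^" anchors at any line
# start, so the first "Account Name:" wins: the Subject block's placeholder.
NAIVE_REGEX = /^.*Account Name:\s+(?<account_name>\S+).*/

def account_name_with(regex, message)
  m = regex.match(message)
  m && m[:account_name]
end

# A fuller pattern for the same message. Each field is anchored on the section
# header that precedes it, and "[\s\S]*?" (lazy, crosses newlines without any
# flag) bridges the lines in between. The joined string is a single-line
# pattern that can be used as a Regex value in parsers.conf as-is.
FAILED_LOGON_PATTERN = [
  'Logon\s+Type:\s+(?<logon_type>\d+)',
  '[\s\S]*?Account\s+For\s+Which\s+Logon\s+Failed:',
  '[\s\S]*?Account\s+Name:\s+(?<account_name>[^\r\n]+)',
  '[\s\S]*?Account\s+Domain:\s+(?<account_domain>[^\r\n]+)',
  '[\s\S]*?Failure\s+Reason:\s+(?<failure_reason>[^\r\n]+)',
  '[\s\S]*?Status:\s+(?<status>0x[0-9A-Fa-f]+)',
  '[\s\S]*?Source\s+Network\s+Address:\s+(?<source_ip>\S+)',
].join
FAILED_LOGON_REGEX = Regexp.new(FAILED_LOGON_PATTERN)

# Returns a Hash of field name => value, or nil when the message is not a 4625
# body (for example a 4624 success event, which has no "Logon Failed" section).
def parse_failed_logon(message)
  m = FAILED_LOGON_REGEX.match(message)
  return nil unless m
  m.names.each_with_object({}) { |name, fields| fields[name] = m[name] }
end

if __FILE__ == $PROGRAM_NAME
  puts "issue regex -> #{account_name_with(ISSUE_REGEX, SAMPLE_4625).inspect}"
  puts "naive regex -> #{account_name_with(NAIVE_REGEX, SAMPLE_4625).inspect}"
  puts "full parser -> #{parse_failed_logon(SAMPLE_4625).inspect}"
  puts "parsers.conf line:\n    Regex #{FAILED_LOGON_PATTERN}"
end
```

Two things this shows. First, the regex in the parser config is not what is losing the field: on a standard 4625 body it captures `Administrator`, while the commented-out alternative captures the Subject block's `-`. Second, since the pattern matches, the place to look is the filter wiring: the winevtlog documentation's sample output names the field `Message` (capital M), and `Key_Name` must match the key exactly as emitted, so `Key_Name message` would never hand the text to the parser; the `Time_Key time` / Apache-style `Time_Format` pair also refers to a key the winevtlog record does not carry. As a regex-free alternative for Lua, the same record carries `StringInserts`, the event's raw insertion strings in EventData order, where the target user name for 4625 is a fixed index that can be checked against the event's XML view in Event Viewer.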
okbobm changed the title from 'Unable to parse Windows Event Logs' to 'Unable to parse Windows Event Logs from "Message" field using winevntlog plugin' on Jun 28, 2024
okbobm changed the title from 'Unable to parse Windows Event Logs from "Message" field using winevntlog plugin' to 'Help Request: Unable to parse Windows Event Logs from "Message" field using winevntlog plugin' on Jul 5, 2024
To Reproduce
Regex: https://rubular.com/r/NNg5nwq2qc2mEI