Help Request: Unable to parse Windows Event Logs from "Message" field using winevntlog plugin #9024

Open
okbobm opened this issue Jun 28, 2024 · 0 comments

okbobm commented Jun 28, 2024

Bug Report

Describe the bug
Using the winevntlog plugin, I want to be able to parse the Windows Event Log for specific values (e.g. the Account Name from a failed login, EventID=4625), which can be found in the "message" field.

To Reproduce

  • CMD> ProgramFiles\Bin: fluent-bit.exe ..\fluent-bit.config -i winevntlog -p channels=Security -p Read_Existing_Events=true -o stdout

Regex: https://rubular.com/r/NNg5nwq2qc2mEI

Parser.config
    [PARSER]
        Name        winevntlog_parser
        Format      regex
        Regex       Account\s+For\s+Which\s+Logon\s+Failed:\s*.*\s*Account\s+Name:\s+(?<account_name>[^\s]+)
        # Regex       ^.*Account Name:\s+(?<account_name>\S+).*
        Time_Key    time
        Time_Format %d/%b/%Y:%H:%M:%S %z

Fluent-bit.config
    [SERVICE]
        # Flush
        # =====
        # set an interval of seconds before to flush records to a destination
        flush        5

        # Daemon
        # ======
        # instruct Fluent Bit to run in foreground or background mode.
        daemon       Off

        # Log_Level
        # =========
        # Set the verbosity level of the service, values can be:
        #
        # - error
        # - warning
        # - info
        # - debug
        # - trace
        #
        # by default 'info' is set, that means it includes 'error' and 'warning'.
        log_level    info

        # Parsers File
        # ============
        # specify an optional 'Parsers' configuration file
        parsers_file parsers.conf

        # Plugins File
        # ============
        # specify an optional 'Plugins' configuration file to load external plugins.
        plugins_file plugins.conf

        # HTTP Server
        # ===========
        # Enable/Disable the built-in HTTP Server for metrics
        http_server  Off
        http_listen  0.0.0.0
        http_port    2020

        # Storage
        # =======
        # Fluent Bit can use memory and filesystem buffering based mechanisms
        #
        # - https://docs.fluentbit.io/manual/administration/buffering-and-storage
        #
        # storage metrics
        # ---------------
        # publish storage pipeline metrics in '/api/v1/storage'. The metrics are
        # exported only if the 'http_server' option is enabled.
        #
        storage.metrics on

        # storage.path
        # ------------
        # absolute file system path to store filesystem data buffers (chunks).
        #
        # storage.path /tmp/storage

        # storage.sync
        # ------------
        # configure the synchronization mode used to store the data into the
        # filesystem. It can take the values normal or full.
        #
        # storage.sync normal

        # storage.checksum
        # ----------------
        # enable the data integrity check when writing and reading data from the
        # filesystem. The storage layer uses the CRC32 algorithm.
        #
        # storage.checksum off

        # storage.backlog.mem_limit
        # -------------------------
        # if storage.path is set, Fluent Bit will look for data chunks that were
        # not delivered and are still in the storage layer, these are called
        # backlog data. This option configure a hint of maximum value of memory
        # to use when processing these records.
        #
        # storage.backlog.mem_limit 5M

    [INPUT]
        Name         winevtlog
        Channels     Security
        Interval_Sec 1
        DB           winevtlog.sqlite

    [FILTER]
        Name           parser
        Match          *
        Key_Name       message
        Parser         winevntlog_parser
        Preserve_Key   true
        Reserve_Data   true

    [OUTPUT]
        Name         stdout
        Match        *

    [OUTPUT]
        Name               es
        Match              *
        Include_Tag_Key    true
        Tag_Key            tags
        tls                On
        tls.verify         Off
        Suppress_Type_Name On
        cloud_id           <redacted>
        cloud_auth         elastic:<redacted>
        Index              fluent-bit

Expected behavior
I would like to see the account name of the failed login from the Windows Event Log, or any field really from the Event Log. In the example above it would be "Administrator". I've been dabbling with Lua as well, but can't seem to extract anything from this log and have the field show up in Elastic Cloud as an available field.

Screenshots
(screenshot attached to the original issue; not reproduced here)

Your Environment
Windows Server 2022
Elastic Cloud

  • Version used:
  • Configuration:
  • Environment name and version (e.g. Kubernetes? What version?):
  • Server type and version:
  • Operating System and version:
  • Filters and plugins:
    Fluent Bit winevtlog plugin

Additional context

@okbobm okbobm changed the title Unable to parse Windows Event Logs Unable to parse Windows Event Logs from "Message" field using winevntlog plugin Jun 28, 2024
@okbobm okbobm changed the title Unable to parse Windows Event Logs from "Message" field using winevntlog plugin Help Request: Unable to parse Windows Event Logs from "Message" field using winevntlog plugin Jul 5, 2024
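The following is an added example and is not code from the issue or from the Fluent Bit project. It applies the regex from the parser file above to a constructed Security 4625 "Message" text (sample values made up here, laid out like the Windows audit template), shows why the commented-out alternative `Account Name:\s+(\S+)` returns the wrong account, and adds a section-aware parser that pulls out every field a SOC would want indexed (target account, logon type, status codes, source address) without depending on how many lines sit between the section header and the field. Python's `re` stands in for Fluent Bit's Onigmo engine; the only change needed is the named-group syntax, noted in the comments. Function and field names are this example's own.

```python
import re

# Constructed sample of the "Message" text of a Security 4625 (failed logon)
# record, laid out like the Windows audit template: section headers end with
# ':' at column 0, fields are tab-indented 'Key:<tabs>Value' lines. All
# values below are made up for this example.
SAMPLE_4625_MESSAGE = (
    "An account failed to log on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tSRV01$\n"
    "\tAccount Domain:\t\tEXAMPLE\n"
    "\tLogon ID:\t\t0x3E7\n"
    "\n"
    "Logon Type:\t\t\t3\n"
    "\n"
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tS-1-0-0\n"
    "\tAccount Name:\t\tAdministrator\n"
    "\tAccount Domain:\t\tEXAMPLE\n"
    "\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n"
    "\tSub Status:\t\t0xC000006A\n"
    "\n"
    "Network Information:\n"
    "\tWorkstation Name:\tWS-42\n"
    "\tSource Network Address:\t10.0.0.25\n"
    "\tSource Port:\t\t51515\n"
)

# The issue's regex, translated from Onigmo (Fluent Bit / Rubular) to Python:
# Onigmo names a group with (?<name>...), Python's re needs (?P<name>...).
# Everything else is identical. '.' does not cross a newline in either
# engine, so the '\s*.*\s*' bridge spans exactly one intermediate line.
ISSUE_REGEX = re.compile(
    r"Account\s+For\s+Which\s+Logon\s+Failed:\s*.*\s*Account\s+Name:\s+(?P<account_name>[^\s]+)"
)

# The commented-out alternative from the parser file. It matches the FIRST
# 'Account Name:' in the message, which is the Subject (the account that
# reported the event), not the account whose logon failed.
NAIVE_REGEX = re.compile(r"Account Name:\s+(?P<account_name>\S+)")


def account_name_via(regex: re.Pattern, message: str):
    """Return the 'account_name' capture of the first match, or None."""
    match = regex.search(message)
    return match.group("account_name") if match else None


def parse_audit_message(message: str) -> dict:
    """Parse a Windows audit message into {section: {field: value}}.

    Unindented 'Header:' lines open a section; tab-indented 'Key: Value'
    lines belong to the current section; unindented 'Key: Value' lines
    (e.g. 'Logon Type:') and the leading description live under ''.
    """
    sections = {"": {}}
    current = ""
    for raw in message.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith("\t")
        key, sep, value = raw.strip().partition(":")
        if not sep:                      # e.g. "An account failed to log on."
            sections[""].setdefault("Description", key)
            continue
        value = value.strip()
        if not indented and not value:   # section header such as "Subject:"
            current = key
            sections[current] = {}
        else:
            sections.setdefault(current if indented else "", {})[key] = value
    return sections


def failed_logon_fields(message: str) -> dict:
    """Flatten the 4625 fields worth indexing (e.g. in Elastic) into one record."""
    s = parse_audit_message(message)
    target = s.get("Account For Which Logon Failed", {})
    failure = s.get("Failure Information", {})
    network = s.get("Network Information", {})
    return {
        "subject_account_name": s.get("Subject", {}).get("Account Name"),
        "target_account_name": target.get("Account Name"),
        "target_account_domain": target.get("Account Domain"),
        "logon_type": s[""].get("Logon Type"),
        "failure_reason": failure.get("Failure Reason"),
        "status": failure.get("Status"),
        "sub_status": failure.get("Sub Status"),
        "source_ip": network.get("Source Network Address"),
        "workstation": network.get("Workstation Name"),
    }


if __name__ == "__main__":
    print("issue regex :", account_name_via(ISSUE_REGEX, SAMPLE_4625_MESSAGE))
    print("naive regex :", account_name_via(NAIVE_REGEX, SAMPLE_4625_MESSAGE))
    print(failed_logon_fields(SAMPLE_4625_MESSAGE))
```

On a message laid out like the real 4625 template the issue's regex does return the target account, so a non-match inside Fluent Bit usually points at the record rather than the pattern: the parser filter's `Key_Name` is case-sensitive and must equal the key the winevtlog input actually emits (read it off the stdout output before adding the filter), and the raw text the filter sees may differ in line breaks and tabs from what was pasted into Rubular. The section-aware parser avoids the `\s*.*\s*` bridge altogether, so it keeps working when Windows inserts or omits a line between the header and the field, and it yields the status, sub-status and source address in the same pass, which is what a failed-logon detection actually keys on.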