Merge pull request #98 from daipom/readme-separate-old-version-description

README: Separate description about old version into another file
ashie committed Apr 28, 2023
2 parents d39ecbd + 8550571 commit 9e191ab
Showing 2 changed files with 136 additions and 123 deletions.
139 changes: 16 additions & 123 deletions README.md
@@ -6,131 +6,24 @@

[Fluentd](https://www.fluentd.org/) plugin to read the Windows Event Log.

## Installation
ridk exec gem install fluent-plugin-windows-eventlog

## Configuration

### in_windows_eventlog

Check [in_windows_eventlog2](https://github.com/fluent/fluent-plugin-windows-eventlog#in_windows_eventlog2) first. `in_windows_eventlog` will be replaced with `in_windows_eventlog2`.

fluentd Input plugin for the Windows Event Log using old Windows Event Logging API

<source>
@type windows_eventlog
@id windows_eventlog
channels application,system
read_interval 2
tag winevt.raw
<storage>
@type local # @type local is the default.
persistent true # default is true. Set to false to use in-memory storage.
path ./tmp/storage.json # This is required when persistent is true.
# Or, please consider using <system> section's `root_dir` parameter.
</storage>
</source>
This repository contains 2 Fluentd plugins:

#### parameters
* in_windows_eventlog
* in_windows_eventlog2

|name | description |
|:----- |:----- |
|`channels` | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
|`keys` | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
|`read_interval` | (option) Read interval in seconds. 2 seconds as default.|
|`from_encoding` | (option) Input character encoding. `nil` as default.|
|`encoding` | (option) Output character encoding. `nil` as default.|
|`read_from_head` | (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
|`<storage>` | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
|`parse_description`| (option) parse `description` field and set parsed result into the record. `parse` and `string_inserts` fields are removed|
The former one is obsolete, please don't use in newly deployment.

##### Available keys
This document describes about the later one.
If you want to know about the obsolete one, please see [in_windows_eventlog(old).md](in_windows_eventlog(old).md)

This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.

|key|
|:----- |
|`record_number` |
|`time_generated`|
|`time_written` |
|`event_id` |
|`event_type` |
|`event_category`|
|`source_name` |
|`computer_name` |
|`user` |
|`description` |
|`string_inserts`|

##### `parse_description` details

Here is an example with `parse_description true`.

```
{
"channel": "security",
"record_number": "91698",
"time_generated": "2017-08-29 20:12:29 +0000",
"time_written": "2017-08-29 20:12:29 +0000",
"event_id": "4798",
"event_type": "audit_success",
"event_category": "13824",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "TEST",
"user": "",
"description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-XXX\r\n\tAccount Name:\t\tTEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x7dc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe\r\n",
"string_inserts": [
"Administrator",
"TEST",
"S-XXX-YYY-ZZZ",
"S-XXX",
"TEST$",
"WORKGROUP",
"0x3e7",
"0x7dc",
"C:\\Windows\\System32\\LogonUI.exe"
]
}
```

This record is transformed to

```
{
"channel": "security",
"record_number": "91698",
"time_generated": "2017-08-29 20:12:29 +0000",
"time_written": "2017-08-29 20:12:29 +0000",
"event_id": "4798",
"event_type": "audit_success",
"event_category": "13824",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "TEST",
"user": "",
"description_title": "A user's local group membership was enumerated.",
"subject.security_id": "S-XXX",
"subject.account_name": "TEST$",
"subject.account_domain": "WORKGROUP",
"subject.logon_id": "0x3e7",
"user.security_id": "S-XXX-YYY-ZZZ",
"user.account_name": "Administrator",
"user.account_domain": "TEST",
"process_information.process_id": "0x7dc",
"process_information.process_name": "C:\\Windows\\System32\\LogonUI.exe\r\n"
}
```

NOTE: This feature assumes `description` field has following formats:

- group delimiter: `\r\n\r\n`
- record delimiter: `\r\n\t`
- field delimiter: `\t\t`
## Installation
ridk exec gem install fluent-plugin-windows-eventlog

If your `description` doesn't follow this format, the parsed result is only `description_title` field with same `description` content.
## in_windows_eventlog2

### in_windows_eventlog2
Fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to [in_windows_eventlog](in_windows_eventlog(old).md). See also [this slide](https://www.slideshare.net/cosmo0920/fluentd-meetup-2019) for the details of `in_windows_eventlog2` plugin.

fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to `in_windows_eventlog`. See also [this slide](https://www.slideshare.net/cosmo0920/fluentd-meetup-2019) for the details of `in_windows_eventlog2` plugin.
## Configuration

<source>
@type windows_eventlog2
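Review bot: two wording slips in the new intro lines of this hunk, `The former one is obsolete, please don't use in newly deployment.` and `This document describes about the later one.`; suggest `The former is obsolete; please don't use it in new deployments.` and `This document describes the latter one.` (the reference is to the second item in the list, so "latter", not "later"). Separately, the new link destination `in_windows_eventlog(old).md` only works because CommonMark allows balanced parentheses inside a link destination; GitHub renders it, but a file name without parentheses (for example `in_windows_eventlog_old.md`) or a percent-encoded destination would be more robust for other Markdown renderers and for shell users who have to quote the name.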
@@ -178,7 +71,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging

**NOTE:** If you encountered CPU spike due to massively huge EventLog channel, `rate_limit` parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).

#### parameters
### parameters

|name | description |
|:----- |:----- |
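Review bot: the unchanged NOTE context line in this hunk still reads `Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).`; since the heading right below it is being edited anyway, suggest fixing it in the same pass to `Currently, this parameter can handle multiples of 10 or -1 (`Winevt::EventLog::Subscribe::RATE_INFINITE`).` ("parameter", and a space before the parenthesis). The heading demotion from `####` to `###` itself is consistent with dropping the former `### in_windows_eventlog2` parent heading.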
@@ -200,7 +93,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
|`event_query`|(option) It specifies query for deny/allow/filter events with XPath 1.0 or structured XML query. Default is `"*"` (retrieving all events).|
|`<subscribe>` | Setting for subscribe channels. |

##### subscribe section
#### subscribe section

|name | description |
|:----- |:----- |
@@ -246,7 +139,7 @@ This configuration can be handled as:
* "Application" and "Security" channels just tailing
* "HardwareEvent" channel read existing events before launching Fluentd

###### Remoting access
##### Remoting access

`<subscribe>` section supports remoting access parameters:

@@ -273,7 +166,7 @@ As a security best practices, remoting access account _should not be administrat

For graphical instructions, please refer to [Preconfigure a Machine to Collect Remote Windows Events | Sumo Logic](https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Remote-Windows-Event-Log-Source/Preconfigure-a-Machine-to-Collect-Remote-Windows-Events) document for example.

##### Available keys
#### Available keys

This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.

@@ -300,7 +193,7 @@ This plugin reads the following fields from Windows Event Log entries. Use the `
|`Description` |
|`EventData` |

##### `parse_description` details
#### `parse_description` details

Here is an example with `parse_description true`.

120 changes: 120 additions & 0 deletions in_windows_eventlog(old).md
@@ -0,0 +1,120 @@
# in_windows_eventlog (old)

This is a document about `in_windows_eventlog`, which is the old version of `in_windows_eventlog2`.

Please use `in_windows_eventlog2` since this will be replaced with it.

## Configuration

fluentd Input plugin for the Windows Event Log using old Windows Event Logging API

<source>
@type windows_eventlog
@id windows_eventlog
channels application,system
read_interval 2
tag winevt.raw
<storage>
@type local # @type local is the default.
persistent true # default is true. Set to false to use in-memory storage.
path ./tmp/storage.json # This is required when persistent is true.
# Or, please consider using <system> section's `root_dir` parameter.
</storage>
</source>

### parameters

|name | description |
|:----- |:----- |
|`channels` | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
|`keys` | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
|`read_interval` | (option) Read interval in seconds. 2 seconds as default.|
|`from_encoding` | (option) Input character encoding. `nil` as default.|
|`encoding` | (option) Output character encoding. `nil` as default.|
|`read_from_head` | (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
|`<storage>` | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
|`parse_description`| (option) parse `description` field and set parsed result into the record. `parse` and `string_inserts` fields are removed|

### Available keys

This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.

|key|
|:----- |
|`record_number` |
|`time_generated`|
|`time_written` |
|`event_id` |
|`event_type` |
|`event_category`|
|`source_name` |
|`computer_name` |
|`user` |
|`description` |
|`string_inserts`|

### `parse_description` details

Here is an example with `parse_description true`.

```
{
"channel": "security",
"record_number": "91698",
"time_generated": "2017-08-29 20:12:29 +0000",
"time_written": "2017-08-29 20:12:29 +0000",
"event_id": "4798",
"event_type": "audit_success",
"event_category": "13824",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "TEST",
"user": "",
"description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-XXX\r\n\tAccount Name:\t\tTEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x7dc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe\r\n",
"string_inserts": [
"Administrator",
"TEST",
"S-XXX-YYY-ZZZ",
"S-XXX",
"TEST$",
"WORKGROUP",
"0x3e7",
"0x7dc",
"C:\\Windows\\System32\\LogonUI.exe"
]
}
```

This record is transformed to

```
{
"channel": "security",
"record_number": "91698",
"time_generated": "2017-08-29 20:12:29 +0000",
"time_written": "2017-08-29 20:12:29 +0000",
"event_id": "4798",
"event_type": "audit_success",
"event_category": "13824",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "TEST",
"user": "",
"description_title": "A user's local group membership was enumerated.",
"subject.security_id": "S-XXX",
"subject.account_name": "TEST$",
"subject.account_domain": "WORKGROUP",
"subject.logon_id": "0x3e7",
"user.security_id": "S-XXX-YYY-ZZZ",
"user.account_name": "Administrator",
"user.account_domain": "TEST",
"process_information.process_id": "0x7dc",
"process_information.process_name": "C:\\Windows\\System32\\LogonUI.exe\r\n"
}
```

NOTE: This feature assumes `description` field has following formats:

- group delimiter: `\r\n\r\n`
- record delimiter: `\r\n\t`
- field delimiter: `\t\t`

If your `description` doesn't follow this format, the parsed result is only `description_title` field with same `description` content.
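Review bot: the `keys` row in the parameters table links to `[keys](#read-keys)`, but the only matching heading in this new file is `### Available keys`, for which GitHub generates the anchor `#available-keys`, so the link is dead; suggest `[keys](#available-keys)`. The same stale anchor was in the README section being moved, so this is the natural place to fix it. Also, the `parse_description` row says `` `parse` and `string_inserts` fields are removed ``, while the worked example further down removes `description` and `string_inserts` from the record; `parse` looks like a typo for `description` and should be corrected so the table matches the example.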
