Windows Event Log (winevtlog)

The winevtlog input plugin allows you to read Windows Event Log with new API from winevt.h.

Configuration Parameters

The plugin supports the following configuration parameters:

KeyDescriptionDefault

Channels

A comma-separated list of channels to read from.

Interval_Sec

Set the polling interval for each channel. (optional)

1

Interval_NSec

Set the polling interval for each channel (sub seconds. (optional)

0

Read_Existing_Events

Whether to read existing events from head or tailing events at last on subscribing. (optional)

False

DB

Set the path to save the read offsets. (optional)

String_Inserts

Whether to include StringInserts in output records. (optional)

True

Render_Event_As_XML

Whether to render system part of event as XML string or not. (optional)

False

Use_ANSI

Use ANSI encoding on eventlog messages. If you have issues receiving blank strings with old Windows versions (Server 2012 R2), setting this to True may solve the problem. (optional)

False

Note that if you do not set db, the plugin will tail channels on each startup.

Configuration Examples

Configuration File

Here is a minimum configuration example.

[INPUT]
    Name         winevtlog
    Channels     Setup,Windows PowerShell
    Interval_Sec 1
    DB           winevtlog.sqlite

[OUTPUT]
    Name   stdout
    Match  *

Note that some Windows Event Log channels (like Security) requires an admin privilege for reading. In this case, you need to run fluent-bit as an administrator.

Command Line

If you want to do a quick test, you can run this plugin from the command line.

$ fluent-bit -i winevtlog -p 'channels=Setup' -p 'Read_Existing_Events=true' -o stdout

Note that winevtlog plugin will tail channles on each startup. If you want to confirm whether this plugin is working or not, you should specify -p 'Read_Existing_Events=true' parameter.

Last updated