fluent-bit
Impossible to filter Windows logs by EventID using grep filter
Bug Report
Describe the bug: It is impossible to filter Windows logs by EventID using the grep filter.

To Reproduce: Simple configuration to reproduce the issue:

```
[INPUT]
    Name          winlog
    Channels      Windows PowerShell
    Tag           win
    Interval_Sec  1

[FILTER]
    Name          grep
    Match         win
    Exclude       EventID 800

[OUTPUT]
    Name          file
    Match         win
    Path          .\logs\
```

Expected behavior: Successful filtering by EventID using the grep filter.

Your Environment: OS: Win 10 Pro 10.0.19041; FluentBit: fluent-bit-2.0.9-win64

Additional context: Related issue: https://github.com/fluent/fluent-bit/issues/6284
This comes up fairly often I think - the issue is that grep requires a string field but event ID is numeric.
The workaround is to convert the event ID to a string (e.g. via a LUA filter).
Initially I think we should at least update the docs section for grep to add a faq for it: https://github.com/fluent/fluent-bit-docs/blob/master/pipeline/filters/grep.md
@qmonitoring if you can please submit a PR for the docs change and I can review/merge?
I'm not sure if it's not documented because it's been deprecated or just because it's missing, but we have the type_converter filter which accepts the following settings:

- int_key
- uint_key
- float_key
- str_key

And all of them follow the same pattern (e.g. `uint_key EventID event_id string`), which means you need to specify the source member name, the destination member name and the desired data type.
I'd take it with a pinch of salt but at least I'd give it a try.
This is a document about type_converter. https://github.com/fluent/fluent-bit-docs/blob/master/pipeline/filters/type-converter.md
However it is missing on https://docs.fluentbit.io/manual/pipeline/filters ...
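Putting the two workarounds together, as an added example (not from the issue or the project docs): the reproduction config above with a type_converter filter inserted before grep, so grep matches on the string copy event_id rather than the numeric EventID. Whether EventID needs uint_key or int_key depends on how the input packs the field; uint_key is assumed here, following the pattern quoted above.

```ini
[INPUT]
    Name          winlog
    Channels      Windows PowerShell
    Tag           win
    Interval_Sec  1

# Added step: copy the numeric EventID into a string field event_id.
# Assumption: EventID is packed as an unsigned integer; if event_id
# never appears in the output, try int_key instead of uint_key.
[FILTER]
    Name          type_converter
    Match         win
    uint_key      EventID event_id string

# grep now has a string field to match. The pattern is a regex and a
# bare 800 would also drop 8001, 1800 etc., so anchor it.
[FILTER]
    Name          grep
    Match         win
    Exclude       event_id ^800$

[OUTPUT]
    Name          file
    Match         win
    Path          .\logs\
```

If type_converter is not available in your build, a Lua filter that sets `record["event_id"] = tostring(record["EventID"])` gives grep the same string field.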
I implemented a different approach to filter unnecessary events when consuming events with in_winevtlog plugin: https://github.com/fluent/fluent-bit/pull/7848
Same issue here. I've tried a ton of things, from modify to grep, and even trying to use strings in the message. I just think the winlog source can't use an additional filter, it seems.
I found a fix for the issue, at least for myself. Here is an example:

```
[Filter]
    name     grep
    match    *
    Exclude  Message /enter regex here/
```