
Issue with remote event subscription

Open · Sjolus opened this issue 4 years ago · 1 comment

Hi,

I'm trying to write a config that queries a remote server for Windows Events. My config looks like this:

<source>
  @type windows_eventlog2
  @id windows_remote
  @log_level trace
  read_existing_events false
  read_interval 2
  tag winevt.remote
  rate_limit 200

  <storage>
    @type local
    persistent true
    path C:\opt\td-agent\winevt-remote.pos
  </storage>

  <subscribe>
    channels ["System"]
    read_existing_events false
    read_all_channels true
    remote_server web-01.<redacted>
    remote_domain <redacted>
    remote_username Administrator
    remote_password <redacted>
  </subscribe>
</source>

<match winevt.remote>
  @type stdout
</match>

And it seems as if no remote events are ever fetched. Instead, it seems to be getting local events for some reason, as per the following output from running this locally (the dc is the local machine running this in my testing environment):

2020-11-09 18:04:47 +0000 [info]: fluent/log.rb:327:info: starting fluentd-1.11.2 pid=5592 ruby="2.7.1"
2020-11-09 18:04:47 +0000 [info]: fluent/log.rb:327:info: spawn command to main:  cmdline=["C:/opt/td-agent/bin/ruby.exe", "-Eascii-8bit:ascii-8bit", "C:/opt/td-agent/bin/fluentd", "-c", "etc\\td-agent\\td-agent.conf", "-v", "--under-supervisor"]
2020-11-09 18:04:55 +0000 [info]: fluent/log.rb:327:info: adding match pattern="winevt.remote" type="stdout"
2020-11-09 18:04:55 +0000 [info]: fluent/log.rb:327:info: adding source type="windows_eventlog2"
2020-11-09 18:04:57 +0000 [debug]: #0 fluent/log.rb:306:debug: No fluent logger for internal event
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_server' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_domain' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_username' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_password' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: starting fluentd worker pid=6612 ppid=5592 worker=0
2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: fluentd worker is now running worker=0
2020-11-09 18:05:09.089322800 +0000 winevt.remote: {"ProviderName":"Service Control Manager","ProviderGUID":"","EventID":"1073748860","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","TimeCreated":"2020/11/09 18:05:06.614689300","EventRecordID":"65701","ActivityID":"","RelatedActivityID":"","ProcessID":"600","ThreadID":"7648","Channel":"System","Computer":"DC.<redacted>","UserID":"","Version":"0","Description":"The Print Spooler service entered the stopped state.","EventData":["Print Spooler","stopped","?"]}
2020-11-09 18:05:09.094874500 +0000 winevt.remote: {"ProviderName":"Service Control Manager","ProviderGUID":"","EventID":"1073748860","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","TimeCreated":"2020/11/09 18:05:07.937694400","EventRecordID":"65702","ActivityID":"","RelatedActivityID":"","ProcessID":"600","ThreadID":"7648","Channel":"System","Computer":"DC.<redacted>","UserID":"","Version":"0","Description":"The Print Spooler service entered the running state.","EventData":["Print Spooler","running","?"]}

Any advice as to how to proceed in troubleshooting this? I am not sure what those "parameter is not used" warnings mean - maybe I have misconfigured something?

Sjolus avatar Nov 09 '20 18:11 Sjolus

Remote subscription needs to use fluent-plugin-windows-eventlog v0.8.0: https://github.com/fluent/fluent-plugin-windows-eventlog/commit/d9ab94dfd624bc66c6b8ffd45b21659b8021e87f

What version did you use?

cosmo0920 avatar Nov 19 '20 12:11 cosmo0920
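The "parameter ... is not used" warnings above are how fluentd reports config keys that the installed plugin build does not recognise, and the reply pins remote subscription to v0.8.0. The following is an added example, not code from the plugin or from either participant: it scans td-agent log text for those multi-line warnings, reports whether every unused key is one of the remote_* parameters, and compares an installed version string against 0.8.0 with Gem::Version. The sample log lines are constructed in the shape of the ones in this issue, with the hostname replaced.

```ruby
require 'rubygems' # Gem::Version

# Parameters that only exist in <subscribe> from v0.8.0 on (per the maintainer's reply).
REMOTE_PARAMS = %w[remote_server remote_domain remote_username remote_password].freeze
REQUIRED_VERSION = Gem::Version.new('0.8.0')

# Each warning spans several lines: the header names the parameter, then the offending
# section is echoed until "</subscribe> is not used." closes it. /m lets '.' cross newlines,
# so the quantifiers are non-greedy to keep one match per warning.
WARN_RE = %r{\[warn\]: \S+ parameter '(?<name>\w+)' in <subscribe>.*?</subscribe> is not used\.}m

# Returns the distinct parameter names fluentd reported as unused inside <subscribe>.
def unused_subscribe_params(log_text)
  log_text.scan(WARN_RE).flatten.uniq
end

# True when every unused key is a remote_* parameter, i.e. the symptom points at a plugin
# build that predates remote subscription support rather than at a misspelled key.
def remote_support_missing?(log_text)
  unused = unused_subscribe_params(log_text)
  !unused.empty? && unused.all? { |p| REMOTE_PARAMS.include?(p) }
end

# Compare an installed plugin version string against the version that added remote_*.
def version_supports_remote?(installed)
  Gem::Version.new(installed) >= REQUIRED_VERSION
end

# Constructed sample: two warnings in the format td-agent printed in this issue.
SAMPLE_LOG = <<~LOG
  2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_server' in <subscribe>
    channels ["System"]
    remote_server web-01.example.invalid
  </subscribe> is not used.
  2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_username' in <subscribe>
    channels ["System"]
    remote_username Administrator
  </subscribe> is not used.
  2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: starting fluentd worker pid=6612
LOG

if __FILE__ == $PROGRAM_NAME
  puts "unused in <subscribe>: #{unused_subscribe_params(SAMPLE_LOG).inspect}"
  puts "plugin predates remote subscription: #{remote_support_missing?(SAMPLE_LOG)}"
  puts "0.7.0 supports remote_*: #{version_supports_remote?('0.7.0')}"
end
```

Feed it the real td-agent log (for example `File.read('td-agent.log')`) and the installed version from `gem list fluent-plugin-windows-eventlog` to confirm the version gap before changing the config.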