
feat(new source): Add Windows Event Log source

Open · tot19 opened this pull request 4 weeks ago · 1 comment

Summary

Add a new windows_event_log source that collects logs from Windows Event Log channels using the native Windows Event Log API (EvtSubscribe).

Key features:

  • Real-time event-driven subscriptions using EvtSubscribe API with callbacks
  • Support for multiple channels (System, Application, Security, and 140+ specialized channels)
  • XPath query filtering for server-side selective event collection
  • Checkpoint persistence for reliable resumption after restarts
  • End-to-end acknowledgment support for at-least-once delivery guarantees
  • Configurable rate limiting and field truncation
  • Security hardening against XPath injection and resource exhaustion

Vector configuration

```toml
[sources.windows_events]
type = "windows_event_log"
channels = ["Application", "System", "Security"]
read_existing_events = true
events_per_second = 100
max_event_data_length = 1000

[sinks.console]
type = "console"
inputs = ["windows_events"]
encoding.codec = "json"
```

How did you test this PR?

  • Comprehensive PowerShell test suite on Windows Server 2022 covering:
    • Basic event collection (new events only)
    • Reading existing events
    • Checkpoint persistence across restarts
    • Rate limiting
    • XPath query filtering (severity, time-based)
    • Event ID filtering (whitelist/blacklist)
    • Field filtering (include/exclude)
    • Multi-channel collection
    • End-to-end acknowledgments
    • Truncation
    • Error handling
  • Unit tests (Windows-only, gated with #[cfg(windows)])
  • Verified cargo fmt, cargo clippy, and typos pass

Change Type

  • New feature

Is this a breaking change?

  • No

Does this PR include user facing changes?

  • Yes

References

Notes

  • This source is Windows-only and returns NotSupportedError on other platforms
  • Wildcard channel patterns are explicitly rejected to prevent heap corruption issues
  • Message rendering via EvtFormatMessage was removed due to stability issues; message extraction uses XML parsing instead

tot19 · Nov 26 '25 14:11
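The PR's feature list and notes describe what the source does with an event after EvtSubscribe delivers it: extract fields from the rendered event XML instead of calling EvtFormatMessage, apply an event ID whitelist/blacklist, include/exclude event-data fields, and clip each value to max_event_data_length. The following is an added illustration of that post-processing stage and is not Vector's code; it uses Python's standard-library XML parser rather than the PR's Rust implementation, the sample event is constructed (the 4625 record is a made-up shape, not a capture), and every function and field name here is an assumption chosen for illustration:

```python
"""Added example: the per-event processing a Windows Event Log source applies
once a record arrives as XML. Not Vector's code; names are illustrative."""
import xml.etree.ElementTree as ET

# Windows Event XML puts <System> and <EventData> in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape EvtRender emits (not a real capture).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Level>0</Level>
    <Channel>Security</Channel>
    <Computer>host01.example.test</Computer>
    <TimeCreated SystemTime="2025-11-26T14:11:00.0000000Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="Status">0xc000006d</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Flatten <System> metadata and <EventData> name/value pairs into one dict.

    This is the XML-based extraction the PR notes mention, used instead of
    rendering the localized message text with EvtFormatMessage.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": int(system.findtext("e:Level", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time_created": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    # <Data Name="..."> children become keyed event_data fields.
    record["event_data"] = {
        d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)
    }
    return record


def event_id_allowed(event_id: int, allow=None, deny=None) -> bool:
    """Whitelist takes precedence when given; otherwise apply the blacklist."""
    if allow is not None:
        return event_id in allow
    if deny is not None:
        return event_id not in deny
    return True


def select_fields(data: dict, include=None, exclude=()) -> dict:
    """Keep only included event_data fields (if an include list is set), then drop excluded ones."""
    return {k: v for k, v in data.items() if (include is None or k in include) and k not in exclude}


def truncate_fields(data: dict, max_len: int):
    """Clip each value to max_len characters and report which fields were cut."""
    out, truncated = {}, []
    for k, v in data.items():
        if len(v) > max_len:
            out[k] = v[:max_len]
            truncated.append(k)
        else:
            out[k] = v
    return out, truncated


def process_event(xml_text: str, allow_ids=None, deny_ids=None,
                  include=None, exclude=(), max_event_data_length: int = 1000):
    """Full pipeline for one record; returns None when the event ID filter drops it."""
    record = parse_event(xml_text)
    if not event_id_allowed(record["event_id"], allow_ids, deny_ids):
        return None
    fields = select_fields(record["event_data"], include, exclude)
    record["event_data"], record["truncated_fields"] = truncate_fields(fields, max_event_data_length)
    return record


if __name__ == "__main__":
    # Keep only 4625, drop the IpAddress field, and clip values to 5 chars.
    print(process_event(SAMPLE_EVENT_XML, allow_ids={4625},
                        exclude=("IpAddress",), max_event_data_length=5))
```

Recording which fields were truncated matters for detection work: a clipped Status or TargetUserName value should not be mistaken for the original, so a consumer can tell a short value from a cut one.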

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

github-actions[bot] · Nov 26 '25 14:11