Untitled

a guest
Mar 3rd, 2025
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: init supervisor logger path=nil rotate_age=nil rotate_size=nil
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: parsing config file is succeeded path="C:\\opt\\fluent\\etc\\fluent\\fluentd.conf"
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluentd' version '1.18.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-calyptia-monitoring' version '0.1.3'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-elasticsearch' version '5.4.3'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-flowcounter-simple' version '0.1.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-grok-parser' version '2.6.2'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-kafka' version '0.19.3'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-loki' version '0.3.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-metrics-cmetrics' version '0.1.2'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-opensearch' version '1.1.4'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-parser-winevt_xml' version '0.2.7'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-prometheus' version '2.1.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-prometheus_pushgateway' version '0.1.1'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-record-modifier' version '2.2.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-rewrite-tag-filter' version '2.4.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-s3' version '1.8.1'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-sd-dns' version '0.1.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-td' version '1.2.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-webhdfs' version '1.6.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-windows-eventlog' version '0.9.1'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-windows-eventlog' version '0.9.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: gem 'fluent-plugin-windows-exporter' version '1.0.0'
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: Expanded the pattern %{EVENT_ID:event_id}.*Handle ID:\s*%{NUMBER:handle_id}.*Account Name:\s*%{USERNAME:username}.*ComputerName:\s*%{HOSTNAME:hostname}.*Object Name:\s*%{PATH:object_name}.* into (?<event_id>\d{4}).*Handle ID:\s*(?<handle_id>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))).*Account Name:\s*(?<username>[a-zA-Z0-9\.\-_]+).*ComputerName:\s*(?<hostname>[a-zA-Z0-9\.\-_]+).*Object Name:\s*(?<object_name>(?:[a-zA-Z]:)?(?:[^\\]+\\)*+).*
2025-03-03 00:08:36 -0800 [info]: fluent/log.rb:362:info: adding rewrite_tag_filter rule: event_id [#<Fluent::PluginHelper::RecordAccessor::Accessor:0x00000223b2978588 @keys="event_id">, /^(4660|4663|4656|4659)$/, "", "winevt.filtered", nil]
2025-03-03 00:08:38 -0800 [debug]: fluent/log.rb:341:debug: No fluent logger for internal event
2025-03-03 00:08:38 -0800 [info]: fluent/log.rb:362:info: using configuration file: <ROOT>
  <source>
    @type windows_eventlog2
    @id windows_eventlog2
    channels security
    read_existing_events true
    tag "winevt.raw"
    <storage>
      @type "local"
      persistent true
      path "C:/logs/buffer/windows_eventlog2.json"
    </storage>
  </source>
  <filter winevt.raw>
    @type parser
    key_name "Description"
    reserve_data true
    <parse>
      @type "grok"
      grok_pattern "%{EVENT_ID:event_id}.*Handle ID:\\s*%{NUMBER:handle_id}.*Account Name:\\s*%{USERNAME:username}.*ComputerName:\\s*%{HOSTNAME:hostname}.*Object Name:\\s*%{PATH:object_name}.*"
      custom_pattern_path "C:/opt/fluent/etc/fluent/custom_patterns.txt"
    </parse>
  </filter>
  <filter winevt.raw>
    @type record_transformer
    enable_ruby true
    <record>
      event_id ${record["event_id"]}
      handle_id ${record["handle_id"]}
      username ${record["username"]}
      hostname ${record["hostname"]}
      object_name ${record["object_name"]}
      timestamp ${Time.at(record["TimeCreated"].to_i).iso8601}
    </record>
  </filter>
  <match winevt.raw>
    @type rewrite_tag_filter
    <rule>
      key "event_id"
      pattern /^(4660|4663|4656|4659)$/
      tag "winevt.filtered"
    </rule>
  </match>
  <match winevt.filtered>
    @type loki
    @id loki_output
    endpoint_url "http://192.168.1.2:3100/loki/api/v1/push"
    remove_keys event_id,handle_id
    <label>
      hostname ${hostname}
      username ${username}
    </label>
    <buffer>
      @type "file"
      path "C:/logs/buffer"
      flush_interval 5s
    </buffer>
  </match>
  <system>
    log_level debug
  </system>
</ROOT>
2025-03-03 00:08:38 -0800 [info]: fluent/log.rb:362:info: starting fluentd-1.18.0 pid=6088 ruby="3.2.6"
2025-03-03 00:08:38 -0800 [info]: fluent/log.rb:362:info: spawn command to main: cmdline=["C:/opt/fluent/bin/ruby.exe", "-Eascii-8bit:ascii-8bit", "C:/opt/fluent/bin/fluentd", "-c", "C:\\opt\\fluent\\etc\\fluent\\fluentd.conf", "--under-supervisor"]
2025-03-03 00:08:43 -0800 [info]: #0 fluent/log.rb:362:info: init worker0 logger path=nil rotate_age=nil rotate_size=nil
2025-03-03 00:08:43 -0800 [info]: fluent/log.rb:362:info: adding filter pattern="winevt.raw" type="parser"
2025-03-03 00:08:43 -0800 [info]: #0 fluent/log.rb:362:info: Expanded the pattern %{EVENT_ID:event_id}.*Handle ID:\s*%{NUMBER:handle_id}.*Account Name:\s*%{USERNAME:username}.*ComputerName:\s*%{HOSTNAME:hostname}.*Object Name:\s*%{PATH:object_name}.* into (?<event_id>\d{4}).*Handle ID:\s*(?<handle_id>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))).*Account Name:\s*(?<username>[a-zA-Z0-9\.\-_]+).*ComputerName:\s*(?<hostname>[a-zA-Z0-9\.\-_]+).*Object Name:\s*(?<object_name>(?:[a-zA-Z]:)?(?:[^\\]+\\)*+).*
2025-03-03 00:08:43 -0800 [info]: fluent/log.rb:362:info: adding filter pattern="winevt.raw" type="record_transformer"
2025-03-03 00:08:43 -0800 [info]: fluent/log.rb:362:info: adding match pattern="winevt.raw" type="rewrite_tag_filter"
2025-03-03 00:08:43 -0800 [info]: #0 fluent/log.rb:362:info: adding rewrite_tag_filter rule: event_id [#<Fluent::PluginHelper::RecordAccessor::Accessor:0x000002219de64bf8 @keys="event_id">, /^(4660|4663|4656|4659)$/, "", "winevt.filtered", nil]
2025-03-03 00:08:43 -0800 [info]: fluent/log.rb:362:info: adding match pattern="winevt.filtered" type="loki"
2025-03-03 00:08:44 -0800 [info]: fluent/log.rb:362:info: adding source type="windows_eventlog2"
2025-03-03 00:08:44 -0800 [debug]: #0 fluent/log.rb:341:debug: No fluent logger for internal event
2025-03-03 00:08:44 -0800 [warn]: fluent/log.rb:383:warn: parameter 'remove_keys' in <match winevt.filtered>
  @type loki
  @id loki_output
  endpoint_url "http://192.168.1.2:3100/loki/api/v1/push"
  remove_keys event_id,handle_id
  <label>
    hostname ${hostname}
    username ${username}
  </label>
  <buffer>
    @type "file"
    path "C:/logs/buffer"
    flush_interval 5s
  </buffer>
</match> is not used.
2025-03-03 00:08:44 -0800 [warn]: fluent/log.rb:383:warn: section <label> is not used in <match winevt.filtered> of loki plugin
2025-03-03 00:08:44 -0800 [warn]: fluent/log.rb:383:warn: section <label> is not used in <match winevt.filtered> of loki plugin
2025-03-03 00:08:44 -0800 [info]: #0 fluent/log.rb:362:info: starting fluentd worker pid=8116 ppid=6088 worker=0
2025-03-03 00:08:44 -0800 [debug]: #0 [loki_output] buffer started instance=4080 stage_size=0 queue_size=0
2025-03-03 00:08:44 -0800 [debug]: #0 [loki_output] flush_thread actually running
2025-03-03 00:08:44 -0800 [debug]: #0 [loki_output] enqueue_thread actually running
2025-03-03 00:08:44 -0800 [debug]: #0 [windows_eventlog2] channel (security) subscription is subscribed.
2025-03-03 00:08:44 -0800 [info]: #0 fluent/log.rb:362:info: fluentd worker is now running worker=0
2025-03-03 00:08:46 -0800 [info]: #0 fluent/log.rb:362:info: disable filter chain optimization because [Fluent::Plugin::ParserFilter, Fluent::Plugin::RecordTransformerFilter] uses `#filter_stream` method.
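Added check, not part of the pasted log: the regex that fluentd prints in its "Expanded the pattern ... into ..." line is copied verbatim below and replayed in Ruby (the language fluentd and fluent-plugin-grok-parser are written in) against two constructed Security-log descriptions, so you can see what the custom EVENT_ID, NUMBER and PATH patterns really hand to the record_transformer and on to Loki. Three things fall out of the regex itself: NUMBER stops at the "x" of a hex handle such as 0x1a4 and captures "0"; PATH, as expanded, takes an optional drive letter and then only components that start with a non-backslash and end in a backslash, so on C:\Users\alice\secret.txt it captures just "C:"; and without the m option the greedy `.*` runs cannot cross a newline, so a description with one field per line does not match at all. The sample descriptions and the FIXED pattern are mine, not from the paste, and they follow the field order the grok pattern expects rather than any real event layout; whether the grok parser compiles its regex with the m option is not visible in this log, so both forms are exercised. Separately, the warnings above say the installed fluent-plugin-loki 0.3.0 does not use the remove_keys parameter or the <label> section, so event_id and handle_id stay in the record and no hostname/username labels are attached; that is not covered by the example.

```ruby
# Added check (not part of the pasted log): replay the regex that fluentd
# reports in its "Expanded the pattern ... into ..." line against constructed
# event descriptions, to see what the custom EVENT_ID/NUMBER/PATH patterns
# actually capture before the records reach Loki.

# Copied verbatim from the fluentd log. Compiled without /m, so `.` does not
# cross a newline.
EXPANDED = /(?<event_id>\d{4}).*Handle ID:\s*(?<handle_id>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))).*Account Name:\s*(?<username>[a-zA-Z0-9\.\-_]+).*ComputerName:\s*(?<hostname>[a-zA-Z0-9\.\-_]+).*Object Name:\s*(?<object_name>(?:[a-zA-Z]:)?(?:[^\\]+\\)*+).*/

# The same regex with Regexp::MULTILINE, where `.` also matches "\n".
EXPANDED_M = Regexp.new(EXPANDED.source, Regexp::MULTILINE)

# My replacement for the two weak sub-patterns (an assumption, not from the
# page): Windows handle IDs are hex ("0x1a4"), and an object name should run
# to the end of its line instead of stopping at a backslash. Lazy `.*?` keeps
# each capture tied to the nearest label instead of the last one in the text.
FIXED = /(?<event_id>\d{4}).*?Handle ID:[ \t]*(?<handle_id>0x[0-9a-fA-F]+).*?Account Name:[ \t]*(?<username>[^\r\n]+).*?ComputerName:[ \t]*(?<hostname>[^\r\n]+).*?Object Name:[ \t]*(?<object_name>[^\r\n]+)/m

# Constructed descriptions (not real events). Fields appear in the order the
# grok pattern expects; the second one puts each field on its own line, the
# way Windows renders event text.
ONE_LINE = "4663 An attempt was made to access an object. Handle ID: 0x1a4 " \
           "Account Name: alice ComputerName: WS01 " \
           "Object Name: C:\\Users\\alice\\secret.txt Process Name: C:\\Windows\\explorer.exe"

MULTI_LINE = "4663 An attempt was made to access an object.\n" \
             "Handle ID: 0x1a4\n" \
             "Account Name: alice\n" \
             "ComputerName: WS01\n" \
             "Object Name: C:\\Users\\alice\\secret.txt\n" \
             "Process Name: C:\\Windows\\explorer.exe\n"

# Returns the named captures as a Hash, or nil when the regex does not match.
def parse(description, regex = EXPANDED)
  m = regex.match(description)
  m && m.named_captures
end

def show(label, captures)
  puts "#{label}: #{captures ? captures.inspect : 'no match'}"
end

if __FILE__ == $PROGRAM_NAME
  show("EXPANDED   / one line  ", parse(ONE_LINE))                # handle_id "0", object_name "C:"
  show("EXPANDED   / multi-line", parse(MULTI_LINE))              # no match: `.` stops at "\n"
  show("EXPANDED_M / multi-line", parse(MULTI_LINE, EXPANDED_M))  # matches, same truncated captures
  show("FIXED      / multi-line", parse(MULTI_LINE, FIXED))       # "0x1a4" and the full path
end
```

Run it with plain ruby; no fluentd install is needed, because only the compiled regex is under test. Once the captures look right here, the same regex can go back into custom_patterns.txt, and the rewrite_tag_filter rule on event_id will then be matching a value that was actually extracted.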