- # Fluentd pipeline: Windows Security log -> grok parse -> route selected object-access
- # event IDs -> Grafana Loki. Plugins referenced: windows_eventlog2, parser/grok,
- # record_transformer, rewrite_tag_filter, loki.
- <source>
- @type windows_eventlog2
- @id windows_eventlog2
- # Only the Security channel is read; reading it normally requires elevated rights on the host.
- channels security
- # Ingests the existing backlog on first start; the persistent <storage> below is what the
- # plugin uses to remember its read position across restarts (presumably, so the backlog is
- # not re-read after a restart — confirm against the plugin version in use).
- read_existing_events true
- tag winevt.raw
- <storage>
- @type "local"
- persistent true
- # NOTE(review): this file lives inside C:/logs/buffer, which is also the loki <buffer> path
- # below; keeping position state and buffer chunks in the same directory is worth confirming.
- path "C:/logs/buffer/windows_eventlog2.json"
- </storage>
- </source>
- <filter winevt.raw>
- @type parser
- # Parses the free-text "Description" field; reserve_data keeps the original record keys
- # (TimeCreated etc.) alongside the extracted ones.
- key_name "Description"
- reserve_data true
- <parse>
- @type grok
- # EVENT_ID is not a stock grok pattern; it must be defined in custom_patterns.txt below.
- # The greedy .* between fields means each label matches its LAST occurrence in the
- # description; if a label appears more than once in an event, the wrong value is captured.
- # Records that do not match the pattern are not routed by the <match> below (no event_id).
- grok_pattern %{EVENT_ID:event_id}.*Handle ID:\s*%{NUMBER:handle_id}.*Account Name:\s*%{USERNAME:username}.*ComputerName:\s*%{HOSTNAME:hostname}.*Object Name:\s*%{PATH:object_name}.*
- custom_pattern_path C:/opt/fluent/etc/fluent/custom_patterns.txt
- </parse>
- </filter>
- <filter winevt.raw>
- @type record_transformer
- # enable_ruby is needed only for the timestamp expression; the other five lines re-assign
- # fields to their own values and are no-ops.
- enable_ruby true
- <record>
- event_id ${record["event_id"]}
- handle_id ${record["handle_id"]}
- username ${record["username"]}
- hostname ${record["hostname"]}
- object_name ${record["object_name"]}
- # NOTE(review): this assumes TimeCreated is an epoch integer. If the plugin emits it as a
- # formatted date string, String#to_i yields the leading year (or 0) and the timestamp is
- # wrong — confirm the TimeCreated format before relying on this field.
- timestamp ${Time.at(record["TimeCreated"].to_i).iso8601}
- </record>
- </filter>
- <match winevt.raw>
- @type rewrite_tag_filter
- # Keeps only object-access events 4656, 4659, 4660, 4663; everything else is dropped here.
- <rule>
- key "event_id"
- pattern /^(4660|4663|4656|4659)$/
- tag "winevt.filtered"
- </rule>
- </match>
- <match winevt.filtered>
- @type loki
- @id loki_output
- # NOTE(review): plain http — Security-log content (accounts, hosts, object paths) leaves the
- # host unencrypted and unauthenticated. Prefer https with the plugin's TLS/basic-auth
- # settings for anything beyond a lab.
- endpoint_url "http://192.168.1.2:3100/loki/api/v1/push"
- # event_id was the routing key above; removing it here means the stored line no longer says
- # whether it was a 4656, 4659, 4660 or 4663 — keep it (or make it a label) if queries in Loki
- # need to distinguish event types.
- remove_keys event_id,handle_id
- <label>
- # username as a Loki label is unbounded cardinality (one stream per user per host);
- # also verify the ${...} placeholder form is what this plugin version expects for record keys.
- hostname ${hostname}
- username ${username}
- </label>
- <buffer>
- @type "file"
- path "C:/logs/buffer"
- flush_interval 5s
- </buffer>
- </match>
- <system>
- # NOTE(review): debug logging writes parsed event records into fluentd's own log,
- # duplicating the sensitive Security-log data on local disk; use info in production.
- log_level debug
- </system>