
Some enhancement for Windows Event Logs

Open alexeynl opened this issue 1 year ago • 0 comments

Some Windows Event fields can be enriched with information from the Windows host where fluent-bit is installed.

  1. For example, the following fields have a human-readable presentation
<System><Level>
<System><Task>
<System><Opcode>
<System><Keywords>

that is stored in event provider metadata.

I played with the winevtlog plugin and found that fluent-bit does not enrich these fields with provider metadata:

"Level"=>0, "Task"=>13570, "Opcode"=>0, "Keywords"=>"0x8020000000000000"
  2. Also I found that SID translation for the <System><Security><UserID> field is made only when Render_Event_As_XML is set to false. But my parser uses the XML representation of the raw event because a structured event is much easier to parse and map.

Possible solutions for these issues:

  1. Enable enrichment for fields
<System><Level>
<System><Task>
<System><Opcode>
<System><Keywords>

following https://github.com/elastic/beats/blob/9ae6ed1e3de11dad7597a6768b8e752f55c84e1c/winlogbeat/sys/winevent/event.go#L335 and add the ability to send only enriched fields along with the non-enriched XML representation of the event, or add the ability to send provider metadata as a distinct part of the fluent-bit event. In this case I could make the enrichment on the parser side.
  2. Add an option to send the translated SID along with the non-enriched XML event source.

alexeynl · Oct 02 '24 08:10
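To illustrate the parser-side enrichment the issue asks for (human-readable Level, Task, Opcode and Keywords next to the raw values, plus the UserID SID kept alongside the XML), here is an added example that is not part of fluent-bit or of the issue author's setup. It parses an XML-rendered event and fills in what can be known without the host: the level names, the standard keyword bits and the standard opcodes come from Microsoft's provider-independent winmeta definitions; task names and provider-specific opcodes are only knowable from the provider's own metadata, so they come from a `provider_meta` dict that a collector would have to ship (the `"ExampleTask"` entry is a constructed placeholder, not a real Security-Auditing task name). SID-to-name translation beyond the well-known SIDs in `WELL_KNOWN_SIDS` needs LookupAccountSid on the originating host, which is exactly why the issue wants fluent-bit to pass the translated SID through. The sample event is constructed from the values quoted in the issue.

```python
import json
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Provider-independent level names (winmeta.xml).
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error",
               3: "Warning", 4: "Information", 5: "Verbose"}

# Standard opcodes reserved by winmeta.xml; 10..239 belong to the provider.
STD_OPCODES = {0: "Info", 1: "Start", 2: "Stop", 3: "DC_Start", 4: "DC_Stop",
               5: "Extension", 6: "Reply", 7: "Resume", 8: "Suspend",
               9: "Send", 240: "Receive"}

# Standard keyword bits reserved by winmeta.xml (high 16 bits of the mask).
STD_KEYWORDS = {
    0x0001000000000000: "ResponseTime",
    0x0002000000000000: "WDIContext",
    0x0004000000000000: "WDIDiag",
    0x0008000000000000: "SQM",
    0x0010000000000000: "AuditFailure",
    0x0020000000000000: "AuditSuccess",
    0x0040000000000000: "CorrelationHint",
    0x0080000000000000: "EventlogClassic",
}

# Well-known SIDs that can be translated without a host lookup.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                   "S-1-5-20": "NETWORK SERVICE"}

# Constructed sample event using the raw values quoted in the issue.
SAMPLE_EVENT_XML = f"""<Event xmlns="{EVENT_NS}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <Security UserID="S-1-5-18"/>
  </System>
</Event>"""

# Constructed stand-in for provider metadata; task names are placeholders.
SAMPLE_PROVIDER_META = {"tasks": {13570: "ExampleTask"}, "opcodes": {}}


def decode_keywords(value):
    """Split a 64-bit keyword mask into standard names; unknown bits stay hex."""
    mask = int(value, 16) if isinstance(value, str) else int(value)
    mask &= 0xFFFFFFFFFFFFFFFF  # defensive: masks can arrive as signed ints
    names, rest = [], mask
    for bit, name in STD_KEYWORDS.items():
        if mask & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:016x}")  # provider-specific bits, left as-is
    return names


def _text(system, tag):
    el = system.find(f"{{{EVENT_NS}}}{tag}")
    return el.text if el is not None else None


def enrich_event_xml(xml_text, provider_meta=None):
    """Return raw System fields plus their human-readable forms."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{EVENT_NS}}}System")
    if system is None:
        raise ValueError("event has no <System> element")
    meta = provider_meta or {}
    level = int(_text(system, "Level") or 0)
    task = int(_text(system, "Task") or 0)
    opcode = int(_text(system, "Opcode") or 0)
    keywords = _text(system, "Keywords") or "0x0"
    security = system.find(f"{{{EVENT_NS}}}Security")
    sid = security.get("UserID") if security is not None else None
    return {
        "Level": level,
        "LevelName": LEVEL_NAMES.get(level, f"Level{level}"),
        "Task": task,
        "TaskName": meta.get("tasks", {}).get(task, f"Task{task}"),
        "Opcode": opcode,
        "OpcodeName": meta.get("opcodes", {}).get(opcode)
                      or STD_OPCODES.get(opcode, f"Opcode{opcode}"),
        "Keywords": keywords,
        "KeywordNames": decode_keywords(keywords),
        "UserID": sid,
        # Only well-known SIDs resolve offline; others need the host's lookup.
        "UserName": WELL_KNOWN_SIDS.get(sid) if sid else None,
    }


if __name__ == "__main__":
    print(json.dumps(enrich_event_xml(SAMPLE_EVENT_XML, SAMPLE_PROVIDER_META), indent=2))
```

Note that the keyword value from the issue, `0x8020000000000000`, decodes to `AuditSuccess` plus a leftover `0x8000000000000000` that is not a winmeta-defined bit; the script deliberately reports such bits as hex rather than guessing a name, which is the same discipline a collector should apply to any field it cannot map from real provider metadata.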