
How does it keep track of forwarded events to the same channel

Open philipsabri opened this issue 5 years ago • 2 comments

We are trying to see if forwarding events and then collecting them with fluentd is a better choice for us.

But how does it keep track of the forwarded events? When looking in the storage file it looks like this: {"wec-authentication":"<BookmarkList>\r\n <Bookmark Channel='WEC-Authentication' RecordId='3954582302' IsCurrent='true'/>\r\n</BookmarkList>"}

The RecordId='3954582302', but how does it keep track when different servers send different RecordIds from different channels?

Example:
Server A sends EventRecordID 11920 from Security to the forwarded collecting channel X
Server B sends EventRecordID 219130 from Security to the forwarded collecting channel X
Server B sends EventRecordID 11910 from Application to the forwarded collecting channel X

FluentD collects everything from Channel X, how does it keep track of that?

[image: EventRecordID and Channel from different servers but collected from the same forwarded channel]

philipsabri avatar Jun 23 '20 10:06 philipsabri

Also interested about the behaviour regarding Forwarded Events as it is a common case in a WEC architecture.

samsplunks avatar Oct 30 '20 13:10 samsplunks

When fluentd queries the ForwardedEvents channel, it receives eventlogs with EventRecordIDs.

What the bookmark saves is the internal RecordId (without Event) of the channel that is queried through the EventLog API.

Open an irb shell from the FluentD bin folder and try it for yourself:

require 'winevt'

# Query the collector channel for logon events (Event ID 4624)
@query = Winevt::EventLog::Query.new("WEC-Authentication", "*[System[(EventID=4624)]]")

# The bookmark tracks the queried channel's own RecordId, not the source server's EventRecordID
@bookmark = Winevt::EventLog::Bookmark.new

@query.each do |xml|
  @bookmark.update(@query)   # advance the bookmark to the record just read
  puts xml                   # event XML, including the originating server's EventRecordID
  puts @bookmark.render      # bookmark XML carrying the channel RecordId that gets persisted
end

samsplunks avatar Jun 15 '21 15:06 samsplunks
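To make the distinction in the answer above concrete, here is an added example (not code from the plugin or from either commenter) that parses the storage file format quoted in the question and replays constructed forwarded events against it. The storage JSON, the event XML (simplified, no namespace) and the channel RecordIds are all constructed; the helper names are hypothetical.

```ruby
require 'json'
require 'rexml/document'

# Constructed copy of the fluentd storage file quoted in the question. The
# bookmark holds the collector channel's own RecordId, not any source
# server's EventRecordID.
STORAGE_JSON = '{"wec-authentication":"<BookmarkList>\r\n <Bookmark ' \
               'Channel=\'WEC-Authentication\' RecordId=\'3954582302\' ' \
               'IsCurrent=\'true\'/>\r\n</BookmarkList>"}'

# Constructed forwarded events, simplified (no namespace) to what a collector
# sees: record_id is the channel's RecordId; the XML keeps the source's values.
def event(record_id, computer, channel, event_record_id)
  { record_id: record_id,
    xml: "<Event><System><Computer>#{computer}</Computer><Channel>#{channel}</Channel>" \
         "<EventRecordID>#{event_record_id}</EventRecordID></System></Event>" }
end

FORWARDED = [
  event(3_954_582_301, 'ServerA', 'Security',     11_920),
  event(3_954_582_302, 'ServerB', 'Security',    219_130),
  event(3_954_582_303, 'ServerB', 'Application',  11_910), # lower source ID, yet newer
  event(3_954_582_304, 'ServerA', 'Security',     11_921)
]

# Parse the storage JSON into { storage_key => { channel => last RecordId } }.
def parse_bookmark(storage_json)
  JSON.parse(storage_json).transform_values do |bookmark_xml|
    doc = REXML::Document.new(bookmark_xml)
    REXML::XPath.match(doc, '/BookmarkList/Bookmark').map do |b|
      [b.attributes['Channel'], Integer(b.attributes['RecordId'])]
    end.to_h
  end
end

# Source server, original channel and EventRecordID carried inside the event.
def source_fields(event_xml)
  sys = REXML::XPath.first(REXML::Document.new(event_xml), '/Event/System')
  %w[Computer Channel EventRecordID].map { |name| sys.elements[name].text }
end

# Events fluentd would still emit after a restart: only the channel RecordId is
# compared against the bookmark; the per-source EventRecordID plays no part.
def pending_events(storage_json, key, channel, events)
  last = parse_bookmark(storage_json).fetch(key).fetch(channel)
  events.select { |e| e[:record_id] > last }.map { |e| source_fields(e[:xml]) }
end

puts pending_events(STORAGE_JSON, 'wec-authentication', 'WEC-Authentication', FORWARDED).inspect
```

Note that the Application event with EventRecordID 11910 is still pending even though 11910 is lower than the already-consumed Security event 11920: the source IDs are neither unique nor ordered across servers, which is why the bookmark only keys on the collector channel's RecordId.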