Issue with remote event subscription #70

Open
Sjolus opened this issue Nov 9, 2020 · 1 comment
Labels
in_windows_eventlog2(new) For new in_windows_eventlog2 plugin issue question

Comments

@Sjolus
Sjolus commented Nov 9, 2020

Hi,

I'm trying to write a config that queries a remote server for Windows Events. My config looks like this:

<source>
  @type windows_eventlog2
  @id windows_remote
  @log_level trace
  read_existing_events false
  read_interval 2
  tag winevt.remote
  rate_limit 200

  <storage>
    @type local
    persistent true
    path C:\opt\td-agent\winevt-remote.pos
  </storage>

  <subscribe>
    channels ["System"]
    read_existing_events false
    read_all_channels true
    remote_server web-01.<redacted>
    remote_domain <redacted>
    remote_username Administrator
    remote_password <redacted>
  </subscribe>
</source>

<match winevt.remote>
  @type stdout
</match>

And it seems as if no remote events are ever fetched. Instead, it seems to be getting local events for some reason, as per the following output from running this locally (the dc is the local machine running this in my testing environment):

2020-11-09 18:04:47 +0000 [info]: fluent/log.rb:327:info: starting fluentd-1.11.2 pid=5592 ruby="2.7.1"
2020-11-09 18:04:47 +0000 [info]: fluent/log.rb:327:info: spawn command to main:  cmdline=["C:/opt/td-agent/bin/ruby.exe", "-Eascii-8bit:ascii-8bit", "C:/opt/td-agent/bin/fluentd", "-c", "etc\\td-agent\\td-agent.conf", "-v", "--under-supervisor"]
2020-11-09 18:04:55 +0000 [info]: fluent/log.rb:327:info: adding match pattern="winevt.remote" type="stdout"
2020-11-09 18:04:55 +0000 [info]: fluent/log.rb:327:info: adding source type="windows_eventlog2"
2020-11-09 18:04:57 +0000 [debug]: #0 fluent/log.rb:306:debug: No fluent logger for internal event
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_server' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_domain' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_username' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_password' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: starting fluentd worker pid=6612 ppid=5592 worker=0
2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: fluentd worker is now running worker=0
2020-11-09 18:05:09.089322800 +0000 winevt.remote: {"ProviderName":"Service Control Manager","ProviderGUID":"","EventID":"1073748860","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","TimeCreated":"2020/11/09 18:05:06.614689300","EventRecordID":"65701","ActivityID":"","RelatedActivityID":"","ProcessID":"600","ThreadID":"7648","Channel":"System","Computer":"DC.<redacted>","UserID":"","Version":"0","Description":"The Print Spooler service entered the stopped state.","EventData":["Print Spooler","stopped","?"]}
2020-11-09 18:05:09.094874500 +0000 winevt.remote: {"ProviderName":"Service Control Manager","ProviderGUID":"","EventID":"1073748860","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","TimeCreated":"2020/11/09 18:05:07.937694400","EventRecordID":"65702","ActivityID":"","RelatedActivityID":"","ProcessID":"600","ThreadID":"7648","Channel":"System","Computer":"DC.<redacted>","UserID":"","Version":"0","Description":"The Print Spooler service entered the running state.","EventData":["Print Spooler","running","?"]}

Any advice as to how to proceed in troubleshooting this? I am not sure what those "parameter is not used" warnings mean - maybe I have misconfigured something?
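Added troubleshooting example (not part of the issue or of fluent-plugin-windows-eventlog): a small Ruby script that scans fluentd's own output for the two symptoms described above. It collects the multi-line "parameter '...' in <subscribe> ... is not used" warnings, which reveal that the remote_* settings (including the credentials) are being silently ignored, and it parses the events emitted under the configured tag to compare each event's Computer field with the intended remote_server, so locally collected events tagged as remote are flagged. The sample log and the hostnames web-01.example.test and DC.example.test are constructed placeholders modelled on the lines in the issue.

```ruby
require 'json'

# Constructed fluentd output modelled on the issue: two "not used" warnings
# (one spanning several lines), a worker start line, one local event and one
# event that really came from the remote host. Hostnames are placeholders.
SAMPLE_LOG = <<~'LOG'
  2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_server' in <subscribe>
    channels ["System"]
    remote_server web-01.example.test
  </subscribe> is not used.
  2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_password' in <subscribe>
    channels ["System"]
    remote_server web-01.example.test
  </subscribe> is not used.
  2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: fluentd worker is now running worker=0
  2020-11-09 18:05:09.089322800 +0000 winevt.remote: {"ProviderName":"Service Control Manager","EventID":"1073748860","Channel":"System","Computer":"DC.example.test","Description":"The Print Spooler service entered the stopped state.","EventData":["Print Spooler","stopped","?"]}
  2020-11-09 18:05:10.000000000 +0000 winevt.remote: {"ProviderName":"Service Control Manager","EventID":"1073748860","Channel":"System","Computer":"WEB-01.example.test","Description":"constructed remote event","EventData":[]}
LOG

# First line of an "is not used" warning: captures the ignored parameter name.
UNUSED_RE = /\[warn\]: .*parameter '([^']+)' in <\w+>/
# An emitted record: "<date> <time> <tz> <tag>: <json>".
EVENT_RE = /\A\S+ \S+ \S+ (\S+): (\{.*\})\z/

# Names of configuration parameters fluentd reported as not used.
def unused_parameters(log)
  log.each_line.map { |l| (m = UNUSED_RE.match(l)) && m[1] }.compact.uniq
end

# Parsed JSON records emitted under the given tag (other lines are skipped).
def emitted_events(log, tag)
  log.each_line.map do |l|
    m = EVENT_RE.match(l.chomp)
    next unless m && m[1] == tag
    JSON.parse(m[2])
  end.compact
end

# Short hostname, case-folded, so "WEB-01.example.test" matches "web-01.example.test".
def short_host(name)
  name.to_s.split('.').first.to_s.downcase
end

# Summarise whether the remote subscription actually took effect.
def check_remote_subscription(log, tag:, remote_server:)
  unused = unused_parameters(log)
  events = emitted_events(log, tag)
  not_remote = events.reject { |e| short_host(e['Computer']) == short_host(remote_server) }
  {
    unused_parameters: unused,
    remote_settings_ignored: unused.any? { |p| p.start_with?('remote_') },
    events_total: events.size,
    events_from_remote: events.size - not_remote.size,
    events_not_from_remote: not_remote.map { |e| e['Computer'] }.uniq,
  }
end

if __FILE__ == $PROGRAM_NAME
  report = check_remote_subscription(SAMPLE_LOG, tag: 'winevt.remote',
                                     remote_server: 'web-01.example.test')
  report.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it against a real fluentd log by replacing SAMPLE_LOG with File.read of the log file; a non-empty unused_parameters list containing remote_* names means the plugin build in use does not understand the remote subscription block, and any entry in events_not_from_remote shows the input is reading the local machine's channels instead.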

@cosmo0920
Contributor

Remote subscription needs to use fluent-plugin-windows-eventlog v0.8.0:
d9ab94d

What version did you use?

@cosmo0920 cosmo0920 added question in_windows_eventlog2(new) For new in_windows_eventlog2 plugin issue labels Nov 19, 2020