Fluentd, Windows Event Logs and Grafana Loki

[hack3rcon]

What is a problem?

Hello,
I want to collect information about IDs 4660, 4663, 4656 and 4659 and send it to Loki server. I want this information to be in JSON format and each on one line. On Loki server I don't get any information:

# tcpdump -vvv -i any src 192.168.1.3 and port 3100
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

The contents of the windows_eventlog2.json file are as follows:

{"security":"<BookmarkList>\r\n <Bookmark Channel='Security' RecordId='147964' IsCurrent='true'/>\r\n</BookmarkList>"}

Describe the configuration of Fluentd

https://pastebin.com/swjQd53k

Describe the logs of Fluentd

https://pastebin.com/8eYGx4zC

Environment

- Fluentd version: 1.18.0
- Fluent Package version: 5.2.0
- Operating system: Windows 10

[daipom]

@hack3rcon
There is a possibility that nothing is hitting the filters.
Please check if the filter settings are correct.

For example, is record["event_id"] correct in the following setting?
Could record["EventId"] be correct?

<filter winevt.raw>
  @type record_transformer
  enable_ruby true
  <record>
    event_id ${record["event_id"]}
    handle_id ${record["handle_id"]}
    username ${record["username"]}
    hostname ${record["hostname"]}
    object_name ${record["object_name"]}
    timestamp ${Time.at(record["TimeCreated"].to_i).iso8601}
  </record>
</filter>

[hack3rcon]

@hack3rcon There is a possibility that nothing is hitting the filters. Please check if the filter settings are correct.

For example, is record["event_id"] correct in the following setting? Could record["EventId"] be correct?

<filter winevt.raw>
  @type record_transformer
  enable_ruby true
  <record>
    event_id ${record["event_id"]}
    handle_id ${record["handle_id"]}
    username ${record["username"]}
    hostname ${record["hostname"]}
    object_name ${record["object_name"]}
    timestamp ${Time.at(record["TimeCreated"].to_i).iso8601}
  </record>
</filter>

Hello,
Thank you so much for your reply.
I cleared all filters and am using the following configuration:

<source>
  @type windows_eventlog2
  @id windows_eventlog2
  channels security  
  read_existing_events true
  tag winevt.security 
  <storage>
    @type "local"
    persistent true
    path "C:/logs/buffer/windows_eventlog2.json"
  </storage>
</source>

<match winevt.security>
  @type loki
  @id loki_output
  endpoint_url "http://192.168.1.2:3100/loki/api/v1/push"
  labels { "channel": "security" }
  <buffer>
    @type "file"
    path "C:/logs/buffer"
    flush_interval 5s
  </buffer>
</match>

<system>
  log_level debug  
</system>

But the situation did not change and I still do not receive any data on the Loki server.

My Grafana Loki is OK, because:

C:\> curl -v -X POST http://192.168.1.2:3100/loki/api/v1/push -H "Content-Type: application/json" -d '{"streams": [{"stream": {"test": "test"}, "values": [[ "1630000000000000000", "test log" ]]}]}'
Note: Using embedded CA bundle, for proxies (231212 bytes)
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.168.1.2:3100...
* Connected to 192.168.1.2 (192.168.1.2) port 3100
* using HTTP/1.x
> POST /loki/api/v1/push HTTP/1.1
> Host: 192.168.1.2:3100
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 10
>
* upload completely sent off: 10 bytes
< HTTP/1.1 400 Bad Request
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 03 Mar 2025 09:54:50 GMT
< Content-Length: 125
<
readObjectStart: expect { or n, but found ', error found in #1 byte of ...|'{streams:|..., bigger context ...|'{streams:|...
* Connection #0 to host 192.168.1.2 left intact
curl: (3) bad range specification in URL position 2:
[{stream:
 ^

[daipom]

Does this RecordId in the storage file change?

{"security":"<BookmarkList>\r\n  <Bookmark Channel='Security' RecordId='147964' IsCurrent='true'/>\r\n</BookmarkList>"} 

If it does not change, it means there are no new Event Logs.
If so, you can test the behavior by removing this file or changing this value lower manually.

You can check which plugin has the problem by using out_stdout as follows.
out_stdout outputs Fluentd events to the standard output.
If using fluent-package, Fluentd outputs the events to the log files.
If you can confirm Event Logs in the log files, then out_loki does not work as expected.
If not, then in_windows_eventlog2 does not work as expected.

<source>
  @type windows_eventlog2
  @id windows_eventlog2
  channels security  
  read_existing_events true
  tag winevt.security 
  <storage>
    @type "local"
    persistent true
    path "C:/logs/buffer/windows_eventlog2.json"
  </storage>
</source>

<match winevt.security>
  @type stdout
</match>