inputs.win_eventlog does not convert (any/some?) fields to tags #15958

steenstra · 2024-10-01T10:29:20Z

Relevant telegraf.conf

## Event fields to include as tags
## The values below are included by default.
## Globbing supported (e.g. "Level*" matches both "Level" and "LevelText")
# event_tags = ["Source", "EventID", "Level", "LevelText", "Task", "TaskText", "Opcode", "OpcodeText", "Keywords", "Channel", "Computer"]

# Windows Event Log Monitoring
[[inputs.win_eventlog]]
  xpath_query = '''
  <QueryList>
    <Query Id="0" Path="Application">
      <Select Path="Application">*[System[(Level &lt; 4)]]</Select>
    </Query>
    <Query Id="1" Path="Security">
      <Select Path="Security">*</Select>
      <Suppress Path="Security">*[System[(EventID = 4624 or EventID = 4627 or EventID = 4634 or EventID = 4648 or EventID = 4672 or EventID = 4662 or EventID = 4768 or EventID = 4776 or EventID = 4769 or EventID = 5379)]]</Suppress>
    </Query>
    <Query Id="2" Path="System">
      <Select Path="System">*[System[(Level &lt; 4)]]</Select>
    </Query>
    <Query Id="3" Path="Microsoft-Windows-NTLM/Operational">
      <Select Path="Microsoft-Windows-NTLM/Operational">*[System[(EventID = 8001 or EventID = 8002 or EventID = 8003 or EventID = 8004)]]</Select>
    </Query>
  </QueryList>
  '''

  only_first_line_of_message = true
  timestamp_from_event = true
  event_tags = ["Source", "EventID", "Level", "LevelText", "Task", "TaskText", "Opcode", "OpcodeText", "Keywords", "Channel", "Computer", "*WorkstationName*", "*TargetUserName*"]

Logs from Telegraf

2024-10-01T10:21:32Z I! Loaded inputs: exec win_eventlog win_perf_counters
2024-10-01T10:21:32Z I! Loaded aggregators: 
2024-10-01T10:21:32Z I! Loaded processors: 
2024-10-01T10:21:32Z W! �[31mOutputs are not used in testing mode!�[0m
2024-10-01T10:21:32Z I! Tags enabled: host=MS04
2024-10-01T10:21:32Z D! [agent] Initializing plugins
2024-10-01T10:21:32Z D! [agent] Starting service inputs
2024-10-01T10:21:32Z D! [inputs.win_eventlog] Subscription handle id:1
2024-10-01T10:21:36Z D! [agent] Stopping service inputs
2024-10-01T10:21:36Z D! [agent] Input channel closed
2024-10-01T10:21:36Z D! [agent] Stopped Successfully

System info

Telegraf v1.32.0, Windows Server 2022 21H2

Docker

No response

Steps to reproduce

Edit telegraf conf to include "*WorkstationName*", "*TargetUserName*" for event_tags
Start Telegraf
Go to Grafana to group by a tag.
Notice there is no tag for the fields Data_TargetUserName and Data_WorkstationName
...

Expected behavior

I'd expect there to be tags for Data_TargetUserName and Data_WorkstationName

Actual behavior

but there’s only fields, no tags. See screenshot.

Additional info

No response

The text was updated successfully, but these errors were encountered:

steenstra added the bug unexpected problem or unintended behavior label Oct 1, 2024

srebhan self-assigned this Oct 1, 2024

srebhan added the area/windows Related to windows plugins (win_eventlog, win_perf_counters, win_services) label Oct 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

inputs.win_eventlog does not convert (any/some?) fields to tags #15958

inputs.win_eventlog does not convert (any/some?) fields to tags #15958

steenstra commented Oct 1, 2024

inputs.win_eventlog does not convert (any/some?) fields to tags #15958

inputs.win_eventlog does not convert (any/some?) fields to tags #15958

Comments

steenstra commented Oct 1, 2024

Relevant telegraf.conf

Logs from Telegraf

System info

Docker

Steps to reproduce

Expected behavior

Actual behavior

Additional info