Windows Event Log Input Plugin
This plugin collects metrics from the Windows Event Log on Windows Vista and later.
Some event channels, such as the System log, require administrator privileges to subscribe.
Introduced in: Telegraf v1.16.0 Tags: logging OS support: windows
Global configuration options
In addition to the plugin-specific settings, plugins support additional global and plugin configuration settings. These are used to modify metrics, tags and fields, create aliases, configure plugin ordering, and so on. See CONFIGURATION.md for more details.
Configuration
# Input plugin to collect Windows Event Log messages
# This plugin ONLY supports Windows
[[inputs.win_eventlog]]
## Telegraf should have Administrator permissions to subscribe for some
## Windows Events channels (e.g. System log)
## LCID (Locale ID) for event rendering
## 1033 to force English language
## 0 to use default Windows locale
# locale = 0
## Name of eventlog, used only if xpath_query is empty
## Example: "Application"
# eventlog_name = ""
## xpath_query can be in defined short form like "Event/System[EventID=999]"
## or you can form a XML Query. Refer to the Consuming Events article:
## https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events
## XML query is the recommended form, because it is most flexible
## You can create or debug XML Query by creating Custom View in Windows Event Viewer
## and then copying resulting XML here
xpath_query = '''
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[( (EventID &gt;= 5152 and EventID &lt;= 5158) or EventID=5379 or EventID=4672)]]</Suppress>
</Query>
<Query Id="1" Path="Application">
<Select Path="Application">*[System[(Level &lt; 4)]]</Select>
</Query>
<Query Id="2" Path="Windows PowerShell">
<Select Path="Windows PowerShell">*[System[(Level &lt; 4)]]</Select>
</Query>
<Query Id="3" Path="System">
<Select Path="System">*</Select>
</Query>
<Query Id="4" Path="Setup">
<Select Path="Setup">*</Select>
</Query>
</QueryList>
'''
## When true, event logs are read from the beginning; otherwise only future
## events will be logged.
# from_beginning = false
## Number of events to fetch in one batch
# event_batch_size = 5
## Process UserData XML to fields, if this node exists in Event XML
# process_userdata = true
## Process EventData XML to fields, if this node exists in Event XML
# process_eventdata = true
## Separator character to use for unrolled XML Data field names
# separator = "_"
## Get only first line of Message field. For most events first line is
## usually more than enough
# only_first_line_of_message = true
## Parse timestamp from TimeCreated.SystemTime event field.
## Will default to current time of telegraf processing on parsing error or if
## set to false
# timestamp_from_event = true
## System field names:
## "Source", "EventID", "Version", "Level", "Task", "Opcode", "Keywords",
## "TimeCreated", "EventRecordID", "ActivityID", "RelatedActivityID",
## "ProcessID", "ThreadID", "ProcessName", "Channel", "Computer", "UserID",
## "UserName", "Message", "LevelText", "TaskText", "OpcodeText"
##
## In addition to System, Data fields can be unrolled from additional XML
## nodes in event. Human-readable representation of those nodes is formatted
## into event Message field, but XML is more machine-parsable
## Event fields to include as tags
## The values below are included by default.
## Globbing supported (e.g. "Level*" matches both "Level" and "LevelText")
# event_tags = ["Source", "EventID", "Level", "LevelText", "Task", "TaskText", "Opcode", "OpcodeText", "Keywords", "Channel", "Computer"]
## Event fields to include
## All fields are sent by default.
## Globbing supported (e.g. "Level*" matches both "Level" and "LevelText")
# event_fields = ["*"]
## Event fields to exclude
## Note that if you exclude all fields then no metrics are produced. A valid
## metric includes at least one field.
## Globbing supported (e.g. "Level*" matches both "Level" and "LevelText")
# exclude_fields = []
## Event fields to exclude if their value is empty or equals to zero
## The values below are included by default.
## Globbing supported (e.g. "Level*" matches both "Level" and "LevelText")
# exclude_empty = ["Task", "Opcode", "*ActivityID", "UserID"]
## Maximum memory size available for an event to render
## Events larger than that are not processed and will not create a metric.
## NOTE: As events are encoded in UTF-16 we need two bytes per character.
# event_size_limit = "64KB"
Filtering
There are three types of filtering: Event Log name, XPath query and XML query.
Event Log name filtering is simple:
eventlog_name = "Application"
xpath_query = '''
For XPath query filtering, set the xpath_query value; eventlog_name is then ignored:
eventlog_name = ""
xpath_query = "Event/System[EventID=999]"
XML query is the most flexible: you can Select or Suppress any values, and give ranges for other values. XML query is the recommended form because it is the most flexible. You can create or debug an XML query by creating a Custom View in Windows Event Viewer and then copying the resulting XML into the configuration file.
XML query documentation:
https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events
Troubleshooting
If you see a Collection took longer than expected warning, it may indicate a burst of events and that the API cannot deliver them fast enough to complete processing within the specified interval. Adjusting the event_batch_size setting may help mitigate the issue. The warning does not indicate data loss, but you should investigate the number of log events.
Metrics
You can send any field, whether System, Computed or XML, as a tag field. The list of these fields is in the event_tags configuration array. Globbing is supported in this array: for example, Level* matches all fields starting with Level, and L?vel matches any field named Level, L3vel, L@vel and so on. Tag fields are automatically converted to strings.
All other fields are sent by default, but you can limit them either by listing them in the event_fields configuration array (globbing supported) or by adding field-name masks to the exclude_fields configuration array.
You can limit the sending of fields with empty values by adding masks of empty-value field names to the exclude_empty configuration array. A value is considered empty when a System field of type int or uint32 equals zero, or when any field of type string is an empty string.
List of System fields
- Source (string)
- EventID (int)
- Version (int)
- Level (int)
- LevelText (string)
- Opcode (int)
- OpcodeText (string)
- Task (int)
- TaskText (string)
- Keywords (string): comma-separated if there are several values
- TimeCreated (string)
- EventRecordID (string)
- ActivityID (string)
- RelatedActivityID (string)
- ProcessID (int)
- ThreadID (int)
- ProcessName (string): derived from ProcessID
- Channel (string)
- Computer (string): useful when consuming from Forwarded Events
- UserID (string): SID
- UserName (string): derived from UserID, presented in DOMAIN\Username form
- Message (string)
Computed fields
The Level, Opcode and Task fields are converted to text and saved as the computed *Text fields.
The Keywords field is converted from a hex uint64 value by the EvtFormatMessage WINAPI function. There can be more than one value, in which case they are comma-separated. If the keywords cannot be converted (a device driver error, or an event forwarded from another computer with an unknown event channel), the hex uint64 is saved as-is.
The ProcessName field is found by looking up the ProcessID. It can be empty if Telegraf does not have enough permissions.
The UserName field is found by looking up the SID from the UserID field.
The Message field is rendered from the event data and can contain several kilobytes of text with line breaks. For most events, the first line of this text is more than enough, and the additional information is better parsed from the XML fields. So, for brevity, the plugin takes only the first line. You can set the only_first_line_of_message parameter to false to fetch the full message text.
The TimeCreated field is a string in RFC3339Nano format. By default, Telegraf parses it as the event timestamp. If the field fails to parse, or the timestamp_from_event configuration parameter is set to false, the event timestamp is set to the exact time at which Telegraf parsed the event, so it will be rounded to the nearest minute.
Additional fields
The contents of the Event Data and User Data XML nodes can be added as additional fields, and they are added by default. You can disable this by setting the process_userdata or process_eventdata parameter to false.
For fields in the additional XML nodes, the Name attribute is used as the name and the inner text as the value. These fields are always of type string.
Field names are formed by adding _ between the XML path levels. For example, if the UserData XML looks like this:
<UserData>
<CbsPackageChangeState xmlns="http://manifests.microsoft.com/win/2004/08/windows/setup_provider">
<PackageIdentifier>KB4566782</PackageIdentifier>
<IntendedPackageState>5112</IntendedPackageState>
<IntendedPackageStateTextized>Installed</IntendedPackageStateTextized>
<ErrorCode>0x0</ErrorCode>
<Client>UpdateAgentLCU</Client>
</CbsPackageChangeState>
</UserData>
it will be converted to the following fields:
CbsPackageChangeState_PackageIdentifier = "KB4566782"
CbsPackageChangeState_IntendedPackageState = "5112"
CbsPackageChangeState_IntendedPackageStateTextized = "Installed"
CbsPackageChangeState_ErrorCode = "0x0"
CbsPackageChangeState_Client = "UpdateAgentLCU"
If there are multiple fields with the same name, all of them get numeric suffixes: _1, _2 and so on.
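As an added example (written here, not code from the Telegraf plugin): a Go reimplementation of the naming rule just described, joining the XML path levels with the separator, treating a Name attribute as one more path segment (which is how the Data_TargetUserName style fields in the example output below arise; that form is inferred from the sample output rather than stated in the text), and suffixing every colliding name with _1, _2 and so on. UnrollXML and Field are names chosen for this example.

```go
package main

import (
	"encoding/xml"
	"strconv"
	"strings"
)

type node struct { // generic XML element; a Name attribute is captured directly
	XMLName xml.Name
	Name    string `xml:"Name,attr"`
	Text    string `xml:",chardata"`
	Nodes   []node `xml:",any"`
}
type Field struct{ Name, Value string } // one unrolled value; always a string
// UnrollXML flattens a <UserData>/<EventData> subtree into Parent_Child names.
func UnrollXML(data, sep string) ([]Field, error) {
	var root node
	if err := xml.Unmarshal([]byte(data), &root); err != nil {
		return nil, err
	}
	fields, counts := []Field{}, map[string]int{}
	var walk func(n node, parents []string)
	walk = func(n node, parents []string) {
		path := append(append([]string{}, parents...), n.XMLName.Local)
		if n.Name != "" { // EventData's <Data Name="X"> becomes Data_X
			path = append(path, n.Name)
		}
		if len(n.Nodes) == 0 { // leaf: the inner text is the value
			name := strings.Join(path, sep)
			counts[name]++
			fields = append(fields, Field{name, strings.TrimSpace(n.Text)})
			return
		}
		for _, c := range n.Nodes {
			walk(c, path)
		}
	}
	for _, c := range root.Nodes { // the wrapper element is not part of the name
		walk(c, nil)
	}
	seen := map[string]int{}
	for i, f := range fields {
		if counts[f.Name] > 1 { // every colliding field gets _1, _2, ...
			seen[f.Name]++
			fields[i].Name += sep + strconv.Itoa(seen[f.Name])
		}
	}
	return fields, nil
}
```

Calling UnrollXML with the UserData XML shown above and "_" as the separator yields the five CbsPackageChangeState_* fields listed, in document order.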
Localization
The human-readable event description is in the Message field. But it is better to ignore it and prefer the event XML values, because they are more machine-readable.
The Keywords, LevelText, TaskText, OpcodeText and Message fields are saved in the current Windows locale by default. You can override this, for example by setting the locale configuration parameter to 1033 (the English locale). Unfortunately, the Event Data and User Data XML nodes support only the default Windows locale.
The locale should be installed on the computer. The English locale is usually available on all localized versions of modern Windows. The list of all locales is available in Microsoft's Open Specifications.
Example Output
Some values have been changed for anonymization.
win_eventlog,Channel=System,Computer=PC,EventID=105,Keywords=0x8000000000000000,Level=4,LevelText=Information,Opcode=10,OpcodeText=General,Source=WudfUsbccidDriver,Task=1,TaskText=Driver,host=PC ProcessName="WUDFHost.exe",UserName="NT AUTHORITY\\LOCAL SERVICE",Data_dwMaxCCIDMessageLength="271",Data_bPINSupport="0x0",Data_bMaxCCIDBusySlots="1",EventRecordID=1914688i,UserID="S-1-5-19",Version=0i,Data_bClassGetEnvelope="0x0",Data_wLcdLayout="0x0",Data_bClassGetResponse="0x0",TimeCreated="2020-08-21T08:43:26.7481077Z",Message="The Smartcard reader reported the following class descriptor (part 2)." 1597999410000000000
win_eventlog,Channel=Security,Computer=PC,EventID=4798,Keywords=Audit\ Success,Level=0,LevelText=Information,Opcode=0,OpcodeText=Info,Source=Microsoft-Windows-Security-Auditing,Task=13824,TaskText=User\ Account\ Management,host=PC Data_TargetDomainName="PC",Data_SubjectUserName="User",Data_CallerProcessId="0x3d5c",Data_SubjectLogonId="0x46d14f8d",Version=0i,EventRecordID=223157i,Message="A user's local group membership was enumerated.",Data_TargetUserName="User",Data_TargetSid="S-1-5-21-.-.-.-1001",Data_SubjectUserSid="S-1-5-21-.-.-.-1001",Data_CallerProcessName="C:\\Windows\\explorer.exe",ActivityID="{0d4cc11d-7099-0002-4dc1-4c0d9970d601}",UserID="",Data_SubjectDomainName="PC",TimeCreated="2020-08-21T08:43:27.3036771Z",ProcessName="lsass.exe" 1597999410000000000
win_eventlog,Channel=Microsoft-Windows-Dhcp-Client/Admin,Computer=PC,EventID=1002,Keywords=0x4000000000000001,Level=2,LevelText=Error,Opcode=76,OpcodeText=IpLeaseDenied,Source=Microsoft-Windows-Dhcp-Client,Task=3,TaskText=Address\ Configuration\ State\ Event,host=PC Version=0i,Message="The IP address lease 10.20.30.40 for the Network Card with network address 0xaabbccddeeff has been denied by the DHCP server 10.20.30.1 (The DHCP Server sent a DHCPNACK message).",UserID="S-1-5-19",Data_HWLength="6",Data_HWAddress="545595B7EA01",TimeCreated="2020-08-21T08:43:42.8265853Z",EventRecordID=34i,ProcessName="svchost.exe",UserName="NT AUTHORITY\\LOCAL SERVICE" 1597999430000000000
win_eventlog,Channel=System,Computer=PC,EventID=10016,Keywords=Classic,Level=3,LevelText=Warning,Opcode=0,OpcodeText=Info,Source=Microsoft-Windows-DistributedCOM,Task=0,host=PC Data_param3="Активация",Data_param6="PC",Data_param8="S-1-5-21-2007059868-50816014-3139024325-1001",Version=0i,UserName="PC\\User",Data_param1="по умолчанию для компьютера",Data_param2="Локально",Data_param7="User",Data_param9="LocalHost (с использованием LRPC)",Data_param10="Microsoft.Windows.ShellExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy",ActivityID="{839cac9e-73a1-4559-a847-62f3a5e73e44}",ProcessName="svchost.exe",Message="The по умолчанию для компьютера permission settings do not grant Локально Активация permission for the COM Server application with CLSID ",Data_param5="{316CDED5-E4AE-4B15-9113-7055D84DCC97}",Data_param11="S-1-15-2-.-.-.-.-.-.-2861478708",TimeCreated="2020-08-21T08:43:45.5233759Z",EventRecordID=1914689i,UserID="S-1-5-21-.-.-.-1001",Data_param4="{C2F03A33-21F5-47FA-B4BB-156362A2F239}" 1597999430000000000
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for Telegraf and this documentation. To get support, use the following resources:
Customers with annual or support contracts can contact InfluxData Support.