Windows 事件
Windows 事件日志采集是采集应用程序、安全、系统等 Windows 事件日志
配置¶
前置条件¶
- Windows 版本 >= Windows Server 2008 R2
采集器配置¶
进入 DataKit 安装目录下的 conf.d/samples 目录,复制 windows_event.conf.sample 并命名为 windows_event.conf。示例如下:
[[inputs.windows_event]]
xpath_query = '''
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[( (EventID >= 5152 and EventID <= 5158) or EventID=5379 or EventID=4672)]]</Suppress>
</Query>
<Query Id="1" Path="Application">
<Select Path="Application">*[System[(Level < 4)]]</Select>
</Query>
<Query Id="2" Path="Windows PowerShell">
<Select Path="Windows PowerShell">*[System[(Level < 4)]]</Select>
</Query>
<Query Id="3" Path="System">
<Select Path="System">*</Select>
</Query>
<Query Id="4" Path="Setup">
<Select Path="Setup">*</Select>
</Query>
</QueryList>
'''
# event_fetch_size is the number of events to fetch per query.
event_fetch_size = 5
[inputs.windows_event.tags]
# some_tag = "some_value"
# more_tag = "some_other_value"
# ...
配置好后,重启 DataKit 即可。
日志¶
以下所有数据采集,默认会追加名为 host 的全局 tag(tag 值为 DataKit 所在主机名),也可以在配置中通过 [inputs.windows_event.tags] 指定其它标签:
windows_event¶
| Tags & Fields | Description |
|---|---|
| channel | Channel Type: string Unit: N/A |
| computer | Computer Type: string Unit: N/A |
| event_id | Event ID Type: string Unit: N/A |
| event_record_id | Event record ID Type: string Unit: N/A |
| event_source | Windows event source Type: string Unit: N/A |
| keyword | Keyword Type: string Unit: N/A |
| level | Level Type: string Unit: N/A |
| message | Event content Type: string Unit: N/A |
| process_id | Process ID Type: int Unit: N/A |
| status | Log level Type: string Unit: N/A |
| task | Task category Type: string Unit: N/A |
| total_message | Full text of the event Type: string Unit: N/A |
| version | Version Type: string Unit: N/A |