Registers a Windows Event Log Subscribe Callback to receive FlowFiles from Events on Windows. These can be filtered via channel and XPath.
ingest, event, windows
In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.
|Name||Default Value||Allowable Values||Description|
|Channel||System||The Windows Event Log Channel to listen to.|
|XPath Query||*||XPath Query to filter events. (See https://msdn.microsoft.com/en-us/library/windows/desktop/dd996910(v=vs.85).aspx for examples.)|
|Maximum Buffer Size||1048576||The individual Event Log XMLs are rendered to a buffer. This specifies the maximum size in bytes that the buffer will be allowed to grow to. (Limiting the maximum size of an individual Event XML.)|
|Maximum queue size||1024||Events are received asynchronously and must be output as FlowFiles when the processor is triggered. This specifies the maximum number of events to queue for transformation into FlowFiles.|
|success||Relationship for successfully consumed events.|
|mime.type||Will set a MIME type value of application/xml.|
This component does not store state.
This processor is used listen to Windows Event Log events. It has a success output that will contain an XML representation of the event.
Your Windows User must have permissions to read the given Event Log. This can be achieved through the following steps (Windows 2008 and newer):
1.Open a command prompt as your user. Enter the command: wmic useraccount get name,sid
2.Note the SID of the user or group you’d like to allow to read a given channel
3.Open a command prompt as Administrator. enter the command: wevtutil gl CHANNEL_NAME
4.Take the channelAccess Attribute starting with O:BAG, copy it into a text editor, and add (A;;0x1;;;YOUR_SID_FROM_BEFORE) to the end
5.Take that text and run the following command in your admin prompt (see below for example): wevtutil sl CHANNEL_NAME /ca:TEXT_FROM_PREVIOUS_STEP
The following command is the exact one I used to add read access to the Security log for my user. (You can see all the possible channels with: wevtutil el):
wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-3589080292-3448680409-2446571098-1001)
These steps were adapted from this guide