Description:

Registers a Windows Event Log Subscribe Callback to receive FlowFiles from Events on Windows. These can be filtered via channel and XPath.

Tags:

ingest, event, windows

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.

Name | Default Value | Allowable Values | Description
Channel | System | | The Windows Event Log Channel to listen to.
XPath Query | * | | XPath Query to filter events. (See https://msdn.microsoft.com/en-us/library/windows/desktop/dd996910(v=vs.85).aspx for examples.)
Maximum Buffer Size | 1048576 | | The individual Event Log XMLs are rendered to a buffer. This specifies the maximum size in bytes that the buffer will be allowed to grow to. (Limiting the maximum size of an individual Event XML.)
Maximum queue size | 1024 | | Events are received asynchronously and must be output as FlowFiles when the processor is triggered. This specifies the maximum number of events to queue for transformation into FlowFiles.

Relationships:

Name | Description
success | Relationship for successfully consumed events.

Reads Attributes:

None specified.

Writes Attributes:

Name | Description
mime.type | Will set a MIME type value of application/xml.

State management:

This component does not store state.

Summary:

This processor is used to listen to Windows Event Log events. It has a success output that will contain an XML representation of the event.

Permissions:

Your Windows User must have permissions to read the given Event Log. This can be achieved through the following steps (Windows 2008 and newer):

1. Open a command prompt as your user and enter the command: wmic useraccount get name,sid

2. Note the SID of the user or group you'd like to allow to read a given channel.

3. Open a command prompt as Administrator and enter the command: wevtutil gl CHANNEL_NAME

4. Take the channelAccess attribute starting with O:BAG, copy it into a text editor, and add (A;;0x1;;;YOUR_SID_FROM_BEFORE) to the end.

5. Take that text and run the following command in your admin prompt (see below for an example): wevtutil sl CHANNEL_NAME /ca:TEXT_FROM_PREVIOUS_STEP

The following command is the exact one I used to add read access to the Security log for my user (you can see all the possible channels with: wevtutil el):

wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-3589080292-3448680409-2446571098-1001)
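As an added example (not part of the NiFi documentation or the project's code), the following PowerShell script performs steps 1 through 5 above for one channel and one account. The parameter names, the dry-run default, the elevation check and the duplicate-ACE check are this example's own assumptions; the ACE it appends is the same (A;;0x1;;;SID) read-only entry the steps describe.

```powershell
# Added example: grant one account read access (mask 0x1) to one Event Log channel.
# Usage: .\Grant-EventLogRead.ps1 -ChannelName Security -Account "MYHOST\nifi-svc" [-Apply]
param(
    [Parameter(Mandatory)] [string] $ChannelName,   # e.g. "Security" (list channels with: wevtutil el)
    [Parameter(Mandatory)] [string] $Account,       # e.g. "MYHOST\nifi-svc" or "DOMAIN\group"
    [switch] $Apply                                 # without -Apply only the resulting command is printed
)

# Steps 1-2: resolve the account name to its SID (what "wmic useraccount get name,sid" shows).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Step 3: read the channel's current security descriptor (SDDL) from "wevtutil gl".
$accessLine = wevtutil gl $ChannelName | Where-Object { $_ -match '^\s*channelAccess:' } | Select-Object -First 1
if (-not $accessLine -or -not ($accessLine -match 'channelAccess:\s*(\S+)')) {
    throw "Could not read channelAccess for channel '$ChannelName' (does the channel exist?)"
}
$currentSddl = $Matches[1]

# Step 4: append a read-only ACE for the SID, unless the SID already has an entry.
if ($currentSddl -like "*;;;$sid)*") {
    Write-Host "Channel '$ChannelName' already has an ACE for $sid ($Account); nothing to change."
    return
}
$newSddl = $currentSddl + "(A;;0x1;;;$sid)"
Write-Host "Current SDDL: $currentSddl"
Write-Host "New SDDL:     $newSddl"

# Step 5: apply with "wevtutil sl", which needs an elevated (Administrator) prompt.
if (-not $Apply) {
    Write-Host "Dry run. From an elevated prompt, re-run with -Apply or execute:"
    Write-Host "wevtutil sl $ChannelName /ca:$newSddl"
    return
}
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Applying the new SDDL requires an elevated (Administrator) prompt."
}
wevtutil sl $ChannelName "/ca:$newSddl"
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
Write-Host "Read access to '$ChannelName' granted to $Account ($sid)."
```

Re-running "wevtutil gl CHANNEL_NAME" afterwards shows the appended ACE, which is the quickest way to confirm the change took effect.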

These steps were adapted from this guide.