Description:
Registers a Windows Event Log Subscribe Callback to receive FlowFiles from Events on Windows. These can be filtered via channel and XPath.
Tags:
ingest, event, windows
Properties:
In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.
Name | Default Value | Allowable Values | Description |
Channel | System | The Windows Event Log Channel to listen to. | |
XPath Query | * | XPath Query to filter events. (See https://msdn.microsoft.com/en-us/library/windows/desktop/dd996910(v=vs.85).aspx for examples.) | |
Maximum Buffer Size | 1048576 | The individual Event Log XMLs are rendered to a buffer. This specifies the maximum size in bytes that the buffer will be allowed to grow to. (Limiting the maximum size of an individual Event XML.) | |
Maximum queue size | 1024 | Events are received asynchronously and must be output as FlowFiles when the processor is triggered. This specifies the maximum number of events to queue for transformation into FlowFiles. |
Relationships:
Name | Description |
success | Relationship for successfully consumed events. |
Reads Attributes:
None specified.
Writes Attributes:
Name | Description |
mime.type | Will set a MIME type value of application/xml. |
State management:
This component does not store state.
Summary:
This processor is used listen to Windows Event Log events. It has a success output that will contain an XML representation of the event.
Permissions:
Your Windows User must have permissions to read the given Event Log. This can be achieved through the following steps (Windows 2008 and newer):
1.Open a command prompt as your user. Enter the command: wmic useraccount get name,sid
2.Note the SID of the user or group you’d like to allow to read a given channel
3.Open a command prompt as Administrator. enter the command: wevtutil gl CHANNEL_NAME
4.Take the channelAccess Attribute starting with O:BAG, copy it into a text editor, and add (A;;0x1;;;YOUR_SID_FROM_BEFORE) to the end
5.Take that text and run the following command in your admin prompt (see below for example): wevtutil sl CHANNEL_NAME /ca:TEXT_FROM_PREVIOUS_STEP
The following command is the exact one I used to add read access to the Security log for my user. (You can see all the possible channels with: wevtutil el):
wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-3589080292-3448680409-2446571098-1001)
These steps were adapted from this guide