winevtlog: Add docs (#625)

Signed-off-by: Hiroshi Hatake <[email protected]>
fluent · Feb 16, 2022 · ce334c6 · ce334c6
1 parent a870757
commit ce334c6
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 0 deletions.
diff --git a/.gitbook.yaml b/.gitbook.yaml
@@ -29,6 +29,7 @@ redirects:
     input/tcp:             ./pipeline/inputs/tcp.md
     input/thermal:         ./pipeline/inputs/thermal.md
     input/winlog:          ./pipeline/inputs/windows-event-log.md
+    input/winevtlog:       ./pipeline/inputs/windows-event-log-winevtlog.md
 
     # Filters
     filter/aws:             ./pipeline/filters/aws-metadata.md

diff --git a/SUMMARY.md b/SUMMARY.md
@@ -104,6 +104,7 @@
   * [TCP](pipeline/inputs/tcp.md)
   * [Thermal](pipeline/inputs/thermal.md)
   * [Windows Event Log](pipeline/inputs/windows-event-log.md)
+  * [Windows Event Log (winevtlog)](pipeline/inputs/windows-event-log-winevtlog.md)
 * [Parsers](pipeline/parsers/README.md)
   * [Configuring Parser](pipeline/parsers/configuring-parser.md)
   * [JSON](pipeline/parsers/json.md)

diff --git a/installation/sources/build-and-install.md b/installation/sources/build-and-install.md
@@ -130,6 +130,7 @@ The _input plugins_ provides certain features to gather information from a speci
 | [FLB\_IN\_TCP](../../pipeline/inputs/tcp.md) | Enable TCP input plugin | On |
 | [FLB\_IN\_THERMAL](../../pipeline/inputs/thermal.md) | Enable system temperature\(s\) input plugin | On |
 | [FLB\_IN\_WINLOG](../../pipeline/inputs/windows-event-log.md) | Enable Windows Event Log input plugin \(Windows Only\) | On |
+| [FLB\_IN\_WINEVTLOG](../../pipeline/inputs/windows-event-log-winevtlog.md) | Enable Windows Event Log input plugin using winevt.h API \(Windows Only\) | On |
 
 ### Filter Plugins
 

diff --git a/pipeline/inputs/windows-event-log-winevtlog.md b/pipeline/inputs/windows-event-log-winevtlog.md
@@ -0,0 +1,51 @@
+# Windows Event Log (winevtlog)
+
+The **winevtlog** input plugin allows you to read Windows Event Log with new API from `winevt.h`.
+
+## Configuration Parameters <a id="config"></a>
+
+The plugin supports the following configuration parameters:
+
+| Key | Description | Default |
+| :--- | :--- | :--- |
+| Channels | A comma-separated list of channels to read from. |  |
+| Interval\_Sec | Set the polling interval for each channel. \(optional\) | 1 |
+| Interval\_NSec | Set the polling interval for each channel (sub seconds. \(optional\) | 0 |
+| Read\_Existing\_Events | Whether to read existing events from head or tailing events at last on subscribing. \(optional\) | False |
+| DB | Set the path to save the read offsets. \(optional\) |  |
+| String\_Inserts | Whether to include StringInserts in output records. \(optional\) | False  |
+| Render\_Event\_As\_XML | Whether to render system part of event as XML string or not. \(optional\) | False  |
+| Use\_ANSI | Use ANSI encoding on eventlog messages. \(optional\) | False  |
+
+Note that if you do not set _db_, the plugin will tail channels on each startup.
+
+## Configuration Examples <a id="config_example"></a>
+
+### Configuration File
+
+Here is a minimum configuration example.
+
+```python
+[INPUT]
+    Name         winevtlog
+    Channels     Setup,Windows PowerShell
+    Interval_Sec 1
+    DB           winevtlog.sqlite
+
+[OUTPUT]
+    Name   stdout
+    Match  *
+```
+
+Note that some Windows Event Log channels \(like `Security`\) requires an admin privilege for reading. In this case, you need to run fluent-bit as an administrator.
+
+### Command Line
+
+If you want to do a quick test, you can run this plugin from the command line.
+
+```bash
+$ fluent-bit -i winevtlog -p 'channels=Setup' -p 'Read_Existing_Events=true' -o stdout
+```
+
+Note that `winevtlog` plugin will tail channles on each startup.
+If you want to confirm whether this plugin is working or not, you should specify `-p 'Read_Existing_Events=true'` parameter.