diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index bd5f1a9e8b..bdd33b05c6 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -615,6 +615,8 @@ func (r LoggingReceiverWindowsEventLog) Pipelines(ctx context.Context) ([]otel.R
var p []otel.Component
var err error
if r.IsDefaultVersion() {
+ // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
+ receiver_config["include_log_record_original"] = true
p, err = windowsEventLogV1Processors(ctx)
} else if r.RenderAsXML {
// When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
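Review bot: The comment and assignment added at the top of the IsDefaultVersion branch read identically to the comment already on the RenderAsXML branch just below, so `include_log_record_original` now appears to be enabled in both branches; if the else-if branch also sets `receiver_config["include_log_record_original"] = true` (its assignment is outside the hunk), hoisting the comment and the assignment above the `if` would remove the duplication. The added comment should also say who consumes the attribute, since a reader of this branch cannot otherwise tell that the raw XML does not reach the exported record: `// The transform emitted by windowsEventLogV1Processors parses this attribute into body["parsed_xml"] and then deletes it.` Pipelines's body starts and ends outside the hunk.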
@@ -664,8 +666,22 @@ func (p LoggingProcessorWindowsEventLogV1) Processors(ctx context.Context) ([]ot
func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error) {
// The winlog input in fluent-bit has a completely different structure.
// We need to convert the OTel format into the fluent-bit format.
+
+ // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System.Task` and non-parsed `Event.RenderingInfo.Message`.
+ logRecordOriginal := ottl.LValue{"attributes", "log.record.original"}
+ bodyParsedXML := ottl.LValue{"body", "parsed_xml"}
+ processors := []otel.Component{
+ otel.Transform(
+ "log", "log",
+ ottl.NewStatements(
+ bodyParsedXML.SetIf(ottl.ParseSimplifiedXML(logRecordOriginal), logRecordOriginal.IsPresent()),
+ logRecordOriginal.Delete(),
+ ),
+ ),
+ }
+
var empty string
- p := &LoggingProcessorModifyFields{
+ modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
"jsonPayload.Channel": {CopyFrom: "jsonPayload.channel"},
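Review bot: The new transform at the top of windowsEventLogV1Processors only sets `body["parsed_xml"]` when `log.record.original` is present, and the goldens show it is emitted with `error_mode: ignore`, so a record whose original XML is absent or fails to parse simply has no `parsed_xml`; with EventCategory and Message later in this function now sourced from `parsed_xml` only, such a record loses both fields where the old code read `body.task` and `body.message`. That dependency is worth stating next to the transform: `// NOTE: EventCategory and Message below are read from body["parsed_xml"] only; a record whose log.record.original is missing or unparseable ends up without them.` If a fallback to the rendered `task`/`message` fields is wanted, it would have to be added in the ModifyField entries, not here. The function continues past the end of the hunk.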
@@ -677,29 +693,19 @@ func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error)
return v.Set(ottl.ConvertCase(v, "lower"))
},
},
- "jsonPayload.EventCategory": {CopyFrom: "jsonPayload.task", Type: "integer"},
+ "jsonPayload.EventCategory": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Task", Type: "integer"},
"jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id"},
"jsonPayload.EventType": {
CopyFrom: "jsonPayload.level",
CustomConvertFunc: func(v ottl.LValue) ottl.Statements {
- // TODO: What if there are multiple keywords?
keywords := ottl.LValue{"cache", "body", "keywords"}
- keyword0 := ottl.RValue(`cache["body"]["keywords"][0]`)
return ottl.NewStatements(
- v.SetIf(ottl.StringLiteral("SuccessAudit"), ottl.And(
- keywords.IsPresent(),
- ottl.IsNotNil(keyword0),
- ottl.Equals(keyword0, ottl.StringLiteral("Audit Success")),
- )),
- v.SetIf(ottl.StringLiteral("FailureAudit"), ottl.And(
- keywords.IsPresent(),
- ottl.IsNotNil(keyword0),
- ottl.Equals(keyword0, ottl.StringLiteral("Audit Failure")),
- )),
+ v.SetIf(ottl.StringLiteral("SuccessAudit"), ottl.ContainsValue(keywords, "Audit Success")),
+ v.SetIf(ottl.StringLiteral("FailureAudit"), ottl.ContainsValue(keywords, "Audit Failure")),
)
},
},
- "jsonPayload.Message": {CopyFrom: "jsonPayload.message"},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
"jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers"},
"jsonPayload.RecordNumber": {CopyFrom: "jsonPayload.record_id"},
"jsonPayload.Sid": {
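Review bot: The ContainsValue conditions drop the `keywords.IsPresent()` guard the replaced code had, and the golden output shows the generated condition as `where ContainsValue(cache["body"]["keywords"], "Audit Success")` with no nil check in front of it, so a record without `keywords` is left to the transform's error handling rather than evaluating to false. I would keep the guard: `v.SetIf(ottl.StringLiteral("SuccessAudit"), ottl.And(keywords.IsPresent(), ottl.ContainsValue(keywords, "Audit Success"))),` and the same for FailureAudit. Whether a nil target makes the OTTL ContainsValue converter error or return false is decided by the collector, which is not visible here, so the guard costs nothing and keeps the per-record error path quiet. windowsEventLogV1Processors starts and ends outside the hunk.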
@@ -738,7 +744,13 @@ func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error)
CustomConvertFunc: formatSystemTime,
},
}}
- return p.Processors(ctx)
+
+ p, err := modifyFields.Processors(ctx)
+ if err != nil {
+ return nil, err
+ }
+ processors = append(processors, p...)
+ return processors, nil
}
// LoggingProcessorWindowsEventLogV2 contains the otel logging processors for ReceiverVersion=2.
@@ -868,6 +880,7 @@ func noFluentBitImplementation(ctx context.Context, tag, uid string) []fluentbit
Fields: map[string]*ModifyField{
"jsonPayload.channel": {OmitIf: `jsonPayload.channel =~ ".*"`},
"jsonPayload.computer": {OmitIf: `jsonPayload.computer =~ ".*"`},
+ "jsonPayload.details": {OmitIf: `jsonPayload.details != nil`},
"jsonPayload.event_data": {OmitIf: `jsonPayload.event_data != nil`},
"jsonPayload.event_id": {OmitIf: `jsonPayload.event_id != nil`},
"jsonPayload.execution": {OmitIf: `jsonPayload.execution != nil`},
diff --git a/confgenerator/otel/ottl/ottl.go b/confgenerator/otel/ottl/ottl.go
index e16e6d3452..99bae20274 100644
--- a/confgenerator/otel/ottl/ottl.go
+++ b/confgenerator/otel/ottl/ottl.go
@@ -182,6 +182,10 @@ func ParseJSON(a Value) Value {
return valuef(`ParseJSON(%s)`, a)
}
+func ParseSimplifiedXML(a Value) Value {
+ return valuef(`ParseSimplifiedXML(%s)`, a)
+}
+
func ExtractPatternsRubyRegex(a Value, pattern string, omitEmptyValues bool) Value {
return valuef(`ExtractPatternsRubyRegex(%s, %q, %v)`, a, pattern, omitEmptyValues)
}
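Review bot: ParseSimplifiedXML is exported with no doc comment, and nothing in this file tells a reader that the argument is expected to be an XML string or that the callers in logging_receivers.go index the result as a nested map (`parsed_xml.Event.System.Task`). Suggest `// ParseSimplifiedXML returns the OTTL converter ParseSimplifiedXML(a), which parses the XML string a into a nested map; a parse failure surfaces as a statement error handled by the transform's error_mode.` The surrounding builders (ParseJSON, ExtractPatternsRubyRegex) are undocumented too, but the new one is a good place to start.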
@@ -190,6 +194,10 @@ func ConvertCase(a Value, toCase string) Value {
return valuef(`ConvertCase(%s, %q)`, a, toCase)
}
+func ContainsValue(a Value, value string) Value {
+ return valuef(`ContainsValue(%s, %q)`, a, value)
+}
+
func FormatTime(a Value, format string) Value {
return valuef(`FormatTime(%s, %q)`, a, format)
}
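Review bot: ContainsValue is exported without a doc comment, and the generated condition it produces carries no presence or type guard of its own (the goldens show `where ContainsValue(cache["body"]["keywords"], "Audit Success")` and nothing else), so the contract that `a` must evaluate to a slice belongs in the comment. Suggest `// ContainsValue returns the OTTL condition ContainsValue(a, value), which is true when the slice a contains the string value; callers that cannot guarantee a is present should And it with a.IsPresent().` The `%q` formatting of value follows ConvertCase and FormatTime above, so it is consistent, though it means Go escaping rather than OTTL escaping for non-ASCII input.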
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
index 64b79a69ba..259a3ba414 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
@@ -827,6 +827,13 @@ processors:
- set(cache["value"], "sample_logs") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -838,13 +845,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -879,8 +886,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -911,36 +918,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -952,13 +937,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -993,8 +978,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1025,7 +1010,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1055,6 +1069,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1066,13 +1087,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1107,8 +1128,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1139,7 +1160,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1224,18 +1245,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1281,6 +1305,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1291,6 +1316,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1301,6 +1327,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
index 64b79a69ba..259a3ba414 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
@@ -827,6 +827,13 @@ processors:
- set(cache["value"], "sample_logs") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -838,13 +845,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -879,8 +886,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -911,36 +918,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -952,13 +937,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -993,8 +978,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1025,7 +1010,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1055,6 +1069,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1066,13 +1087,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1107,8 +1128,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1139,7 +1160,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1224,18 +1245,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1281,6 +1305,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1291,6 +1316,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1301,6 +1327,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
index 43bab85354..6dd1ba29b6 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
@@ -800,6 +800,13 @@ processors:
- set(cache["value"], "sample_logs") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -811,13 +818,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -852,8 +859,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -884,36 +891,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -925,13 +910,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -966,8 +951,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -998,7 +983,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1028,6 +1042,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1039,13 +1060,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1080,8 +1101,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1112,7 +1133,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1197,18 +1218,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1254,6 +1278,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1264,6 +1289,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1274,6 +1300,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
index 43bab85354..6dd1ba29b6 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
@@ -800,6 +800,13 @@ processors:
- set(cache["value"], "sample_logs") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -811,13 +818,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -852,8 +859,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -884,36 +891,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -925,13 +910,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -966,8 +951,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -998,7 +983,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1028,6 +1042,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1039,13 +1060,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1080,8 +1101,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1112,7 +1133,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1197,18 +1218,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1254,6 +1278,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1264,6 +1289,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1274,6 +1300,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
index c8cb527cb0..cd0d51dd91 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
@@ -726,6 +726,13 @@ processors:
- set(cache["value"], "sample_logs") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -737,13 +744,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -778,8 +785,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -810,36 +817,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -851,13 +836,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -892,8 +877,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -924,7 +909,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -954,6 +968,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -965,13 +986,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1006,8 +1027,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1038,7 +1059,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1113,18 +1134,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1170,6 +1194,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1180,6 +1205,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1190,6 +1216,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
index c8cb527cb0..cd0d51dd91 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
@@ -726,6 +726,13 @@ processors:
- set(cache["value"], "sample_logs") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -737,13 +744,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -778,8 +785,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -810,36 +817,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -851,13 +836,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -892,8 +877,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -924,7 +909,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -954,6 +968,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -965,13 +986,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1006,8 +1027,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1038,7 +1059,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1113,18 +1134,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1170,6 +1194,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1180,6 +1205,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1190,6 +1216,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
index f5233ed430..2aaa7a632d 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
@@ -766,6 +766,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -777,13 +784,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -818,8 +825,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -850,36 +857,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -891,13 +876,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -932,8 +917,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -964,7 +949,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -994,6 +1008,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1005,13 +1026,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1046,8 +1067,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1078,7 +1099,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1164,18 +1185,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1221,6 +1245,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1231,6 +1256,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1241,6 +1267,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
index f5233ed430..2aaa7a632d 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
@@ -766,6 +766,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -777,13 +784,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -818,8 +825,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -850,36 +857,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -891,13 +876,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -932,8 +917,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -964,7 +949,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -994,6 +1008,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1005,13 +1026,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1046,8 +1067,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1078,7 +1099,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1164,18 +1185,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1221,6 +1245,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1231,6 +1256,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1241,6 +1267,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
index b332df5059..d927eb8d72 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
@@ -847,6 +847,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -858,13 +865,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -899,8 +906,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -931,36 +938,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -972,13 +957,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1013,8 +998,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1045,7 +1030,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1075,6 +1089,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1086,13 +1107,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1127,8 +1148,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1159,7 +1180,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1230,18 +1251,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1287,6 +1311,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- transform/logs_default__pipeline_windows__event__log_0
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
@@ -1298,6 +1323,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- transform/logs_default__pipeline_windows__event__log_1_0
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
@@ -1309,6 +1335,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- transform/logs_default__pipeline_windows__event__log_2_0
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
index b332df5059..d927eb8d72 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
@@ -847,6 +847,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -858,13 +865,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -899,8 +906,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -931,36 +938,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -972,13 +957,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1013,8 +998,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1045,7 +1030,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1075,6 +1089,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1086,13 +1107,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1127,8 +1148,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1159,7 +1180,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1230,18 +1251,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1287,6 +1311,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- transform/logs_default__pipeline_windows__event__log_0
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
@@ -1298,6 +1323,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- transform/logs_default__pipeline_windows__event__log_1_0
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
@@ -1309,6 +1335,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- transform/logs_default__pipeline_windows__event__log_2_0
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
index f56b7200db..72d312ccb1 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
@@ -711,6 +711,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -722,13 +729,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -763,8 +770,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -795,36 +802,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -836,13 +821,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -877,8 +862,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -909,7 +894,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -939,6 +953,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -950,13 +971,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -991,8 +1012,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1023,7 +1044,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1109,18 +1130,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1166,6 +1190,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1176,6 +1201,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1186,6 +1212,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
index f56b7200db..72d312ccb1 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
@@ -711,6 +711,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -722,13 +729,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -763,8 +770,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -795,36 +802,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -836,13 +821,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -877,8 +862,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -909,7 +894,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -939,6 +953,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -950,13 +971,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -991,8 +1012,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1023,7 +1044,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1109,18 +1130,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1166,6 +1190,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1176,6 +1201,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1186,6 +1212,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
index 1b07969b1c..8224db04a7 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
@@ -800,6 +800,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
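Review bot: The `delete_key(attributes, "log.record.original")` statement runs even when the preceding `ParseSimplifiedXML` fails, because `error_mode: ignore` skips only the failing statement, so a record whose XML did not parse loses its raw copy and (per the later mapping hunk, which reads `Task` and `Message` only from `body["parsed_xml"]`) ships with no Message at all. Guarding the delete on the parse having succeeded, `- delete_key(attributes, "log.record.original") where (body != nil and body["parsed_xml"] != nil)`, keeps the original available for the failure case. Since this golden is generated from `windowsEventLogV1Processors`, the change belongs there (a conditional delete keyed on `body["parsed_xml"]` being present) and the goldens regenerated; whether an unparsed attribute should then be exported or dropped elsewhere is a policy choice I cannot settle from this file.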
@@ -811,13 +818,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
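Review bot: `__field_6` (Message) is now sourced exclusively from `body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]`, so any event whose original XML lacks `RenderingInfo` or failed to parse silently drops the message that the previous `body["message"]` mapping would have carried. A fallback line after the new set, `- set(cache["__field_6"], body["message"]) where (cache["__field_6"] == nil and body != nil and body["message"] != nil)`, preserves the old behaviour for those records. I would not add a similar fallback for `__field_3` (Task): the head of this diff removes the integer-typed `EventCategory` mapping from `jsonPayload.task`, which suggests the receiver's `task` is a rendered name rather than the numeric `Event.System.Task`, so mixing the two would change the field's type (please confirm). As this golden is generated, the fallback would go into the `ModifyField` definition in the Go generator rather than here.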
@@ -852,8 +859,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -884,36 +891,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -925,13 +910,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -966,8 +951,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -998,7 +983,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1028,6 +1042,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1039,13 +1060,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1080,8 +1101,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1112,7 +1133,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1199,18 +1220,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1256,6 +1280,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1266,6 +1291,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1276,6 +1302,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
index 1b07969b1c..8224db04a7 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
@@ -800,6 +800,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
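Review bot: The `delete_key(attributes, "log.record.original")` statement is unconditional relative to the parse: with `error_mode: ignore` a failing `ParseSimplifiedXML` is skipped but the delete still executes, so an event with malformed or unexpected XML loses its only copy of the original and the downstream mapping, which reads `Task` and `Message` solely from `body["parsed_xml"]`, emits it with neither. Conditioning the delete on the parse result, `- delete_key(attributes, "log.record.original") where (body != nil and body["parsed_xml"] != nil)`, avoids that data loss. This file is a generated golden, so the actual change is to the statement emitted by `windowsEventLogV1Processors`, after which the goldens are regenerated.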
@@ -811,13 +818,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
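Review bot: Message (`__field_6`) now comes only from `body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]`, so records whose XML has no `RenderingInfo` element, or whose XML did not parse, are exported without a message even though the receiver's `body["message"]` (which the removed line used) is still present. Adding `- set(cache["__field_6"], body["message"]) where (cache["__field_6"] == nil and body != nil and body["message"] != nil)` after the new set restores the previous behaviour for exactly those records. Because this golden is generated, the fallback belongs in the generator's field definition rather than a hand edit here.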
@@ -852,8 +859,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -884,36 +891,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -925,13 +910,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -966,8 +951,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -998,7 +983,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1028,6 +1042,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1039,13 +1060,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1080,8 +1101,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1112,7 +1133,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1199,18 +1220,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1256,6 +1280,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1266,6 +1291,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1276,6 +1302,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
index ef78a252fc..8ec2a62ef3 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
@@ -1310,6 +1310,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -1321,13 +1328,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1362,8 +1369,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1394,36 +1401,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -1435,13 +1420,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1476,8 +1461,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1508,7 +1493,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1538,6 +1552,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1549,13 +1570,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1590,8 +1611,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1622,7 +1643,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1739,18 +1760,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1796,6 +1820,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1806,6 +1831,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1816,6 +1842,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
index ef78a252fc..8ec2a62ef3 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
@@ -1310,6 +1310,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -1321,13 +1328,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1362,8 +1369,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1394,36 +1401,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -1435,13 +1420,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1476,8 +1461,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1508,7 +1493,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1538,6 +1552,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1549,13 +1570,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1590,8 +1611,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1622,7 +1643,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1739,18 +1760,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1796,6 +1820,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1806,6 +1831,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1816,6 +1842,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
index 9a1a66e512..0d41b2b2c9 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
@@ -960,6 +960,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -971,13 +978,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1012,8 +1019,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1044,36 +1051,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -1085,13 +1070,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1126,8 +1111,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1158,7 +1143,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1188,6 +1202,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1199,13 +1220,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1240,8 +1261,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1272,7 +1293,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1371,18 +1392,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1428,6 +1452,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1438,6 +1463,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1448,6 +1474,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
index 9a1a66e512..0d41b2b2c9 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
@@ -960,6 +960,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -971,13 +978,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1012,8 +1019,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1044,36 +1051,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -1085,13 +1070,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1126,8 +1111,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1158,7 +1143,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -1188,6 +1202,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -1199,13 +1220,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -1240,8 +1261,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -1272,7 +1293,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1371,18 +1392,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1428,6 +1452,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1438,6 +1463,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1448,6 +1474,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
index 670fa4e1b3..95eeac7ae1 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
@@ -682,6 +682,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -693,13 +700,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -734,8 +741,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -766,36 +773,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -807,13 +792,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -848,8 +833,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -880,7 +865,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -910,6 +924,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -921,13 +942,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -962,8 +983,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -994,7 +1015,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1473,18 +1494,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1548,6 +1572,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1558,6 +1583,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1568,6 +1594,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
index 670fa4e1b3..95eeac7ae1 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
@@ -682,6 +682,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -693,13 +700,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -734,8 +741,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -766,36 +773,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -807,13 +792,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -848,8 +833,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -880,7 +865,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -910,6 +924,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -921,13 +942,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -962,8 +983,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -994,7 +1015,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1473,18 +1494,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1548,6 +1572,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1558,6 +1583,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1568,6 +1594,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
index 8d403298ac..c6f7ec7a2e 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
@@ -682,6 +682,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -693,13 +700,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -734,8 +741,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -766,36 +773,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -807,13 +792,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -848,8 +833,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -880,7 +865,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -910,6 +924,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -921,13 +942,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
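Review bot: `__field_3` (EventCategory) and `__field_6` (Message) are now read exclusively from `body["parsed_xml"]`, and the previous `body["task"]`/`body["message"]` sources are removed with no fallback. Because this pipeline runs with `error_mode: ignore` and the preceding `transform/windows__event__log_2_0` deletes `attributes["log.record.original"]` regardless of whether `ParseSimplifiedXML` succeeded, an event whose XML fails to parse reaches this processor with neither `parsed_xml` nor the original, so both fields end up empty. Since this golden is generated, the fix belongs in `windowsEventLogV1Processors`: either keep the raw XML when parsing did not produce a result, `- delete_key(attributes, "log.record.original") where (body != nil and body["parsed_xml"] != nil)`, or add a guarded fallback for the rendered text, `- set(cache["__field_6"], body["message"]) where (cache["__field_6"] == nil and body != nil and body["message"] != nil)`. The same pair of replaced statements recurs in every `windows__event__log_*_1` processor of this golden and in the winlog2_xml golden below.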
@@ -962,8 +983,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
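Review bot: The two rewritten `SuccessAudit`/`FailureAudit` conditions drop the nil guards that every neighbouring statement still carries (for example `where (cache != nil and cache["value"] != nil)` on the `set(body["EventType"], …)` line) and instead rely on `error_mode: ignore` to swallow the lookup failure when `cache["body"]` or its `keywords` list is absent. That makes the intent less visible in the generated config, and a generator regression in how `cache["body"]` is populated (not visible in this hunk) would be silently ignored rather than surface as an empty EventType in tests. As the golden is generated, the generator could emit `where (cache["body"] != nil and cache["body"]["keywords"] != nil and ContainsValue(cache["body"]["keywords"], "Audit Success"))` to keep the guarding style consistent with the rest of the block. Matching the keyword anywhere in the list rather than only at index 0 looks intentional and is an improvement. The same pair recurs in the other `windows__event__log_*` processors here and in the winlog2_xml golden.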
@@ -994,7 +1015,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1175,18 +1196,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1246,6 +1270,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1256,6 +1281,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1266,6 +1292,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
index 8d403298ac..c6f7ec7a2e 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
@@ -682,6 +682,13 @@ processors:
statements:
- extract_count_metric(true) where name == "grpc.client.attempt.duration"
transform/windows__event__log_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1:
error_mode: ignore
log_statements:
- context: log
@@ -693,13 +700,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -734,8 +741,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -766,36 +773,14 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1:
+ transform/windows__event__log_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "windows_event_log") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_1_1:
error_mode: ignore
log_statements:
- context: log
@@ -807,13 +792,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -848,8 +833,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -880,7 +865,36 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_1_1:
+ transform/windows__event__log_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "windows_event_log") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/windows__event__log_2:
error_mode: ignore
log_statements:
- context: log
@@ -910,6 +924,13 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/windows__event__log_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/windows__event__log_2_1:
error_mode: ignore
log_statements:
- context: log
@@ -921,13 +942,13 @@ processors:
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- set(cache["__field_2"], body["event_data"]["binary"]) where (body != nil and body["event_data"] != nil and body["event_data"]["binary"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_3"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- set(cache["__field_4"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
@@ -962,8 +983,8 @@ processors:
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - set(cache["value"], "SuccessAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Success")
- - set(cache["value"], "FailureAudit") where ((cache != nil and cache["body"] != nil and cache["body"]["keywords"] != nil) and cache["body"]["keywords"][0] != nil and cache["body"]["keywords"][0] == "Audit Failure")
+ - set(cache["value"], "SuccessAudit") where ContainsValue(cache["body"]["keywords"], "Audit Success")
+ - set(cache["value"], "FailureAudit") where ContainsValue(cache["body"]["keywords"], "Audit Failure")
- set(body["EventType"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
@@ -994,7 +1015,7 @@ processors:
- set(cache["value"], cache["__field_12"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeWritten"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/windows__event__log_2_1:
+ transform/windows__event__log_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1175,18 +1196,21 @@ receivers:
windowseventlog/windows__event__log:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_1:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/windows__event__log_2:
channel: Security
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1246,6 +1270,7 @@ service:
processors:
- transform/windows__event__log_0
- transform/windows__event__log_1
+ - transform/windows__event__log_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1256,6 +1281,7 @@ service:
processors:
- transform/windows__event__log_1_0
- transform/windows__event__log_1_1
+ - transform/windows__event__log_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1266,6 +1292,7 @@ service:
processors:
- transform/windows__event__log_2_0
- transform/windows__event__log_2_1
+ - transform/windows__event__log_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/config.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v1/config.yaml
index 0d8bc32b4f..c6d7924c0d 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/config.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/config.yaml
@@ -1,6 +1,13 @@
# This test is only intended to verify the Otel transformations required to generate
# a log entry output format similar to the fluent-bit windows event log receiver.
+# When setting "include_log_record_original: true" the "windowseventlogreceiver" sets
+# `attributes."log.record.original"` with the original XML. We replicate this behaviour
+# in the test by moving the parsed "log.record.original" JSON field to "labels" (otel "attributes").
- type: parse_json
time_key: time
time_format: "%Y-%m-%dT%H:%M:%S.%L%z"
+- type: modify_fields
+ fields:
+ labels."log.record.original":
+ move_from: jsonPayload."log.record.original"
- type: windows_event_log_v1
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
index 420002cead..8b32274e92 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
@@ -1,6 +1,3 @@
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Windows Modules Installer"},{"param2":"running"}]},"event_id":{"id":4444,"qualifiers":33333},"execution":{"process_id":222,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"The Windows Modules Installer service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":1111,"system_time":"2025-07-02T20:38:45.026077400Z","time":"2025-07-02T20:38:45.026077400Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":4444,"qualifiers":33333},"execution":{"process_id":222,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":1111,"system_time":"2025-07-02T20:39:32.339006100Z","time":"2025-07-02T20:39:32.339006100Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Network Setup Service"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":16384},"execution":{"process_id":780,"thread_id":8328},"keywords":["Classic"],"level":"Information","message":"The Network Setup Service service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":2273,"system_time":"2025-12-02T23:57:13.2944449Z","task":"0"}
-{"channel":"Application","computer":"test-computer","event_data":{"data":[{"":"2025-12-09T22:44:19Z"},{"":"RulesEngine"}]},"event_id":{"id":16384,"qualifiers":16384},"execution":{"process_id":0,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"Successfully scheduled Software Protection service for re-start at 2025-12-09T22:44:19Z. Reason: RulesEngine.","opcode":"0","provider":{"event_source":"Software Protection Platform Service","guid":"{11111111}","name":"Microsoft-Windows-Security-SPP"},"record_id":24567,"system_time":"2025-12-02T23:45:19.6366777Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"data":[{"param1":"Google Cloud Ops Agent - Logging Agent"},{"param2":"8856"},{"param3":"5212"}]},"event_id":{"id":7039,"qualifiers":32768},"execution":{"process_id":780,"thread_id":7152},"keywords":["Classic"],"level":"Warning","message":"A service process other than the one launched by the Service Control Manager connected when starting the Google Cloud Ops Agent - Logging Agent service. The Service Control Manager launched process 8856 and process 5212 connected instead.\n\n Note that if this service is configured to start under a debugger, this behavior is expected.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2285,"system_time":"2025-12-03T00:13:07.2682140Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"data":[{"HResult":"-2147020471"},{"UpdateType":"1024"}]},"event_id":{"id":1796,"qualifiers":0},"execution":{"process_id":6456,"thread_id":6424},"keywords":["0x8000000000000000"],"level":"Error","message":"The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931","opcode":"Info","provider":{"event_source":"","guid":"{7d5387b0-cbe0-11da-a94d-0800200c9a66}","name":"Microsoft-Windows-TPM-WMI"},"record_id":2133,"security":{"user_id":"S-1-5-18"},"system_time":"2025-12-02T22:49:40.4939915Z","task":"0"}
+{"log.record.original":"765404000x80800000000000002257Systemtest-computerClient License Service (ClipSVC)running43006C00690070005300560043002F0034000000The Client License Service (ClipSVC) service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","event_data":{"binary":"43006C00690070005300560043002F0034000000","data":[{"param1":"Client License Service (ClipSVC)"},{"param2":"running"}]},"event_id":{"id":7654,"qualifiers":12345},"execution":{"process_id":780,"thread_id":7548},"keywords":["Classic"],"level":"Information","message":"The Client License Service (ClipSVC) service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2257,"system_time":"2025-12-02T23:43:11.8975092Z","task":"0"}
+{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Success"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account 
Management"}
+{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Failure"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account 
Management"}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
index 5d961b8dd7..59ba64238b 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
@@ -1,22 +1,4 @@
- entries:
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: 2025-07-02T20:38:45.026077400Z
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: 2025-07-02T20:39:32.339006100Z
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: now
- jsonPayload:
message: This processor is only used for testing otel.
labels:
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
index ab75f309f2..5205f2e7dd 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
@@ -2,98 +2,20 @@
- jsonPayload:
Channel: System
ComputerName: test-computer
- Data: "12345"
+ Data: 43006c00690070005300560043002f0034000000
EventCategory: 0
- EventID: 4444
+ EventID: 7654
EventType: Information
- Message: The Windows Modules Installer service entered the running state.
- Qualifiers: 33333
- RecordNumber: 1111
+ Message: The Client License Service (ClipSVC) service entered the running state.
+ Qualifiers: 12345
+ RecordNumber: 2257
Sid: ""
SourceName: Service Control Manager
StringInserts:
- - Windows Modules Installer
+ - Client License Service (ClipSVC)
- running
- TimeGenerated: 2025-07-02 20:38:45.0260774 +0000
- TimeWritten: 2025-07-02 20:38:45.0260774 +0000
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: 2025-07-02T20:38:45.026077400Z
- - jsonPayload:
- Channel: System
- ComputerName: test-computer
- Data: "12345"
- EventCategory: 0
- EventID: 4444
- EventType: Information
- Message: The Software Protection service entered the stopped state.
- Qualifiers: 33333
- RecordNumber: 1111
- Sid: ""
- SourceName: Service Control Manager
- StringInserts:
- - Software Protection
- - stopped
- TimeGenerated: 2025-07-02 20:39:32.3390061 +0000
- TimeWritten: 2025-07-02 20:39:32.3390061 +0000
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: 2025-07-02T20:39:32.339006100Z
- - jsonPayload:
- Channel: System
- ComputerName: test-computer
- Data: "12345"
- EventCategory: 0
- EventID: 7036
- EventType: Information
- Message: The Network Setup Service service entered the running state.
- Qualifiers: 16384
- RecordNumber: 2273
- Sid: ""
- SourceName: Service Control Manager
- StringInserts:
- - Network Setup Service
- - running
- TimeGenerated: 2025-12-02 23:57:13.2944449 +0000
- TimeWritten: 2025-12-02 23:57:13.2944449 +0000
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: now
- - jsonPayload:
- Channel: Application
- ComputerName: test-computer
- Data: ""
- EventCategory: 0
- EventID: 16384
- EventType: Information
- Message: "Successfully scheduled Software Protection service for re-start at 2025-12-09T22:44:19Z. Reason: RulesEngine."
- Qualifiers: 16384
- RecordNumber: 24567
- Sid: ""
- SourceName: Software Protection Platform Service
- StringInserts:
- - 2025-12-09T22:44:19Z
- - RulesEngine
- TimeGenerated: 2025-12-02 23:45:19.6366777 +0000
- TimeWritten: 2025-12-02 23:45:19.6366777 +0000
+ TimeGenerated: 2025-12-02 23:43:11.8975092 +0000
+ TimeWritten: 2025-12-02 23:43:11.8975092 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -104,26 +26,41 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Channel: System
+ Channel: Security
ComputerName: test-computer
Data: ""
- EventCategory: 0
- EventID: 7039
- EventType: Warning
+ EventCategory: 13824
+ EventID: 9876
+ EventType: SuccessAudit
Message: |-
- A service process other than the one launched by the Service Control Manager connected when starting the Google Cloud Ops Agent - Logging Agent service. The Service Control Manager launched process 8856 and process 5212 connected instead.
+ Credential Manager credentials were read.
- Note that if this service is configured to start under a debugger, this behavior is expected.
- Qualifiers: 32768
- RecordNumber: 2285
+ Subject:
+ Security ID: S-0-0-0
+ Account Name: TEST-COMPUTER$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E5
+ Read Operation: Enumerate Credentials
+
+ This event occurs when a user performs a read operation on stored credentials in Credential Manager.
+ Qualifiers: 0
+ RecordNumber: 24007
Sid: ""
- SourceName: Service Control Manager
+ SourceName: Microsoft-Windows-Security-Auditing
StringInserts:
- - Google Cloud Ops Agent - Logging Agent
- - "8856"
- - "5212"
- TimeGenerated: 2025-12-03 00:13:07.268214 +0000
- TimeWritten: 2025-12-03 00:13:07.268214 +0000
+ - S-0-0-00
+ - TEST-COMPUTER$
+ - WORKGROUP
+ - "0x3e5"
+ - WindowsLive:target=virtualapp/didlogical
+ - "0"
+ - "1"
+ - "%%8100"
+ - "0"
+ - 2025-12-23T20:55:56.6615132Z
+ - "1234"
+ TimeGenerated: 2025-12-23 20:55:56.6898286 +0000
+ TimeWritten: 2025-12-23 20:55:56.6898286 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -134,22 +71,41 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Channel: System
+ Channel: Security
ComputerName: test-computer
Data: ""
- EventCategory: 0
- EventID: 1796
- EventType: Error
- Message: The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
+ EventCategory: 13824
+ EventID: 9876
+ EventType: FailureAudit
+ Message: |-
+ Credential Manager credentials were read.
+
+ Subject:
+ Security ID: S-0-0-0
+ Account Name: TEST-COMPUTER$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E5
+ Read Operation: Enumerate Credentials
+
+ This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Qualifiers: 0
- RecordNumber: 2133
- Sid: S-1-5-18
- SourceName: Microsoft-Windows-TPM-WMI
+ RecordNumber: 24007
+ Sid: ""
+ SourceName: Microsoft-Windows-Security-Auditing
StringInserts:
- - "-2147020471"
- - "1024"
- TimeGenerated: 2025-12-02 22:49:40.4939915 +0000
- TimeWritten: 2025-12-02 22:49:40.4939915 +0000
+ - S-0-0-00
+ - TEST-COMPUTER$
+ - WORKGROUP
+ - "0x3e5"
+ - WindowsLive:target=virtualapp/didlogical
+ - "0"
+ - "1"
+ - "%%8100"
+ - "0"
+ - 2025-12-23T20:55:56.6615132Z
+ - "1234"
+ TimeGenerated: 2025-12-23 20:55:56.6898286 +0000
+ TimeWritten: 2025-12-23 20:55:56.6898286 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
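Review bot: The expected Message of the FailureAudit record reads `Security ID: S-0-0-0` while the StringInserts and Subject values of the same record read `S-0-0-00`, and the SuccessAudit entry in the previous hunk has the same split; read on its own, the fixture looks like the processor is mangling the SID. From the input fixture it appears the synthetic `log.record.original` XML and the receiver's parsed `message` attribute deliberately carry different SIDs, so the mismatch is the evidence that Message is now sourced from the original XML's RenderingInfo rather than from `message`. That intent is invisible in an expected-output file, so it is worth recording next to the fixture (as a `#` comment here if the comparison is structural rather than byte-for-byte, otherwise in the test that consumes it), e.g. `# SID mismatch between Message (S-0-0-0) and StringInserts (S-0-0-00) is intentional: Message comes from log.record.original, not from the parsed message attribute.` If the difference is not deliberate, the input should use a single SID so a later regeneration of this file cannot silently absorb a real regression.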