Skip to content

[confgenerator] Fix Windows Event Log V2 and Raw receivers in Otel Logging.#2219

Merged
franciscovalentecastro merged 14 commits into
masterfrom
fcovalente-fix-wineventlog-v2
Feb 25, 2026
Merged

[confgenerator] Fix Windows Event Log V2 and Raw receivers in Otel Logging.#2219
franciscovalentecastro merged 14 commits into
masterfrom
fcovalente-fix-wineventlog-v2

Conversation

@franciscovalentecastro
Copy link
Copy Markdown
Contributor

@franciscovalentecastro franciscovalentecastro commented Feb 23, 2026
edited
Loading

Description

This PR fixes the following fields in the windows_event_log_v2 and windows_event_log_raw_xml receivers to match it's fluent-bit counterpart. Improved the transformation test cases. This is a followup to #2198.

Some details :

V2 :

  • Level, Opcode, Tasks and Keywords now uses parsed_xml.Event.System.* fields to show non-rendered versions of this fields.
  • Message now uses parsed_xml.Event.RenderingInfo.Message to show non-parsed security messages.
  • ActivityID, RelatedActivityID and Version are now exposed by the OTel windowseventlogreceiver.

Raw :

  • Message now uses parsed_xml.Event.RenderingInfo.Message to show non-parsed security messages.

Related issue

b/413406335

How has this been tested?

Checklist:

  • Unit tests
    • Unit tests do not apply.
    • Unit tests have been added/modified and passed for this PR.
  • Integration tests
    • Integration tests do not apply.
    • Integration tests have been added/modified and passed for this PR.
  • Documentation
    • This PR introduces no user visible changes.
    • This PR introduces user visible changes and the corresponding documentation change has been made.
  • Minor version bump
    • This PR introduces no new features.
    • This PR introduces new features, and there is a separate PR to bump the minor version since the last release already.
    • This PR bumps the version.

@franciscovalentecastro franciscovalentecastro requested review from a team and avilevy18 and removed request for a team February 24, 2026 15:31
@franciscovalentecastro franciscovalentecastro force-pushed the fcovalente-fix-wineventlog-v2 branch from e905b5a to 87147bd Compare February 24, 2026 16:01
avilevy18
avilevy18 reviewed Feb 24, 2026
View reviewed changes
Comment thread confgenerator/logging_receivers.go Outdated
"jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name"},
"jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers"},
"jsonPayload.Keywords": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Keywords"},
"jsonPayload.Level": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Level", Type: "integer"},
Copy link
Copy Markdown
Contributor

@avilevy18 avilevy18 Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is MapValues and MapValuesExclusive not needed anymore?

Copy link
Copy Markdown
Contributor Author

@franciscovalentecastro franciscovalentecastro Feb 24, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MapValues or MapValuesExclusive are not required anymore to "correctly" generate the jsonPayload.Level field on "integer format" (which fluent-bit does by default, which we are replicating here).

jsonPayload.parsed_xml.Event.System.Level is already the original integer field (non-rendered, non-human readable format) so there is no mapping needed.

[Explanation]
There are two versions of Level generated in a "Raw XML" windows even log (see tests for examples), one is Event.System.Level (which is an integer from 1 to 4) and Event.RenderedInfo.Level (which is a "human readable" string like "Info"). We used to do this mapping manually, because the OTel windowseventlog receiver exposes only the "human readable" version by default.

There are ways to expose the non-rendered fields (see #2198) in the receiver, but we chose currently to use the original XML to obtain the "non-rendered" fields.

avilevy18
avilevy18 approved these changes Feb 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@avilevy18 avilevy18 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@franciscovalentecastro franciscovalentecastro force-pushed the fcovalente-fix-wineventlog-v2 branch from 7d38072 to c18fa4a Compare February 24, 2026 23:23
@franciscovalentecastro franciscovalentecastro merged commit 157e161 into master Feb 25, 2026
72 of 79 checks passed
@franciscovalentecastro franciscovalentecastro deleted the fcovalente-fix-wineventlog-v2 branch February 25, 2026 01:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@avilevy18 avilevy18 avilevy18 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@franciscovalentecastro @avilevy18