diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index 9702ffc674..171ba7ffac 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -610,17 +610,15 @@ func (r LoggingReceiverWindowsEventLog) Pipelines(ctx context.Context) ([]otel.R
"poll_interval": "1s",
"ignore_channel_errors": true,
"storage": fileStorageExtensionID(),
+ // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
+ "include_log_record_original": true,
}
var p []otel.Component
var err error
if r.IsDefaultVersion() {
- // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
- receiver_config["include_log_record_original"] = true
p, err = windowsEventLogV1Processors(ctx)
} else if r.RenderAsXML {
- // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
- receiver_config["include_log_record_original"] = true
p, err = windowsEventLogRawXMLProcessors(ctx)
} else {
p, err = windowsEventLogV2Processors(ctx)
@@ -663,22 +661,26 @@ func (p LoggingProcessorWindowsEventLogV1) Processors(ctx context.Context) ([]ot
return windowsEventLogV1Processors(ctx)
}
-func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error) {
- // The winlog input in fluent-bit has a completely different structure.
- // We need to convert the OTel format into the fluent-bit format.
-
- // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System.Task` and non-parsed `Event.RenderingInfo.Message`.
+func parseLogRecordOriginal(deleteOriginalField bool) otel.Component {
+ // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System` fields and non-parsed `Event.RenderingInfo.Message`.
logRecordOriginal := ottl.LValue{"attributes", "log.record.original"}
bodyParsedXML := ottl.LValue{"body", "parsed_xml"}
- processors := []otel.Component{
- otel.Transform(
- "log", "log",
- ottl.NewStatements(
- bodyParsedXML.SetIf(ottl.ParseSimplifiedXML(logRecordOriginal), logRecordOriginal.IsPresent()),
- logRecordOriginal.Delete(),
- ),
- ),
+ statements := []ottl.Statements{
+ bodyParsedXML.SetIf(ottl.ParseSimplifiedXML(logRecordOriginal), logRecordOriginal.IsPresent()),
+ }
+ if deleteOriginalField {
+ statements = append(statements, logRecordOriginal.Delete())
}
+ return otel.Transform(
+ "log", "log",
+ ottl.NewStatements(statements...),
+ )
+}
+
+func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error) {
+ // The winlog input in fluent-bit has a completely different structure.
+ // We need to convert the OTel format into the fluent-bit format.
+ processors := []otel.Component{parseLogRecordOriginal(true)}
var empty string
modifyFields := &LoggingProcessorModifyFields{
@@ -732,7 +734,7 @@ func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error)
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data.data",
CustomConvertFunc: func(v ottl.LValue) ottl.Statements {
- return v.Set(ottl.ToValues(v))
+ return v.SetIf(ottl.ToValues(v), v.IsPresent())
},
},
"jsonPayload.TimeGenerated": {
@@ -774,32 +776,25 @@ func (p LoggingProcessorWindowsEventLogV2) Processors(ctx context.Context) ([]ot
func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error) {
// The winevtlog input in fluent-bit has a completely different structure.
// We need to convert the OTel format into the fluent-bit format.
+ processors := []otel.Component{parseLogRecordOriginal(true)}
+
var empty string
- p := &LoggingProcessorModifyFields{
+ var zero string = "0"
+ modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
- "jsonPayload.Channel": {CopyFrom: "jsonPayload.channel"},
- "jsonPayload.Computer": {CopyFrom: "jsonPayload.computer"},
- "jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id"},
- "jsonPayload.EventRecordID": {CopyFrom: "jsonPayload.record_id"},
- "jsonPayload.Keywords": {CopyFrom: "jsonPayload.keywords"},
- "jsonPayload.Level": {
- CopyFrom: "jsonPayload.level",
- MapValues: map[string]string{
- "Critical": "1",
- "Error": "2",
- "Warning": "3",
- "Information": "4",
- },
- Type: "integer",
- MapValuesExclusive: true,
- },
- "jsonPayload.Message": {CopyFrom: "jsonPayload.message"},
- "jsonPayload.Opcode": {CopyFrom: "jsonPayload.opcode", Type: "integer"},
- "jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer"},
- "jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid"},
- "jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name"},
- "jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers"},
+ "jsonPayload.Channel": {CopyFrom: "jsonPayload.channel", DefaultValue: &empty},
+ "jsonPayload.Computer": {CopyFrom: "jsonPayload.computer", DefaultValue: &empty},
+ "jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.EventRecordID": {CopyFrom: "jsonPayload.record_id", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.Keywords": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Keywords"},
+ "jsonPayload.Level": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Level", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message", DefaultValue: &empty},
+ "jsonPayload.Opcode": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Opcode", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid", DefaultValue: &empty},
+ "jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name", DefaultValue: &empty},
+ "jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers", Type: "integer", DefaultValue: &zero},
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data",
CustomConvertFunc: func(v ottl.LValue) ottl.Statements {
@@ -813,8 +808,8 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
)
},
},
- "jsonPayload.Task": {CopyFrom: "jsonPayload.task", Type: "integer"},
- "jsonPayload.ThreadId": {CopyFrom: "jsonPayload.execution.thread_id", Type: "integer"},
+ "jsonPayload.Task": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Task", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.ThreadId": {CopyFrom: "jsonPayload.execution.thread_id", Type: "integer", DefaultValue: &zero},
"jsonPayload.TimeCreated": {
CopyFrom: "jsonPayload.system_time",
CustomConvertFunc: formatSystemTime,
@@ -823,8 +818,16 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
CopyFrom: "jsonPayload.security.user_id",
DefaultValue: &empty,
},
+ "jsonPayload.ActivityID": {CopyFrom: "jsonPayload.correlation.activity_id", DefaultValue: &empty},
+ "jsonPayload.RelatedActivityID": {CopyFrom: "jsonPayload.correlation.related_activity_id", DefaultValue: &empty},
+ "jsonPayload.Version": {CopyFrom: "jsonPayload.version", Type: "integer", DefaultValue: &zero},
}}
- return p.Processors(ctx)
+ p, err := modifyFields.Processors(ctx)
+ if err != nil {
+ return nil, err
+ }
+ processors = append(processors, p...)
+ return processors, nil
}
// LoggingProcessorWindowsEventLogRawXML contains the otel logging processors for RenderAsXML=true.
@@ -850,10 +853,13 @@ func windowsEventLogRawXMLProcessors(ctx context.Context) ([]otel.Component, err
// the fields "Message", "System" (raw_xml) and "StringInserts". We replicate that structure in otel
// by setting `include_log_record_original: true` which sets `labels."log.record.original"` with the
// event original XML.
- p := &LoggingProcessorModifyFields{
+ processors := []otel.Component{parseLogRecordOriginal(false)}
+
+ var empty string
+ modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
- "jsonPayload.Message": {CopyFrom: "jsonPayload.message"},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message", DefaultValue: &empty},
`jsonPayload.raw_xml`: {MoveFrom: `labels."log.record.original"`},
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data",
@@ -870,7 +876,12 @@ func windowsEventLogRawXMLProcessors(ctx context.Context) ([]otel.Component, err
},
},
}
- return p.Processors(ctx)
+ p, err := modifyFields.Processors(ctx)
+ if err != nil {
+ return nil, err
+ }
+ processors = append(processors, p...)
+ return processors, nil
}
func noFluentBitImplementation(ctx context.Context, tag, uid string) []fluentbit.Component {
@@ -880,6 +891,7 @@ func noFluentBitImplementation(ctx context.Context, tag, uid string) []fluentbit
Fields: map[string]*ModifyField{
"jsonPayload.channel": {OmitIf: `jsonPayload.channel =~ ".*"`},
"jsonPayload.computer": {OmitIf: `jsonPayload.computer =~ ".*"`},
+ "jsonPayload.correlation": {OmitIf: `jsonPayload.correlation != nil`},
"jsonPayload.details": {OmitIf: `jsonPayload.details != nil`},
"jsonPayload.event_data": {OmitIf: `jsonPayload.event_data != nil`},
"jsonPayload.event_id": {OmitIf: `jsonPayload.event_id != nil`},
@@ -893,6 +905,7 @@ func noFluentBitImplementation(ctx context.Context, tag, uid string) []fluentbit
"jsonPayload.security": {OmitIf: `jsonPayload.security != nil`},
"jsonPayload.system_time": {OmitIf: `jsonPayload.system_time =~ ".*"`},
"jsonPayload.task": {OmitIf: `jsonPayload.task =~ ".*"`},
+ "jsonPayload.version": {OmitIf: `jsonPayload.version != nil`},
`labels."log.record.original"`: {OmitIf: `labels."log.record.original" =~ ".*"`},
},
}.Components(ctx, tag, uid)
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
index 2605f78a25..7557955f69 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
@@ -908,7 +908,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1000,7 +1000,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1150,7 +1150,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
index 2605f78a25..7557955f69 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
@@ -908,7 +908,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1000,7 +1000,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1150,7 +1150,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
index abb68130fa..96d0738159 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
index abb68130fa..96d0738159 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
index 3e9c5adb43..ff10284972 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
@@ -807,7 +807,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -899,7 +899,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1049,7 +1049,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
index 3e9c5adb43..ff10284972 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
@@ -807,7 +807,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -899,7 +899,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1049,7 +1049,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
index f5f8dfdade..239440da56 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
@@ -847,7 +847,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -939,7 +939,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1089,7 +1089,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
index f5f8dfdade..239440da56 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
@@ -847,7 +847,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -939,7 +939,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1089,7 +1089,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
index 517446896a..3fb93a1521 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
@@ -928,7 +928,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1020,7 +1020,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1170,7 +1170,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
index 517446896a..3fb93a1521 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
@@ -928,7 +928,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1020,7 +1020,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1170,7 +1170,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
index 83ce118fec..1f4f1ea580 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
@@ -792,7 +792,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -884,7 +884,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1034,7 +1034,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
index 83ce118fec..1f4f1ea580 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
@@ -792,7 +792,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -884,7 +884,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1034,7 +1034,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
index 25a6518c27..e0bc47b44c 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
index 25a6518c27..e0bc47b44c 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
index dde6f7dd43..53c114f814 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
@@ -1391,7 +1391,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1483,7 +1483,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1633,7 +1633,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
index dde6f7dd43..53c114f814 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
@@ -1391,7 +1391,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1483,7 +1483,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1633,7 +1633,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
index a33c463c1a..e519fb0e1a 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
@@ -1041,7 +1041,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1133,7 +1133,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1283,7 +1283,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
index a33c463c1a..e519fb0e1a 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
@@ -1041,7 +1041,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1133,7 +1133,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1283,7 +1283,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
index fc149e1798..740fd32a28 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1045,249 +1045,323 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1317,113 +1391,150 @@ processors:
- set(cache["value"], "winlog2") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1515,18 +1626,21 @@ receivers:
windowseventlog/winlog2:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_1:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_2:
channel: Microsoft-Windows-User Control Panel/Operational
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1605,6 +1719,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1615,6 +1730,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1625,6 +1741,7 @@ service:
processors:
- transform/winlog2_2_0
- transform/winlog2_2_1
+ - transform/winlog2_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
index fc149e1798..740fd32a28 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1045,249 +1045,323 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1317,113 +1391,150 @@ processors:
- set(cache["value"], "winlog2") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1515,18 +1626,21 @@ receivers:
windowseventlog/winlog2:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_1:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_2:
channel: Microsoft-Windows-User Control Panel/Operational
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1605,6 +1719,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1615,6 +1730,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1625,6 +1741,7 @@ service:
processors:
- transform/winlog2_2_0
- transform/winlog2_2_1
+ - transform/winlog2_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
index 716157d861..345a840ef8 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1045,12 +1045,18 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1060,6 +1066,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1070,42 +1077,19 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1115,6 +1099,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1125,7 +1110,36 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1303,6 +1317,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1313,6 +1328,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
index 716157d861..345a840ef8 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1045,12 +1045,18 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1060,6 +1066,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1070,42 +1077,19 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1115,6 +1099,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1125,7 +1110,36 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1303,6 +1317,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1313,6 +1328,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
index 08786d6562..3c4de664f4 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
@@ -1,2 +1,4 @@
-{"log.record.original": "179622000x80000000000000002133Systemtest-computer-21470204711024The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931ErrorInfoSystemMicrosoft-Windows-TPM-WMI", "channel":"System","computer":"test-computer","event_data":{"data":[{"HResult":"-2147020471"},{"UpdateType":"1024"}]},"event_id":{"id":1796,"qualifiers":0},"execution":{"process_id":6456,"thread_id":6424},"keywords":["0x8000000000000000"],"level":"Error","message":"The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931","opcode":"Info","provider":{"event_source":"","guid":"{11111111}","name":"Microsoft-Windows-TPM-WMI"},"record_id":2133,"security":{"user_id":"S-1-5-18"},"system_time":"2025-12-02T22:49:40.4939915Z","task":"0"}
-{"log.record.original": "703604000x80800000000000002373Systemtest-computerNetwork Setup Servicestopped12345The Network Setup Service service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Network Setup Service"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":16384},"execution":{"process_id":780,"thread_id":7916},"keywords":["Classic"],"level":"Information","message":"The Network Setup Service service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":2373,"system_time":"2025-12-03T01:49:43.5958197Z","task":"0"}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
+{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml
index 00e83bf206..c7aa052566 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml
@@ -1,4 +1,16 @@
- entries:
+ - jsonPayload:
+ message: This processor is only used for testing otel.
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/transformation_test
+ timestamp: now
+ - jsonPayload:
+ message: This processor is only used for testing otel.
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/transformation_test
+ timestamp: now
- jsonPayload:
message: This processor is only used for testing otel.
labels:
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
index 8b50f91656..c005d26636 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
@@ -1,10 +1,76 @@
- entries:
- jsonPayload:
- Message: The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
StringInserts:
- - "-2147020471"
- - "1024"
- raw_xml: 179622000x80000000000000002133Systemtest-computer-21470204711024The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931ErrorInfoSystemMicrosoft-Windows-TPM-WMI
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ raw_xml: |-
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -15,12 +81,109 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Message: The Network Setup Service service entered the stopped state.
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
StringInserts:
- - Network Setup Service
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ raw_xml: |-
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/my-log-name
+ resource:
+ labels:
+ instance_id: test-instance-id
+ zone: test-zone
+ type: gce_instance
+ timestamp: now
+ - jsonPayload:
+ Message: The Software Protection service entered the stopped state.
+ StringInserts:
+ - Software Protection
- stopped
- - "12345"
- raw_xml: 703604000x80800000000000002373Systemtest-computerNetwork Setup Servicestopped12345The Network Setup Service service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic
+ - 7300700070007300760063002F0031000000
+ raw_xml: 703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/my-log-name
+ resource:
+ labels:
+ instance_id: test-instance-id
+ zone: test-zone
+ type: gce_instance
+ timestamp: now
+ - jsonPayload:
+ Message: The Software Protection service entered the running state.
+ StringInserts:
+ - Software Protection
+ - running
+ - 7300700070007300760063002F0034000000
+ raw_xml: 703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
index 8b32274e92..3c4de664f4 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
@@ -1,3 +1,4 @@
-{"log.record.original":"765404000x80800000000000002257Systemtest-computerClient License Service (ClipSVC)running43006C00690070005300560043002F0034000000The Client License Service (ClipSVC) service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","event_data":{"binary":"43006C00690070005300560043002F0034000000","data":[{"param1":"Client License Service (ClipSVC)"},{"param2":"running"}]},"event_id":{"id":7654,"qualifiers":12345},"execution":{"process_id":780,"thread_id":7548},"keywords":["Classic"],"level":"Information","message":"The Client License Service (ClipSVC) service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2257,"system_time":"2025-12-02T23:43:11.8975092Z","task":"0"}
-{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Success"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
-{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Failure"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
+{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
index 59ba64238b..c7aa052566 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
@@ -17,6 +17,12 @@
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/transformation_test
timestamp: now
+ - jsonPayload:
+ message: This processor is only used for testing otel.
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/transformation_test
+ timestamp: now
partialSuccess: true
resource:
labels: {}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
index 5205f2e7dd..2a0887f766 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
@@ -1,21 +1,56 @@
- entries:
- jsonPayload:
- Channel: System
+ Channel: Security
ComputerName: test-computer
- Data: 43006c00690070005300560043002f0034000000
- EventCategory: 0
- EventID: 7654
- EventType: Information
- Message: The Client License Service (ClipSVC) service entered the running state.
- Qualifiers: 12345
- RecordNumber: 2257
+ Data: ""
+ EventCategory: 56789
+ EventID: 4567
+ EventType: SuccessAudit
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ Qualifiers: 0
+ RecordNumber: 34567
Sid: ""
- SourceName: Service Control Manager
+ SourceName: Microsoft-Windows-Security-Auditing
StringInserts:
- - Client License Service (ClipSVC)
- - running
- TimeGenerated: 2025-12-02 23:43:11.8975092 +0000
- TimeWritten: 2025-12-02 23:43:11.8975092 +0000
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ TimeGenerated: 2026-01-16 18:45:59.5782153 +0000
+ TimeWritten: 2026-01-16 18:45:59.5782153 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -29,38 +64,54 @@
Channel: Security
ComputerName: test-computer
Data: ""
- EventCategory: 13824
- EventID: 9876
- EventType: SuccessAudit
+ EventCategory: 56789
+ EventID: 4567
+ EventType: FailureAudit
Message: |-
- Credential Manager credentials were read.
+ Special privileges assigned to new logon.
Subject:
- Security ID: S-0-0-0
- Account Name: TEST-COMPUTER$
- Account Domain: WORKGROUP
- Logon ID: 0x3E5
- Read Operation: Enumerate Credentials
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
- This event occurs when a user performs a read operation on stored credentials in Credential Manager.
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
Qualifiers: 0
- RecordNumber: 24007
+ RecordNumber: 34567
Sid: ""
SourceName: Microsoft-Windows-Security-Auditing
StringInserts:
- S-0-0-00
- - TEST-COMPUTER$
- - WORKGROUP
- - "0x3e5"
- - WindowsLive:target=virtualapp/didlogical
- - "0"
- - "1"
- - "%%8100"
- - "0"
- - 2025-12-23T20:55:56.6615132Z
- - "1234"
- TimeGenerated: 2025-12-23 20:55:56.6898286 +0000
- TimeWritten: 2025-12-23 20:55:56.6898286 +0000
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ TimeGenerated: 2026-01-16 18:45:59.5782153 +0000
+ TimeWritten: 2026-01-16 18:45:59.5782153 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -71,41 +122,48 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Channel: Security
+ Channel: System
ComputerName: test-computer
- Data: ""
- EventCategory: 13824
- EventID: 9876
- EventType: FailureAudit
- Message: |-
- Credential Manager credentials were read.
-
- Subject:
- Security ID: S-0-0-0
- Account Name: TEST-COMPUTER$
- Account Domain: WORKGROUP
- Logon ID: 0x3E5
- Read Operation: Enumerate Credentials
-
- This event occurs when a user performs a read operation on stored credentials in Credential Manager.
- Qualifiers: 0
- RecordNumber: 24007
+ Data: 7300700070007300760063002f0031000000
+ EventCategory: 0
+ EventID: 7036
+ EventType: Information
+ Message: The Software Protection service entered the stopped state.
+ Qualifiers: 12345
+ RecordNumber: 11223
Sid: ""
- SourceName: Microsoft-Windows-Security-Auditing
+ SourceName: Service Control Manager
StringInserts:
- - S-0-0-00
- - TEST-COMPUTER$
- - WORKGROUP
- - "0x3e5"
- - WindowsLive:target=virtualapp/didlogical
- - "0"
- - "1"
- - "%%8100"
- - "0"
- - 2025-12-23T20:55:56.6615132Z
- - "1234"
- TimeGenerated: 2025-12-23 20:55:56.6898286 +0000
- TimeWritten: 2025-12-23 20:55:56.6898286 +0000
+ - Software Protection
+ - stopped
+ TimeGenerated: 2025-12-14 05:26:29.0709018 +0000
+ TimeWritten: 2025-12-14 05:26:29.0709018 +0000
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/my-log-name
+ resource:
+ labels:
+ instance_id: test-instance-id
+ zone: test-zone
+ type: gce_instance
+ timestamp: now
+ - jsonPayload:
+ Channel: System
+ ComputerName: test-computer
+ Data: 7300700070007300760063002f0034000000
+ EventCategory: 0
+ EventID: 7036
+ EventType: Information
+ Message: The Software Protection service entered the running state.
+ Qualifiers: 12345
+ RecordNumber: 22334
+ Sid: ""
+ SourceName: Service Control Manager
+ StringInserts:
+ - Software Protection
+ - running
+ TimeGenerated: 2025-12-14 05:25:55.5387001 +0000
+ TimeWritten: 2025-12-14 05:25:55.5387001 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml
index 2ce9b58bb3..8b219d3fc6 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml
@@ -1,6 +1,13 @@
# This test is only intended to verify the Otel transformations required to generate
# a log entry output format similar to the fluent-bit windows event log receiver.
+# When setting "include_log_record_original: true" the "windowseventlogreceiver" sets
+# `attributes."log.record.original"` with the original XML. We replicate this behaviour
+# in the test by moving the parsed "log.record.original" JSON field to "labels" (otel "attributes").
- type: parse_json
time_key: time
time_format: "%Y-%m-%dT%H:%M:%S.%L%z"
+- type: modify_fields
+ fields:
+ labels."log.record.original":
+ move_from: jsonPayload."log.record.original"
- type: windows_event_log_v2
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
index 4d185a9ed4..3c4de664f4 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
@@ -1,6 +1,4 @@
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Windows Modules Installer"},{"param2":"running"}]},"event_id":{"id":4444,"qualifiers":33333},"execution":{"process_id":222,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"The Windows Modules Installer service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":1111,"system_time":"2025-07-02T20:38:45.026077400Z", "time":"2025-07-02T20:38:45.026077400Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":4444,"qualifiers":33333},"execution":{"process_id":222,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":1111,"system_time":"2025-07-02T20:39:32.339006100Z", "time":"2025-07-02T20:39:32.339006100Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Network Setup Service"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":16384},"execution":{"process_id":780,"thread_id":8328},"keywords":["Classic"],"level":"Information","message":"The Network Setup Service service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":2273,"system_time":"2025-12-02T23:57:13.2944449Z","task":"0"}
-{"channel":"Application","computer":"test-computer","event_data":{"data":[{"":"2025-12-09T22:44:19Z"},{"":"RulesEngine"}]},"event_id":{"id":16384,"qualifiers":16384},"execution":{"process_id":0,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"Successfully scheduled Software Protection service for re-start at 2025-12-09T22:44:19Z. Reason: RulesEngine.","opcode":"0","provider":{"event_source":"Software Protection Platform Service","guid":"{11111111}","name":"Microsoft-Windows-Security-SPP"},"record_id":24567,"system_time":"2025-12-02T23:45:19.6366777Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"data":[{"param1":"Google Cloud Ops Agent - Logging Agent"},{"param2":"8856"},{"param3":"5212"}]},"event_id":{"id":7039,"qualifiers":32768},"execution":{"process_id":780,"thread_id":7152},"keywords":["Classic"],"level":"Warning","message":"A service process other than the one launched by the Service Control Manager connected when starting the Google Cloud Ops Agent - Logging Agent service. The Service Control Manager launched process 8856 and process 5212 connected instead.\n\n Note that if this service is configured to start under a debugger, this behavior is expected.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2285,"system_time":"2025-12-03T00:13:07.2682140Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"data":[{"HResult":"-2147020471"},{"UpdateType":"1024"}]},"event_id":{"id":1796,"qualifiers":0},"execution":{"process_id":6456,"thread_id":6424},"keywords":["0x8000000000000000"],"level":"Error","message":"The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931","opcode":"Info","provider":{"event_source":"","guid":"{7d5387b0-cbe0-11da-a94d-0800200c9a66}","name":"Microsoft-Windows-TPM-WMI"},"record_id":2133,"security":{"user_id":"S-1-5-18"},"system_time":"2025-12-02T22:49:40.4939915Z","task":"0"}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
+{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
index 5d961b8dd7..c7aa052566 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
@@ -1,16 +1,4 @@
- entries:
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: 2025-07-02T20:38:45.026077400Z
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: 2025-07-02T20:39:32.339006100Z
- jsonPayload:
message: This processor is only used for testing otel.
labels:
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
index 87f467a0a9..6658035149 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
@@ -1,26 +1,62 @@
- entries:
- jsonPayload:
- Channel: System
+ ActivityID: "{000000000-0000-0000-0000-000000000000}"
+ Channel: Security
Computer: test-computer
- EventID: 4444
- EventRecordID: 1111
- Keywords:
- - Classic
- Level: 4
- Message: The Windows Modules Installer service entered the running state.
+ EventID: 4567
+ EventRecordID: 34567
+ Keywords: "0x8020000000000000"
+ Level: 0
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
Opcode: 0
- ProcessID: 222
- ProviderGuid: "{11111111}"
- ProviderName: Service Control Manager
- Qualifiers: 33333
+ ProcessID: 820
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
+ ProviderName: Microsoft-Windows-Security-Auditing
+ Qualifiers: 0
+ RelatedActivityID: ""
StringInserts:
- - Windows Modules Installer
- - running
- - "12345"
- Task: 0
- ThreadId: 0
- TimeCreated: 2025-07-02 20:38:45.0260774 +0000
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ Task: 56789
+ ThreadId: 6080
+ TimeCreated: 2026-01-16 18:45:59.5782153 +0000
UserId: ""
+ Version: 0
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -29,29 +65,65 @@
instance_id: test-instance-id
zone: test-zone
type: gce_instance
- timestamp: 2025-07-02T20:38:45.026077400Z
+ timestamp: now
- jsonPayload:
- Channel: System
+ ActivityID: "{000000000-0000-0000-0000-000000000000}"
+ Channel: Security
Computer: test-computer
- EventID: 4444
- EventRecordID: 1111
- Keywords:
- - Classic
- Level: 4
- Message: The Software Protection service entered the stopped state.
+ EventID: 4567
+ EventRecordID: 34567
+ Keywords: "0x8020000000000000"
+ Level: 0
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
Opcode: 0
- ProcessID: 222
- ProviderGuid: "{11111111}"
- ProviderName: Service Control Manager
- Qualifiers: 33333
+ ProcessID: 820
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
+ ProviderName: Microsoft-Windows-Security-Auditing
+ Qualifiers: 0
+ RelatedActivityID: ""
StringInserts:
- - Software Protection
- - stopped
- - "12345"
- Task: 0
- ThreadId: 0
- TimeCreated: 2025-07-02 20:39:32.3390061 +0000
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ Task: 56789
+ ThreadId: 6080
+ TimeCreated: 2026-01-16 18:45:59.5782153 +0000
UserId: ""
+ Version: 0
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -60,59 +132,31 @@
instance_id: test-instance-id
zone: test-zone
type: gce_instance
- timestamp: 2025-07-02T20:39:32.339006100Z
+ timestamp: now
- jsonPayload:
+ ActivityID: ""
Channel: System
Computer: test-computer
EventID: 7036
- EventRecordID: 2273
- Keywords:
- - Classic
+ EventRecordID: 11223
+ Keywords: "0x8080000000000000"
Level: 4
- Message: The Network Setup Service service entered the running state.
+ Message: The Software Protection service entered the stopped state.
Opcode: 0
- ProcessID: 780
- ProviderGuid: "{11111111}"
+ ProcessID: 789
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
ProviderName: Service Control Manager
- Qualifiers: 16384
+ Qualifiers: 12345
+ RelatedActivityID: ""
StringInserts:
- - Network Setup Service
- - running
- - "12345"
- Task: 0
- ThreadId: 8328
- TimeCreated: 2025-12-02 23:57:13.2944449 +0000
- UserId: ""
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: now
- - jsonPayload:
- Channel: Application
- Computer: test-computer
- EventID: 16384
- EventRecordID: 24567
- Keywords:
- - Classic
- Level: 4
- Message: "Successfully scheduled Software Protection service for re-start at 2025-12-09T22:44:19Z. Reason: RulesEngine."
- Opcode: 0
- ProcessID: 0
- ProviderGuid: "{11111111}"
- ProviderName: Microsoft-Windows-Security-SPP
- Qualifiers: 16384
- StringInserts:
- - 2025-12-09T22:44:19Z
- - RulesEngine
+ - Software Protection
+ - stopped
+ - 7300700070007300760063002F0031000000
Task: 0
- ThreadId: 0
- TimeCreated: 2025-12-02 23:45:19.6366777 +0000
+ ThreadId: 5678
+ TimeCreated: 2025-12-14 05:26:29.0709018 +0000
UserId: ""
+ Version: 0
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -123,60 +167,29 @@
type: gce_instance
timestamp: now
- jsonPayload:
+ ActivityID: ""
Channel: System
Computer: test-computer
- EventID: 7039
- EventRecordID: 2285
- Keywords:
- - Classic
- Level: 3
- Message: |-
- A service process other than the one launched by the Service Control Manager connected when starting the Google Cloud Ops Agent - Logging Agent service. The Service Control Manager launched process 8856 and process 5212 connected instead.
-
- Note that if this service is configured to start under a debugger, this behavior is expected.
+ EventID: 7036
+ EventRecordID: 22334
+ Keywords: "0x8080000000000000"
+ Level: 4
+ Message: The Software Protection service entered the running state.
Opcode: 0
- ProcessID: 780
- ProviderGuid: "{555908d1-a6d7-4695-8e1e-26931d2012f4}"
+ ProcessID: 789
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
ProviderName: Service Control Manager
- Qualifiers: 32768
+ Qualifiers: 12345
+ RelatedActivityID: ""
StringInserts:
- - Google Cloud Ops Agent - Logging Agent
- - "8856"
- - "5212"
+ - Software Protection
+ - running
+ - 7300700070007300760063002F0034000000
Task: 0
- ThreadId: 7152
- TimeCreated: 2025-12-03 00:13:07.268214 +0000
+ ThreadId: 9876
+ TimeCreated: 2025-12-14 05:25:55.5387001 +0000
UserId: ""
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: now
- - jsonPayload:
- Channel: System
- Computer: test-computer
- EventID: 1796
- EventRecordID: 2133
- Keywords:
- - "0x8000000000000000"
- Level: 2
- Message: The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
- Opcode: Info
- ProcessID: 6456
- ProviderGuid: "{7d5387b0-cbe0-11da-a94d-0800200c9a66}"
- ProviderName: Microsoft-Windows-TPM-WMI
- Qualifiers: 0
- StringInserts:
- - "-2147020471"
- - "1024"
- Task: 0
- ThreadId: 6424
- TimeCreated: 2025-12-02 22:49:40.4939915 +0000
- UserId: S-1-5-18
+ Version: 0
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name