From 66179de45f74a0894b5f7c432aed7b774b66e411 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Thu, 19 Feb 2026 22:34:07 +0000
Subject: [PATCH 01/14] Fix `ActivityID`, `RelatedActivityID`, `Version` and
`Keywords`.
---
confgenerator/logging_receivers.go | 29 ++-
.../config.yaml | 7 +
.../input.log | 9 +-
.../output_fluentbit.yaml | 18 --
.../output_otel.yaml | 213 +++++++-----------
5 files changed, 112 insertions(+), 164 deletions(-)
diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index 9702ffc674..7bd5765aee 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -623,6 +623,8 @@ func (r LoggingReceiverWindowsEventLog) Pipelines(ctx context.Context) ([]otel.R
receiver_config["include_log_record_original"] = true
p, err = windowsEventLogRawXMLProcessors(ctx)
} else {
+ // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
+ receiver_config["include_log_record_original"] = true
p, err = windowsEventLogV2Processors(ctx)
}
if err != nil {
@@ -774,15 +776,28 @@ func (p LoggingProcessorWindowsEventLogV2) Processors(ctx context.Context) ([]ot
func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error) {
// The winevtlog input in fluent-bit has a completely different structure.
// We need to convert the OTel format into the fluent-bit format.
+
+ // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System.Task` and non-parsed `Event.RenderingInfo.Message`.
+ logRecordOriginal := ottl.LValue{"attributes", "log.record.original"}
+ bodyParsedXML := ottl.LValue{"body", "parsed_xml"}
+ processors := []otel.Component{
+ otel.Transform(
+ "log", "log",
+ ottl.NewStatements(
+ bodyParsedXML.SetIf(ottl.ParseSimplifiedXML(logRecordOriginal), logRecordOriginal.IsPresent()),
+ logRecordOriginal.Delete(),
+ ),
+ ),
+ }
var empty string
- p := &LoggingProcessorModifyFields{
+ modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
"jsonPayload.Channel": {CopyFrom: "jsonPayload.channel"},
"jsonPayload.Computer": {CopyFrom: "jsonPayload.computer"},
"jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id"},
"jsonPayload.EventRecordID": {CopyFrom: "jsonPayload.record_id"},
- "jsonPayload.Keywords": {CopyFrom: "jsonPayload.keywords"},
+ "jsonPayload.Keywords": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Keywords"},
"jsonPayload.Level": {
CopyFrom: "jsonPayload.level",
MapValues: map[string]string{
@@ -823,8 +838,16 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
CopyFrom: "jsonPayload.security.user_id",
DefaultValue: &empty,
},
+ "jsonPayload.ActivityID": {CopyFrom: "jsonPayload.correlation.activity_id"},
+ "jsonPayload.RelatedActivityID": {CopyFrom: "jsonPayload.correlation.related_activity_id"},
+ "jsonPayload.Version": {CopyFrom: "jsonPayload.version", Type: "integer"},
}}
- return p.Processors(ctx)
+ p, err := modifyFields.Processors(ctx)
+ if err != nil {
+ return nil, err
+ }
+ processors = append(processors, p...)
+ return processors, nil
}
// LoggingProcessorWindowsEventLogRawXML contains the otel logging processors for RenderAsXML=true.
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml
index 2ce9b58bb3..8b219d3fc6 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/config.yaml
@@ -1,6 +1,13 @@
# This test is only intended to verify the Otel transformations required to generate
# a log entry output format similar to the fluent-bit windows event log receiver.
+# When setting "include_log_record_original: true" the "windowseventlogreceiver" sets
+# `attributes."log.record.original"` with the original XML. We replicate this behaviour
+# in the test by moving the parsed "log.record.original" JSON field to "labels" (otel "attributes").
- type: parse_json
time_key: time
time_format: "%Y-%m-%dT%H:%M:%S.%L%z"
+- type: modify_fields
+ fields:
+ labels."log.record.original":
+ move_from: jsonPayload."log.record.original"
- type: windows_event_log_v2
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
index 4d185a9ed4..8b32274e92 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
@@ -1,6 +1,3 @@
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Windows Modules Installer"},{"param2":"running"}]},"event_id":{"id":4444,"qualifiers":33333},"execution":{"process_id":222,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"The Windows Modules Installer service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":1111,"system_time":"2025-07-02T20:38:45.026077400Z", "time":"2025-07-02T20:38:45.026077400Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":4444,"qualifiers":33333},"execution":{"process_id":222,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":1111,"system_time":"2025-07-02T20:39:32.339006100Z", "time":"2025-07-02T20:39:32.339006100Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Network Setup Service"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":16384},"execution":{"process_id":780,"thread_id":8328},"keywords":["Classic"],"level":"Information","message":"The Network Setup Service service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":2273,"system_time":"2025-12-02T23:57:13.2944449Z","task":"0"}
-{"channel":"Application","computer":"test-computer","event_data":{"data":[{"":"2025-12-09T22:44:19Z"},{"":"RulesEngine"}]},"event_id":{"id":16384,"qualifiers":16384},"execution":{"process_id":0,"thread_id":0},"keywords":["Classic"],"level":"Information","message":"Successfully scheduled Software Protection service for re-start at 2025-12-09T22:44:19Z. Reason: RulesEngine.","opcode":"0","provider":{"event_source":"Software Protection Platform Service","guid":"{11111111}","name":"Microsoft-Windows-Security-SPP"},"record_id":24567,"system_time":"2025-12-02T23:45:19.6366777Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"data":[{"param1":"Google Cloud Ops Agent - Logging Agent"},{"param2":"8856"},{"param3":"5212"}]},"event_id":{"id":7039,"qualifiers":32768},"execution":{"process_id":780,"thread_id":7152},"keywords":["Classic"],"level":"Warning","message":"A service process other than the one launched by the Service Control Manager connected when starting the Google Cloud Ops Agent - Logging Agent service. The Service Control Manager launched process 8856 and process 5212 connected instead.\n\n Note that if this service is configured to start under a debugger, this behavior is expected.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2285,"system_time":"2025-12-03T00:13:07.2682140Z","task":"0"}
-{"channel":"System","computer":"test-computer","event_data":{"data":[{"HResult":"-2147020471"},{"UpdateType":"1024"}]},"event_id":{"id":1796,"qualifiers":0},"execution":{"process_id":6456,"thread_id":6424},"keywords":["0x8000000000000000"],"level":"Error","message":"The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931","opcode":"Info","provider":{"event_source":"","guid":"{7d5387b0-cbe0-11da-a94d-0800200c9a66}","name":"Microsoft-Windows-TPM-WMI"},"record_id":2133,"security":{"user_id":"S-1-5-18"},"system_time":"2025-12-02T22:49:40.4939915Z","task":"0"}
+{"log.record.original":"765404000x80800000000000002257Systemtest-computerClient License Service (ClipSVC)running43006C00690070005300560043002F0034000000The Client License Service (ClipSVC) service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","event_data":{"binary":"43006C00690070005300560043002F0034000000","data":[{"param1":"Client License Service (ClipSVC)"},{"param2":"running"}]},"event_id":{"id":7654,"qualifiers":12345},"execution":{"process_id":780,"thread_id":7548},"keywords":["Classic"],"level":"Information","message":"The Client License Service (ClipSVC) service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2257,"system_time":"2025-12-02T23:43:11.8975092Z","task":"0"}
+{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Success"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
+{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Failure"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
index 5d961b8dd7..59ba64238b 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
@@ -1,22 +1,4 @@
- entries:
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: 2025-07-02T20:38:45.026077400Z
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: 2025-07-02T20:39:32.339006100Z
- - jsonPayload:
- message: This processor is only used for testing otel.
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/transformation_test
- timestamp: now
- jsonPayload:
message: This processor is only used for testing otel.
labels:
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
index 87f467a0a9..70b3002de9 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
@@ -2,86 +2,23 @@
- jsonPayload:
Channel: System
Computer: test-computer
- EventID: 4444
- EventRecordID: 1111
- Keywords:
- - Classic
+ EventID: 7654
+ EventRecordID: 2257
+ Keywords: "0x8080000000000000"
Level: 4
- Message: The Windows Modules Installer service entered the running state.
- Opcode: 0
- ProcessID: 222
- ProviderGuid: "{11111111}"
- ProviderName: Service Control Manager
- Qualifiers: 33333
- StringInserts:
- - Windows Modules Installer
- - running
- - "12345"
- Task: 0
- ThreadId: 0
- TimeCreated: 2025-07-02 20:38:45.0260774 +0000
- UserId: ""
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: 2025-07-02T20:38:45.026077400Z
- - jsonPayload:
- Channel: System
- Computer: test-computer
- EventID: 4444
- EventRecordID: 1111
- Keywords:
- - Classic
- Level: 4
- Message: The Software Protection service entered the stopped state.
- Opcode: 0
- ProcessID: 222
- ProviderGuid: "{11111111}"
- ProviderName: Service Control Manager
- Qualifiers: 33333
- StringInserts:
- - Software Protection
- - stopped
- - "12345"
- Task: 0
- ThreadId: 0
- TimeCreated: 2025-07-02 20:39:32.3390061 +0000
- UserId: ""
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: 2025-07-02T20:39:32.339006100Z
- - jsonPayload:
- Channel: System
- Computer: test-computer
- EventID: 7036
- EventRecordID: 2273
- Keywords:
- - Classic
- Level: 4
- Message: The Network Setup Service service entered the running state.
+ Message: The Client License Service (ClipSVC) service entered the running state.
Opcode: 0
ProcessID: 780
- ProviderGuid: "{11111111}"
+ ProviderGuid: "{555908d1-a6d7-4695-8e1e-26931d2012f4}"
ProviderName: Service Control Manager
- Qualifiers: 16384
+ Qualifiers: 12345
StringInserts:
- - Network Setup Service
+ - Client License Service (ClipSVC)
- running
- - "12345"
+ - 43006C00690070005300560043002F0034000000
Task: 0
- ThreadId: 8328
- TimeCreated: 2025-12-02 23:57:13.2944449 +0000
+ ThreadId: 7548
+ TimeCreated: 2025-12-02 23:43:11.8975092 +0000
UserId: ""
labels:
compute.googleapis.com/resource_name: hostname
@@ -93,59 +30,43 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Channel: Application
+ Channel: Security
Computer: test-computer
- EventID: 16384
- EventRecordID: 24567
- Keywords:
- - Classic
+ EventID: 9876
+ EventRecordID: 24007
+ Keywords: "0x8020000000000000"
Level: 4
- Message: "Successfully scheduled Software Protection service for re-start at 2025-12-09T22:44:19Z. Reason: RulesEngine."
- Opcode: 0
- ProcessID: 0
- ProviderGuid: "{11111111}"
- ProviderName: Microsoft-Windows-Security-SPP
- Qualifiers: 16384
- StringInserts:
- - 2025-12-09T22:44:19Z
- - RulesEngine
- Task: 0
- ThreadId: 0
- TimeCreated: 2025-12-02 23:45:19.6366777 +0000
- UserId: ""
- labels:
- compute.googleapis.com/resource_name: hostname
- logName: projects/my-project/logs/my-log-name
- resource:
- labels:
- instance_id: test-instance-id
- zone: test-zone
- type: gce_instance
- timestamp: now
- - jsonPayload:
- Channel: System
- Computer: test-computer
- EventID: 7039
- EventRecordID: 2285
- Keywords:
- - Classic
- Level: 3
Message: |-
- A service process other than the one launched by the Service Control Manager connected when starting the Google Cloud Ops Agent - Logging Agent service. The Service Control Manager launched process 8856 and process 5212 connected instead.
+ Credential Manager credentials were read.
- Note that if this service is configured to start under a debugger, this behavior is expected.
- Opcode: 0
- ProcessID: 780
- ProviderGuid: "{555908d1-a6d7-4695-8e1e-26931d2012f4}"
- ProviderName: Service Control Manager
- Qualifiers: 32768
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: TEST-COMPUTER$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E5
+ Read Operation: Enumerate Credentials
+
+ This event occurs when a user performs a read operation on stored credentials in Credential Manager.
+ Opcode: Info
+ ProcessID: 812
+ ProviderGuid: "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ ProviderName: Microsoft-Windows-Security-Auditing
+ Qualifiers: 0
StringInserts:
- - Google Cloud Ops Agent - Logging Agent
- - "8856"
- - "5212"
- Task: 0
- ThreadId: 7152
- TimeCreated: 2025-12-03 00:13:07.268214 +0000
+ - S-0-0-00
+ - TEST-COMPUTER$
+ - WORKGROUP
+ - "0x3e5"
+ - WindowsLive:target=virtualapp/didlogical
+ - "0"
+ - "1"
+ - "%%8100"
+ - "0"
+ - 2025-12-23T20:55:56.6615132Z
+ - "1234"
+ Task: User Account Management
+ ThreadId: 2820
+ TimeCreated: 2025-12-23 20:55:56.6898286 +0000
UserId: ""
labels:
compute.googleapis.com/resource_name: hostname
@@ -157,26 +78,44 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Channel: System
+ Channel: Security
Computer: test-computer
- EventID: 1796
- EventRecordID: 2133
- Keywords:
- - "0x8000000000000000"
- Level: 2
- Message: The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
+ EventID: 9876
+ EventRecordID: 24007
+ Keywords: "0x8020000000000000"
+ Level: 4
+ Message: |-
+ Credential Manager credentials were read.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: TEST-COMPUTER$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E5
+ Read Operation: Enumerate Credentials
+
+ This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Opcode: Info
- ProcessID: 6456
- ProviderGuid: "{7d5387b0-cbe0-11da-a94d-0800200c9a66}"
- ProviderName: Microsoft-Windows-TPM-WMI
+ ProcessID: 812
+ ProviderGuid: "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ ProviderName: Microsoft-Windows-Security-Auditing
Qualifiers: 0
StringInserts:
- - "-2147020471"
- - "1024"
- Task: 0
- ThreadId: 6424
- TimeCreated: 2025-12-02 22:49:40.4939915 +0000
- UserId: S-1-5-18
+ - S-0-0-00
+ - TEST-COMPUTER$
+ - WORKGROUP
+ - "0x3e5"
+ - WindowsLive:target=virtualapp/didlogical
+ - "0"
+ - "1"
+ - "%%8100"
+ - "0"
+ - 2025-12-23T20:55:56.6615132Z
+ - "1234"
+ Task: User Account Management
+ ThreadId: 2820
+ TimeCreated: 2025-12-23 20:55:56.6898286 +0000
+ UserId: ""
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
From d224a50f3f559abb0c75a6c6e4b410056a79cf3a Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Mon, 23 Feb 2026 21:48:40 +0000
Subject: [PATCH 02/14] Use non parsed `Message` in all windows receivers.
---
confgenerator/logging_receivers.go | 68 +++++++++++++++---------------
1 file changed, 33 insertions(+), 35 deletions(-)
diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index 7bd5765aee..ddf01f1b11 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -610,21 +610,17 @@ func (r LoggingReceiverWindowsEventLog) Pipelines(ctx context.Context) ([]otel.R
"poll_interval": "1s",
"ignore_channel_errors": true,
"storage": fileStorageExtensionID(),
+ // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
+ "include_log_record_original": true,
}
var p []otel.Component
var err error
if r.IsDefaultVersion() {
- // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
- receiver_config["include_log_record_original"] = true
p, err = windowsEventLogV1Processors(ctx)
} else if r.RenderAsXML {
- // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
- receiver_config["include_log_record_original"] = true
p, err = windowsEventLogRawXMLProcessors(ctx)
} else {
- // When "include_log_record_original = true", the event original XML string is set in `attributes."log.record.original"`.
- receiver_config["include_log_record_original"] = true
p, err = windowsEventLogV2Processors(ctx)
}
if err != nil {
@@ -665,22 +661,26 @@ func (p LoggingProcessorWindowsEventLogV1) Processors(ctx context.Context) ([]ot
return windowsEventLogV1Processors(ctx)
}
-func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error) {
- // The winlog input in fluent-bit has a completely different structure.
- // We need to convert the OTel format into the fluent-bit format.
-
- // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System.Task` and non-parsed `Event.RenderingInfo.Message`.
+func parseLogRecordOriginal(deleteOriginalField bool) otel.Component {
+ // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System` fiels and non-parsed `Event.RenderingInfo.Message`.
logRecordOriginal := ottl.LValue{"attributes", "log.record.original"}
bodyParsedXML := ottl.LValue{"body", "parsed_xml"}
- processors := []otel.Component{
- otel.Transform(
- "log", "log",
- ottl.NewStatements(
- bodyParsedXML.SetIf(ottl.ParseSimplifiedXML(logRecordOriginal), logRecordOriginal.IsPresent()),
- logRecordOriginal.Delete(),
- ),
- ),
+ statements := []ottl.Statements{
+ bodyParsedXML.SetIf(ottl.ParseSimplifiedXML(logRecordOriginal), logRecordOriginal.IsPresent()),
+ }
+ if deleteOriginalField {
+ statements = append(statements, logRecordOriginal.Delete())
}
+ return otel.Transform(
+ "log", "log",
+ ottl.NewStatements(statements...),
+ )
+}
+
+func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error) {
+ // The winlog input in fluent-bit has a completely different structure.
+ // We need to convert the OTel format into the fluent-bit format.
+ processors := []otel.Component{parseLogRecordOriginal(true)}
var empty string
modifyFields := &LoggingProcessorModifyFields{
@@ -776,19 +776,8 @@ func (p LoggingProcessorWindowsEventLogV2) Processors(ctx context.Context) ([]ot
func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error) {
// The winevtlog input in fluent-bit has a completely different structure.
// We need to convert the OTel format into the fluent-bit format.
+ processors := []otel.Component{parseLogRecordOriginal(true)}
- // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System.Task` and non-parsed `Event.RenderingInfo.Message`.
- logRecordOriginal := ottl.LValue{"attributes", "log.record.original"}
- bodyParsedXML := ottl.LValue{"body", "parsed_xml"}
- processors := []otel.Component{
- otel.Transform(
- "log", "log",
- ottl.NewStatements(
- bodyParsedXML.SetIf(ottl.ParseSimplifiedXML(logRecordOriginal), logRecordOriginal.IsPresent()),
- logRecordOriginal.Delete(),
- ),
- ),
- }
var empty string
modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
@@ -809,7 +798,7 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
Type: "integer",
MapValuesExclusive: true,
},
- "jsonPayload.Message": {CopyFrom: "jsonPayload.message"},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
"jsonPayload.Opcode": {CopyFrom: "jsonPayload.opcode", Type: "integer"},
"jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer"},
"jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid"},
@@ -873,10 +862,12 @@ func windowsEventLogRawXMLProcessors(ctx context.Context) ([]otel.Component, err
// the fields "Message", "System" (raw_xml) and "StringInserts". We replicate that structure in otel
// by setting `include_log_record_original: true` which sets `labels."log.record.original"` with the
// event original XML.
- p := &LoggingProcessorModifyFields{
+ processors := []otel.Component{parseLogRecordOriginal(false)}
+
+ modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
- "jsonPayload.Message": {CopyFrom: "jsonPayload.message"},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
`jsonPayload.raw_xml`: {MoveFrom: `labels."log.record.original"`},
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data",
@@ -893,7 +884,12 @@ func windowsEventLogRawXMLProcessors(ctx context.Context) ([]otel.Component, err
},
},
}
- return p.Processors(ctx)
+ p, err := modifyFields.Processors(ctx)
+ if err != nil {
+ return nil, err
+ }
+ processors = append(processors, p...)
+ return processors, nil
}
func noFluentBitImplementation(ctx context.Context, tag, uid string) []fluentbit.Component {
@@ -903,6 +899,7 @@ func noFluentBitImplementation(ctx context.Context, tag, uid string) []fluentbit
Fields: map[string]*ModifyField{
"jsonPayload.channel": {OmitIf: `jsonPayload.channel =~ ".*"`},
"jsonPayload.computer": {OmitIf: `jsonPayload.computer =~ ".*"`},
+ "jsonPayload.correlation": {OmitIf: `jsonPayload.correlation != nil`},
"jsonPayload.details": {OmitIf: `jsonPayload.details != nil`},
"jsonPayload.event_data": {OmitIf: `jsonPayload.event_data != nil`},
"jsonPayload.event_id": {OmitIf: `jsonPayload.event_id != nil`},
@@ -916,6 +913,7 @@ func noFluentBitImplementation(ctx context.Context, tag, uid string) []fluentbit
"jsonPayload.security": {OmitIf: `jsonPayload.security != nil`},
"jsonPayload.system_time": {OmitIf: `jsonPayload.system_time =~ ".*"`},
"jsonPayload.task": {OmitIf: `jsonPayload.task =~ ".*"`},
+ "jsonPayload.version": {OmitIf: `jsonPayload.version != nil`},
`labels."log.record.original"`: {OmitIf: `labels."log.record.original" =~ ".*"`},
},
}.Components(ctx, tag, uid)
From 0957e4b9ebf8f090c832277c2a3f425029e842af Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Mon, 23 Feb 2026 21:49:20 +0000
Subject: [PATCH 03/14] Update goldens.
---
.../golden/windows-2012/otel.yaml | 329 +++++++++++-------
.../golden/windows/otel.yaml | 329 +++++++++++-------
.../golden/windows-2012/otel.yaml | 72 ++--
.../golden/windows/otel.yaml | 72 ++--
4 files changed, 490 insertions(+), 312 deletions(-)
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
index fc149e1798..3426c68e97 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
@@ -1045,63 +1045,79 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_6"])
- delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- set(cache["mapped_value"], "2") where cache["value"] == "Error"
@@ -1110,134 +1126,128 @@ processors:
- set(cache["mapped_value"], Int(cache["mapped_value"]))
- set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_6"])
+ - set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_7"])
+ - set(cache["value"], cache["__field_8"])
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_6"])
- delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- set(cache["mapped_value"], "2") where cache["value"] == "Error"
@@ -1246,48 +1256,84 @@ processors:
- set(cache["mapped_value"], Int(cache["mapped_value"]))
- set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_6"])
+ - set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_7"])
+ - set(cache["value"], cache["__field_8"])
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1317,63 +1363,79 @@ processors:
- set(cache["value"], "winlog2") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_6"])
- delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- set(cache["mapped_value"], "2") where cache["value"] == "Error"
@@ -1382,48 +1444,55 @@ processors:
- set(cache["mapped_value"], Int(cache["mapped_value"]))
- set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_6"])
+ - set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_7"])
+ - set(cache["value"], cache["__field_8"])
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1515,18 +1584,21 @@ receivers:
windowseventlog/winlog2:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_1:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_2:
channel: Microsoft-Windows-User Control Panel/Operational
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1605,6 +1677,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1615,6 +1688,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1625,6 +1699,7 @@ service:
processors:
- transform/winlog2_2_0
- transform/winlog2_2_1
+ - transform/winlog2_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
index fc149e1798..3426c68e97 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
@@ -1045,63 +1045,79 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_6"])
- delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- set(cache["mapped_value"], "2") where cache["value"] == "Error"
@@ -1110,134 +1126,128 @@ processors:
- set(cache["mapped_value"], Int(cache["mapped_value"]))
- set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_6"])
+ - set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_7"])
+ - set(cache["value"], cache["__field_8"])
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_6"])
- delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- set(cache["mapped_value"], "2") where cache["value"] == "Error"
@@ -1246,48 +1256,84 @@ processors:
- set(cache["mapped_value"], Int(cache["mapped_value"]))
- set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_6"])
+ - set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_7"])
+ - set(cache["value"], cache["__field_8"])
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1317,63 +1363,79 @@ processors:
- set(cache["value"], "winlog2") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ - delete_key(attributes, "log.record.original") where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["channel"]) where (body != nil and body["channel"] != nil)
+ - set(cache["__field_0"], body["correlation"]["activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["activity_id"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], body["computer"]) where (body != nil and body["computer"] != nil)
+ - set(cache["__field_1"], body["channel"]) where (body != nil and body["channel"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
+ - set(cache["__field_2"], body["computer"]) where (body != nil and body["computer"] != nil)
- delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], body["record_id"]) where (body != nil and body["record_id"] != nil)
+ - set(cache["__field_3"], body["event_id"]["id"]) where (body != nil and body["event_id"] != nil and body["event_id"]["id"] != nil)
- delete_key(cache, "__field_4") where (cache != nil and cache["__field_4"] != nil)
- - set(cache["__field_4"], body["keywords"]) where (body != nil and body["keywords"] != nil)
+ - set(cache["__field_4"], body["record_id"]) where (body != nil and body["record_id"] != nil)
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- - set(cache["__field_5"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- - set(cache["__field_7"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
+ - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- - set(cache["__field_9"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
+ - set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
- - set(cache["__field_10"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
+ - set(cache["__field_10"], body["provider"]["guid"]) where (body != nil and body["provider"] != nil and body["provider"]["guid"] != nil)
- delete_key(cache, "__field_11") where (cache != nil and cache["__field_11"] != nil)
- - set(cache["__field_11"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
+ - set(cache["__field_11"], body["provider"]["name"]) where (body != nil and body["provider"] != nil and body["provider"]["name"] != nil)
- delete_key(cache, "__field_12") where (cache != nil and cache["__field_12"] != nil)
- - set(cache["__field_12"], body["event_data"]) where (body != nil and body["event_data"] != nil)
+ - set(cache["__field_12"], body["event_id"]["qualifiers"]) where (body != nil and body["event_id"] != nil and body["event_id"]["qualifiers"] != nil)
- delete_key(cache, "__field_13") where (cache != nil and cache["__field_13"] != nil)
- - set(cache["__field_13"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_13"], body["correlation"]["related_activity_id"]) where (body != nil and body["correlation"] != nil and body["correlation"]["related_activity_id"] != nil)
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- - set(cache["__field_14"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- - set(cache["__field_16"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
+ - delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
+ - set(cache["__field_17"], body["system_time"]) where (body != nil and body["system_time"] != nil)
+ - delete_key(cache, "__field_18") where (cache != nil and cache["__field_18"] != nil)
+ - set(cache["__field_18"], body["security"]["user_id"]) where (body != nil and body["security"] != nil and body["security"]["user_id"] != nil)
+ - delete_key(cache, "__field_19") where (cache != nil and cache["__field_19"] != nil)
+ - set(cache["__field_19"], body["version"]) where (body != nil and body["version"] != nil)
- set(cache["body"], body)
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
- - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
- - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
- - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
- - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
+ - set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_6"])
- delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- set(cache["mapped_value"], "2") where cache["value"] == "Error"
@@ -1382,48 +1444,55 @@ processors:
- set(cache["mapped_value"], Int(cache["mapped_value"]))
- set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_6"])
+ - set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_7"])
+ - set(cache["value"], cache["__field_8"])
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_8"])
+ - set(cache["value"], cache["__field_9"])
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_9"])
+ - set(cache["value"], cache["__field_10"])
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_10"])
+ - set(cache["value"], cache["__field_11"])
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_11"])
+ - set(cache["value"], cache["__field_12"])
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_12"])
+ - set(cache["value"], cache["__field_13"])
+ - set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_14"])
- set(cache["__event_data"], ToValues(cache["value"]["data"])) where (cache["value"] != nil and cache["value"]["data"] != nil)
- append(cache["__event_data"], cache["value"]["binary"]) where ((cache != nil and cache["__event_data"] != nil) and (cache["value"] != nil and cache["value"]["binary"] != nil))
- set(cache["value"], cache["__event_data"]) where (cache != nil and cache["__event_data"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_13"])
+ - set(cache["value"], cache["__field_15"])
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_14"])
+ - set(cache["value"], cache["__field_16"])
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_15"])
+ - set(cache["value"], cache["__field_17"])
- set(cache["value"], FormatTime(Time(cache["value"], "%Y-%m-%dT%T.%sZ"), "%Y-%m-%d %T.%s +0000"))
- set(body["TimeCreated"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_16"])
+ - set(cache["value"], cache["__field_18"])
- set(cache["value"], "") where cache["value"] == nil
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_2_1:
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_19"])
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1515,18 +1584,21 @@ receivers:
windowseventlog/winlog2:
channel: Application
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_1:
channel: System
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
windowseventlog/winlog2_2:
channel: Microsoft-Windows-User Control Panel/Operational
ignore_channel_errors: true
+ include_log_record_original: true
poll_interval: 1s
start_at: beginning
storage: file_storage
@@ -1605,6 +1677,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1615,6 +1688,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1625,6 +1699,7 @@ service:
processors:
- transform/winlog2_2_0
- transform/winlog2_2_1
+ - transform/winlog2_2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
index 716157d861..34eb6a55ce 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
@@ -1045,12 +1045,18 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1070,42 +1076,19 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1125,7 +1108,36 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1303,6 +1315,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1313,6 +1326,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
index 716157d861..34eb6a55ce 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
@@ -1045,12 +1045,18 @@ processors:
- set(cache["value"], "windows_event_log") where cache["value"] == nil
- set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_0:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1070,42 +1076,19 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1:
+ transform/winlog2_1_0:
error_mode: ignore
log_statements:
- context: log
statements:
- - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
- - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
- - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
- - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
- - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
- - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_0"])
- - set(cache["value"], "test-mig") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_1"])
- - set(cache["value"], "test-zone") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_2"])
- - set(cache["value"], "") where cache["value"] == nil
- - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- - set(cache["value"], cache["__field_3"])
- - set(cache["value"], "winlog2") where cache["value"] == nil
- - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_0:
+ - set(body["parsed_xml"], ParseSimplifiedXML(attributes["log.record.original"])) where (attributes != nil and attributes["log.record.original"] != nil)
+ transform/winlog2_1_1:
error_mode: ignore
log_statements:
- context: log
statements:
- delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
- - set(cache["__field_0"], body["message"]) where (body != nil and body["message"] != nil)
+ - set(cache["__field_0"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
- set(cache["__field_1"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
@@ -1125,7 +1108,36 @@ processors:
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
- set(body["raw_xml"], cache["value"]) where (cache != nil and cache["value"] != nil)
- transform/winlog2_1_1:
+ transform/winlog2_1_2:
+ error_mode: ignore
+ log_statements:
+ - context: log
+ statements:
+ - delete_key(cache, "__field_0") where (cache != nil and cache["__field_0"] != nil)
+ - set(cache["__field_0"], attributes["compute.googleapis.com/instance_group_manager/name"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/name"] != nil)
+ - delete_key(cache, "__field_1") where (cache != nil and cache["__field_1"] != nil)
+ - set(cache["__field_1"], attributes["compute.googleapis.com/instance_group_manager/zone"]) where (attributes != nil and attributes["compute.googleapis.com/instance_group_manager/zone"] != nil)
+ - delete_key(cache, "__field_2") where (cache != nil and cache["__field_2"] != nil)
+ - set(cache["__field_2"], attributes["compute.googleapis.com/resource_name"]) where (attributes != nil and attributes["compute.googleapis.com/resource_name"] != nil)
+ - delete_key(cache, "__field_3") where (cache != nil and cache["__field_3"] != nil)
+ - set(cache["__field_3"], attributes["gcp.log_name"]) where (attributes != nil and attributes["gcp.log_name"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "test-mig") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "test-zone") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/instance_group_manager/zone"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
+ - set(attributes["compute.googleapis.com/resource_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ - delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
+ - set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "winlog2") where cache["value"] == nil
+ - set(attributes["gcp.log_name"], cache["value"]) where (cache != nil and cache["value"] != nil)
+ transform/winlog2_2:
error_mode: ignore
log_statements:
- context: log
@@ -1303,6 +1315,7 @@ service:
processors:
- transform/winlog2_0
- transform/winlog2_1
+ - transform/winlog2_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
@@ -1313,6 +1326,7 @@ service:
processors:
- transform/winlog2_1_0
- transform/winlog2_1_1
+ - transform/winlog2_1_2
- resourcedetection/_global_0
- batch/googlecloud/logging_logs_0
receivers:
From 443b7107d409f67fab886b41864e9060cd68b685 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Mon, 23 Feb 2026 21:49:30 +0000
Subject: [PATCH 04/14] Update goldens.
---
.../input.log | 6 +-
.../output_fluentbit.yaml | 12 +
.../output_otel.yaml | 179 ++++++++++++++-
.../input.log | 7 +-
.../output_fluentbit.yaml | 6 +
.../output_otel.yaml | 194 ++++++++++------
.../input.log | 7 +-
.../output_fluentbit.yaml | 6 +
.../output_otel.yaml | 216 ++++++++++++------
9 files changed, 475 insertions(+), 158 deletions(-)
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
index 08786d6562..6520beb3c7 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
@@ -1,2 +1,4 @@
-{"log.record.original": "179622000x80000000000000002133Systemtest-computer-21470204711024The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931ErrorInfoSystemMicrosoft-Windows-TPM-WMI", "channel":"System","computer":"test-computer","event_data":{"data":[{"HResult":"-2147020471"},{"UpdateType":"1024"}]},"event_id":{"id":1796,"qualifiers":0},"execution":{"process_id":6456,"thread_id":6424},"keywords":["0x8000000000000000"],"level":"Error","message":"The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931","opcode":"Info","provider":{"event_source":"","guid":"{11111111}","name":"Microsoft-Windows-TPM-WMI"},"record_id":2133,"security":{"user_id":"S-1-5-18"},"system_time":"2025-12-02T22:49:40.4939915Z","task":"0"}
-{"log.record.original": "703604000x80800000000000002373Systemtest-computerNetwork Setup Servicestopped12345The Network Setup Service service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","event_data":{"binary":"12345","data":[{"param1":"Network Setup Service"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":16384},"execution":{"process_id":780,"thread_id":7916},"keywords":["Classic"],"level":"Information","message":"The Network Setup Service service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111}","name":"Service Control Manager"},"record_id":2373,"system_time":"2025-12-03T01:49:43.5958197Z","task":"0"}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
+{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml
index 00e83bf206..c7aa052566 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_fluentbit.yaml
@@ -1,4 +1,16 @@
- entries:
+ - jsonPayload:
+ message: This processor is only used for testing otel.
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/transformation_test
+ timestamp: now
+ - jsonPayload:
+ message: This processor is only used for testing otel.
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/transformation_test
+ timestamp: now
- jsonPayload:
message: This processor is only used for testing otel.
labels:
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
index 8b50f91656..a5d5bf05a2 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
@@ -1,10 +1,76 @@
- entries:
- jsonPayload:
- Message: The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
StringInserts:
- - "-2147020471"
- - "1024"
- raw_xml: 179622000x80000000000000002133Systemtest-computer-21470204711024The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931ErrorInfoSystemMicrosoft-Windows-TPM-WMI
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ raw_xml: |-
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -15,12 +81,109 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Message: The Network Setup Service service entered the stopped state.
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
StringInserts:
- - Network Setup Service
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ raw_xml: |-
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/my-log-name
+ resource:
+ labels:
+ instance_id: test-instance-id
+ zone: test-zone
+ type: gce_instance
+ timestamp: now
+ - jsonPayload:
+ Message: The Software Protection service entered the stopped state.
+ StringInserts:
+ - Software Protection
- stopped
- - "12345"
- raw_xml: 703604000x80800000000000002373Systemtest-computerNetwork Setup Servicestopped12345The Network Setup Service service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic
+ - 7300700070007300760063002F0031000000
+ raw_xml: 703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/my-log-name
+ resource:
+ labels:
+ instance_id: test-instance-id
+ zone: test-zone
+ type: gce_instance
+ timestamp: now
+ - jsonPayload:
+ Message: The Software Protection service entered the running state.
+ StringInserts:
+ - Software Protection
+ - running
+ - 7300700070007300760063002F0034000000
+ raw_xml: 703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
index 8b32274e92..6520beb3c7 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
@@ -1,3 +1,4 @@
-{"log.record.original":"765404000x80800000000000002257Systemtest-computerClient License Service (ClipSVC)running43006C00690070005300560043002F0034000000The Client License Service (ClipSVC) service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","event_data":{"binary":"43006C00690070005300560043002F0034000000","data":[{"param1":"Client License Service (ClipSVC)"},{"param2":"running"}]},"event_id":{"id":7654,"qualifiers":12345},"execution":{"process_id":780,"thread_id":7548},"keywords":["Classic"],"level":"Information","message":"The Client License Service (ClipSVC) service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2257,"system_time":"2025-12-02T23:43:11.8975092Z","task":"0"}
-{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Success"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
-{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Failure"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
+{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
index 59ba64238b..c7aa052566 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_fluentbit.yaml
@@ -17,6 +17,12 @@
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/transformation_test
timestamp: now
+ - jsonPayload:
+ message: This processor is only used for testing otel.
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/transformation_test
+ timestamp: now
partialSuccess: true
resource:
labels: {}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
index 5205f2e7dd..2a0887f766 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/output_otel.yaml
@@ -1,21 +1,56 @@
- entries:
- jsonPayload:
- Channel: System
+ Channel: Security
ComputerName: test-computer
- Data: 43006c00690070005300560043002f0034000000
- EventCategory: 0
- EventID: 7654
- EventType: Information
- Message: The Client License Service (ClipSVC) service entered the running state.
- Qualifiers: 12345
- RecordNumber: 2257
+ Data: ""
+ EventCategory: 56789
+ EventID: 4567
+ EventType: SuccessAudit
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ Qualifiers: 0
+ RecordNumber: 34567
Sid: ""
- SourceName: Service Control Manager
+ SourceName: Microsoft-Windows-Security-Auditing
StringInserts:
- - Client License Service (ClipSVC)
- - running
- TimeGenerated: 2025-12-02 23:43:11.8975092 +0000
- TimeWritten: 2025-12-02 23:43:11.8975092 +0000
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ TimeGenerated: 2026-01-16 18:45:59.5782153 +0000
+ TimeWritten: 2026-01-16 18:45:59.5782153 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -29,38 +64,54 @@
Channel: Security
ComputerName: test-computer
Data: ""
- EventCategory: 13824
- EventID: 9876
- EventType: SuccessAudit
+ EventCategory: 56789
+ EventID: 4567
+ EventType: FailureAudit
Message: |-
- Credential Manager credentials were read.
+ Special privileges assigned to new logon.
Subject:
- Security ID: S-0-0-0
- Account Name: TEST-COMPUTER$
- Account Domain: WORKGROUP
- Logon ID: 0x3E5
- Read Operation: Enumerate Credentials
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
- This event occurs when a user performs a read operation on stored credentials in Credential Manager.
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
Qualifiers: 0
- RecordNumber: 24007
+ RecordNumber: 34567
Sid: ""
SourceName: Microsoft-Windows-Security-Auditing
StringInserts:
- S-0-0-00
- - TEST-COMPUTER$
- - WORKGROUP
- - "0x3e5"
- - WindowsLive:target=virtualapp/didlogical
- - "0"
- - "1"
- - "%%8100"
- - "0"
- - 2025-12-23T20:55:56.6615132Z
- - "1234"
- TimeGenerated: 2025-12-23 20:55:56.6898286 +0000
- TimeWritten: 2025-12-23 20:55:56.6898286 +0000
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ TimeGenerated: 2026-01-16 18:45:59.5782153 +0000
+ TimeWritten: 2026-01-16 18:45:59.5782153 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -71,41 +122,48 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Channel: Security
+ Channel: System
ComputerName: test-computer
- Data: ""
- EventCategory: 13824
- EventID: 9876
- EventType: FailureAudit
- Message: |-
- Credential Manager credentials were read.
-
- Subject:
- Security ID: S-0-0-0
- Account Name: TEST-COMPUTER$
- Account Domain: WORKGROUP
- Logon ID: 0x3E5
- Read Operation: Enumerate Credentials
-
- This event occurs when a user performs a read operation on stored credentials in Credential Manager.
- Qualifiers: 0
- RecordNumber: 24007
+ Data: 7300700070007300760063002f0031000000
+ EventCategory: 0
+ EventID: 7036
+ EventType: Information
+ Message: The Software Protection service entered the stopped state.
+ Qualifiers: 12345
+ RecordNumber: 11223
Sid: ""
- SourceName: Microsoft-Windows-Security-Auditing
+ SourceName: Service Control Manager
StringInserts:
- - S-0-0-00
- - TEST-COMPUTER$
- - WORKGROUP
- - "0x3e5"
- - WindowsLive:target=virtualapp/didlogical
- - "0"
- - "1"
- - "%%8100"
- - "0"
- - 2025-12-23T20:55:56.6615132Z
- - "1234"
- TimeGenerated: 2025-12-23 20:55:56.6898286 +0000
- TimeWritten: 2025-12-23 20:55:56.6898286 +0000
+ - Software Protection
+ - stopped
+ TimeGenerated: 2025-12-14 05:26:29.0709018 +0000
+ TimeWritten: 2025-12-14 05:26:29.0709018 +0000
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/my-log-name
+ resource:
+ labels:
+ instance_id: test-instance-id
+ zone: test-zone
+ type: gce_instance
+ timestamp: now
+ - jsonPayload:
+ Channel: System
+ ComputerName: test-computer
+ Data: 7300700070007300760063002f0034000000
+ EventCategory: 0
+ EventID: 7036
+ EventType: Information
+ Message: The Software Protection service entered the running state.
+ Qualifiers: 12345
+ RecordNumber: 22334
+ Sid: ""
+ SourceName: Service Control Manager
+ StringInserts:
+ - Software Protection
+ - running
+ TimeGenerated: 2025-12-14 05:25:55.5387001 +0000
+ TimeWritten: 2025-12-14 05:25:55.5387001 +0000
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
index 8b32274e92..6520beb3c7 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
@@ -1,3 +1,4 @@
-{"log.record.original":"765404000x80800000000000002257Systemtest-computerClient License Service (ClipSVC)running43006C00690070005300560043002F0034000000The Client License Service (ClipSVC) service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","event_data":{"binary":"43006C00690070005300560043002F0034000000","data":[{"param1":"Client License Service (ClipSVC)"},{"param2":"running"}]},"event_id":{"id":7654,"qualifiers":12345},"execution":{"process_id":780,"thread_id":7548},"keywords":["Classic"],"level":"Information","message":"The Client License Service (ClipSVC) service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","name":"Service Control Manager"},"record_id":2257,"system_time":"2025-12-02T23:43:11.8975092Z","task":"0"}
-{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Success"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
-{"log.record.original":"9876001382400x802000000000000024007Securitytest-computerS-0-0-00TEST-COMPUTER$WORKGROUP0x3e5WindowsLive:target=virtualapp/didlogical01%%810002025-12-23T20:55:56.6615132Z1234Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-0\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.InformationUser Account ManagementInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","details":{"Additional Context":["This event occurs when a user performs a read operation on stored credentials in Credential Manager."],"Subject":{"Account Domain":"WORKGROUP","Account Name":"TEST-COMPUTER$","Logon ID":"0x3E5","Read Operation":"Enumerate Credentials","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"TEST-COMPUTER$"},{"SubjectDomainName":"WORKGROUP"},{"SubjectLogonId":"0x3e5"},{"TargetName":"WindowsLive:target=virtualapp/didlogical"},{"Type":"0"},{"CountOfCredentialsReturned":"1"},{"ReadOperation":"%%8100"},{"ReturnCode":"0"},{"ProcessCreationTime":"2025-12-23T20:55:56.6615132Z"},{"ClientProcessId":"1234"}]},"event_id":{"id":9876,"qualifiers":0},"execution":{"process_id":812,"thread_id":2820},"keywords":["Audit Failure"],"level":"Information","message":"Credential Manager credentials were read.\n\nSubject:\n Security ID: S-0-0-00\n Account Name: TEST-COMPUTER$\n Account Domain: WORKGROUP\n Logon ID: 0x3E5\n Read Operation: Enumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","opcode":"Info","provider":{"event_source":"","guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","name":"Microsoft-Windows-Security-Auditing"},"record_id":24007,"system_time":"2025-12-23T20:55:56.6898286Z","task":"User Account Management"}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
+{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
index 59ba64238b..c7aa052566 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_fluentbit.yaml
@@ -17,6 +17,12 @@
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/transformation_test
timestamp: now
+ - jsonPayload:
+ message: This processor is only used for testing otel.
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/transformation_test
+ timestamp: now
partialSuccess: true
resource:
labels: {}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
index 70b3002de9..6a414eb5e9 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
@@ -1,25 +1,61 @@
- entries:
- jsonPayload:
- Channel: System
+ ActivityID: "{8a149361-b6dd-0002-4547-593fcd85dc01}"
+ Channel: Security
Computer: test-computer
- EventID: 7654
- EventRecordID: 2257
- Keywords: "0x8080000000000000"
+ EventID: 4567
+ EventRecordID: 34567
+ Keywords: "0x8020000000000000"
Level: 4
- Message: The Client License Service (ClipSVC) service entered the running state.
- Opcode: 0
- ProcessID: 780
- ProviderGuid: "{555908d1-a6d7-4695-8e1e-26931d2012f4}"
- ProviderName: Service Control Manager
- Qualifiers: 12345
+ Message: |-
+ Special privileges assigned to new logon.
+
+ Subject:
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
+
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ Opcode: Info
+ ProcessID: 820
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
+ ProviderName: Microsoft-Windows-Security-Auditing
+ Qualifiers: 0
StringInserts:
- - Client License Service (ClipSVC)
- - running
- - 43006C00690070005300560043002F0034000000
- Task: 0
- ThreadId: 7548
- TimeCreated: 2025-12-02 23:43:11.8975092 +0000
+ - S-0-0-00
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ Task: Special Logon
+ ThreadId: 6080
+ TimeCreated: 2026-01-16 18:45:59.5782153 +0000
UserId: ""
+ Version: 0
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -30,44 +66,62 @@
type: gce_instance
timestamp: now
- jsonPayload:
+ ActivityID: "{8a149361-b6dd-0002-4547-593fcd85dc01}"
Channel: Security
Computer: test-computer
- EventID: 9876
- EventRecordID: 24007
+ EventID: 4567
+ EventRecordID: 34567
Keywords: "0x8020000000000000"
Level: 4
Message: |-
- Credential Manager credentials were read.
+ Special privileges assigned to new logon.
Subject:
- Security ID: S-0-0-00
- Account Name: TEST-COMPUTER$
- Account Domain: WORKGROUP
- Logon ID: 0x3E5
- Read Operation: Enumerate Credentials
+ Security ID: S-0-0-00
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x000
- This event occurs when a user performs a read operation on stored credentials in Credential Manager.
+ Privileges: SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
Opcode: Info
- ProcessID: 812
- ProviderGuid: "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ ProcessID: 820
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
ProviderName: Microsoft-Windows-Security-Auditing
Qualifiers: 0
StringInserts:
- S-0-0-00
- - TEST-COMPUTER$
- - WORKGROUP
- - "0x3e5"
- - WindowsLive:target=virtualapp/didlogical
- - "0"
- - "1"
- - "%%8100"
- - "0"
- - 2025-12-23T20:55:56.6615132Z
- - "1234"
- Task: User Account Management
- ThreadId: 2820
- TimeCreated: 2025-12-23 20:55:56.6898286 +0000
+ - SYSTEM
+ - NT AUTHORITY
+ - "0x000"
+ - |-
+ SeAssignPrimaryTokenPrivilege
+ SeTcbPrivilege
+ SeSecurityPrivilege
+ SeTakeOwnershipPrivilege
+ SeLoadDriverPrivilege
+ SeBackupPrivilege
+ SeRestorePrivilege
+ SeDebugPrivilege
+ SeAuditPrivilege
+ SeSystemEnvironmentPrivilege
+ SeImpersonatePrivilege
+ SeDelegateSessionUserImpersonatePrivilege
+ Task: Special Logon
+ ThreadId: 6080
+ TimeCreated: 2026-01-16 18:45:59.5782153 +0000
UserId: ""
+ Version: 0
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
@@ -78,44 +132,58 @@
type: gce_instance
timestamp: now
- jsonPayload:
- Channel: Security
+ Channel: System
Computer: test-computer
- EventID: 9876
- EventRecordID: 24007
- Keywords: "0x8020000000000000"
+ EventID: 7036
+ EventRecordID: 11223
+ Keywords: "0x8080000000000000"
Level: 4
- Message: |-
- Credential Manager credentials were read.
-
- Subject:
- Security ID: S-0-0-00
- Account Name: TEST-COMPUTER$
- Account Domain: WORKGROUP
- Logon ID: 0x3E5
- Read Operation: Enumerate Credentials
-
- This event occurs when a user performs a read operation on stored credentials in Credential Manager.
- Opcode: Info
- ProcessID: 812
- ProviderGuid: "{54849625-5478-4994-a5ba-3e3b0328c30d}"
- ProviderName: Microsoft-Windows-Security-Auditing
- Qualifiers: 0
+ Message: The Software Protection service entered the stopped state.
+ Opcode: 0
+ ProcessID: 789
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
+ ProviderName: Service Control Manager
+ Qualifiers: 12345
StringInserts:
- - S-0-0-00
- - TEST-COMPUTER$
- - WORKGROUP
- - "0x3e5"
- - WindowsLive:target=virtualapp/didlogical
- - "0"
- - "1"
- - "%%8100"
- - "0"
- - 2025-12-23T20:55:56.6615132Z
- - "1234"
- Task: User Account Management
- ThreadId: 2820
- TimeCreated: 2025-12-23 20:55:56.6898286 +0000
+ - Software Protection
+ - stopped
+ - 7300700070007300760063002F0031000000
+ Task: 0
+ ThreadId: 5678
+ TimeCreated: 2025-12-14 05:26:29.0709018 +0000
+ UserId: ""
+ Version: 0
+ labels:
+ compute.googleapis.com/resource_name: hostname
+ logName: projects/my-project/logs/my-log-name
+ resource:
+ labels:
+ instance_id: test-instance-id
+ zone: test-zone
+ type: gce_instance
+ timestamp: now
+ - jsonPayload:
+ Channel: System
+ Computer: test-computer
+ EventID: 7036
+ EventRecordID: 22334
+ Keywords: "0x8080000000000000"
+ Level: 4
+ Message: The Software Protection service entered the running state.
+ Opcode: 0
+ ProcessID: 789
+ ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
+ ProviderName: Service Control Manager
+ Qualifiers: 12345
+ StringInserts:
+ - Software Protection
+ - running
+ - 7300700070007300760063002F0034000000
+ Task: 0
+ ThreadId: 9876
+ TimeCreated: 2025-12-14 05:25:55.5387001 +0000
UserId: ""
+ Version: 0
labels:
compute.googleapis.com/resource_name: hostname
logName: projects/my-project/logs/my-log-name
From f0c86d66bc63ae7044c08ba589da813e197223a6 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Mon, 23 Feb 2026 21:51:30 +0000
Subject: [PATCH 05/14] Fix typo.
---
confgenerator/logging_receivers.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index ddf01f1b11..037dc7c963 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -662,7 +662,7 @@ func (p LoggingProcessorWindowsEventLogV1) Processors(ctx context.Context) ([]ot
}
func parseLogRecordOriginal(deleteOriginalField bool) otel.Component {
- // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System` fiels and non-parsed `Event.RenderingInfo.Message`.
+ // Parse original XML (attributes."log.record.original") to preserve non-rendered `Event.System` fields and non-parsed `Event.RenderingInfo.Message`.
logRecordOriginal := ottl.LValue{"attributes", "log.record.original"}
bodyParsedXML := ottl.LValue{"body", "parsed_xml"}
statements := []ottl.Statements{
From 0df4d606b54c9f464fff64ab5b8a4809fc4864c9 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 15:58:17 +0000
Subject: [PATCH 06/14] Non rendered Task, Level and Opcode.
---
confgenerator/logging_receivers.go | 30 ++++++++++--------------------
1 file changed, 10 insertions(+), 20 deletions(-)
diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index 037dc7c963..6b6d8fd227 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -787,23 +787,13 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
"jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id"},
"jsonPayload.EventRecordID": {CopyFrom: "jsonPayload.record_id"},
"jsonPayload.Keywords": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Keywords"},
- "jsonPayload.Level": {
- CopyFrom: "jsonPayload.level",
- MapValues: map[string]string{
- "Critical": "1",
- "Error": "2",
- "Warning": "3",
- "Information": "4",
- },
- Type: "integer",
- MapValuesExclusive: true,
- },
- "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
- "jsonPayload.Opcode": {CopyFrom: "jsonPayload.opcode", Type: "integer"},
- "jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer"},
- "jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid"},
- "jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name"},
- "jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers"},
+ "jsonPayload.Level": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Level", Type: "integer"},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
+ "jsonPayload.Opcode": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Opcode", Type: "integer"},
+ "jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer"},
+ "jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid"},
+ "jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name"},
+ "jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers"},
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data",
CustomConvertFunc: func(v ottl.LValue) ottl.Statements {
@@ -817,7 +807,7 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
)
},
},
- "jsonPayload.Task": {CopyFrom: "jsonPayload.task", Type: "integer"},
+ "jsonPayload.Task": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Task", Type: "integer"},
"jsonPayload.ThreadId": {CopyFrom: "jsonPayload.execution.thread_id", Type: "integer"},
"jsonPayload.TimeCreated": {
CopyFrom: "jsonPayload.system_time",
@@ -827,8 +817,8 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
CopyFrom: "jsonPayload.security.user_id",
DefaultValue: &empty,
},
- "jsonPayload.ActivityID": {CopyFrom: "jsonPayload.correlation.activity_id"},
- "jsonPayload.RelatedActivityID": {CopyFrom: "jsonPayload.correlation.related_activity_id"},
+ "jsonPayload.ActivityID": {CopyFrom: "jsonPayload.correlation.activity_id", DefaultValue: &empty},
+ "jsonPayload.RelatedActivityID": {CopyFrom: "jsonPayload.correlation.related_activity_id", DefaultValue: &empty},
"jsonPayload.Version": {CopyFrom: "jsonPayload.version", Type: "integer"},
}}
p, err := modifyFields.Processors(ctx)
From 694677c84c721103dd5d23164eef6d0634547db6 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 15:58:23 +0000
Subject: [PATCH 07/14] Update test.
---
.../input.log | 4 ++--
.../output_otel.yaml | 4 ++--
.../input.log | 4 ++--
.../input.log | 4 ++--
.../output_otel.yaml | 22 ++++++++++++-------
5 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
index 6520beb3c7..3c4de664f4 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/input.log
@@ -1,4 +1,4 @@
-{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
-{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
index a5d5bf05a2..b94488b577 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
@@ -40,7 +40,7 @@
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
raw_xml: |-
- 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
@@ -121,7 +121,7 @@
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
raw_xml: |-
- 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
index 6520beb3c7..3c4de664f4 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v1/input.log
@@ -1,4 +1,4 @@
-{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
-{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
index 6520beb3c7..3c4de664f4 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/input.log
@@ -1,4 +1,4 @@
-{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
-{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{8a149361-b6dd-0002-4547-593fcd85dc01}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Success","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Success"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
+{"log.record.original":"4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeSpecial privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-0-0-00\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x000\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilegeInformationSpecial LogonInfoSecurityMicrosoft Windows security auditing.Audit Failure","channel":"Security","computer":"test-computer","correlation":{"activity_id":"{000000000-0000-0000-0000-000000000000}"},"details":{"Privileges":["SeAssignPrimaryTokenPrivilege","SeTcbPrivilege","SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeLoadDriverPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeDebugPrivilege","SeAuditPrivilege","SeSystemEnvironmentPrivilege","SeImpersonatePrivilege","SeDelegateSessionUserImpersonatePrivilege"],"Subject":{"Account Domain":"NT AUTHORITY","Account Name":"SYSTEM","Logon ID":"0x000","Security ID":"S-0-0-00"}},"event_data":{"data":[{"SubjectUserSid":"S-0-0-00"},{"SubjectUserName":"SYSTEM"},{"SubjectDomainName":"NT AUTHORITY"},{"SubjectLogonId":"0x000"},{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"}]},"event_id":{"id":4567,"qualifiers":0},"execution":{"process_id":820,"thread_id":6080},"keywords":["Audit Failure"],"level":"Information","message":"Special privileges assigned to new logon.","opcode":"Info","provider":{"event_source":"","guid":"{11111111-2222-3333-4444-555555555555}","name":"Microsoft-Windows-Security-Auditing"},"record_id":34567,"system_time":"2026-01-16T18:45:59.5782153Z","task":"Special Logon","version":0}
{"log.record.original":"703604000x808000000000000011223Systemtest-computerSoftware Protectionstopped7300700070007300760063002F0031000000The Software Protection service entered the stopped state.InformationMicrosoft-Windows-Service Control ManagerClassic","channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0031000000","data":[{"param1":"Software Protection"},{"param2":"stopped"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":5678},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the stopped state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":11223,"system_time":"2025-12-14T05:26:29.0709018Z","task":"0","version":0}
{"log.record.original":"703604000x808000000000000022334Systemtest-computerSoftware Protectionrunning7300700070007300760063002F0034000000The Software Protection service entered the running state.InformationMicrosoft-Windows-Service Control ManagerClassic", "channel":"System","computer":"test-computer","correlation":{},"event_data":{"binary":"7300700070007300760063002F0034000000","data":[{"param1":"Software Protection"},{"param2":"running"}]},"event_id":{"id":7036,"qualifiers":12345},"execution":{"process_id":789,"thread_id":9876},"keywords":["Classic"],"level":"Information","message":"The Software Protection service entered the running state.","opcode":"0","provider":{"event_source":"Service Control Manager","guid":"{11111111-2222-3333-4444-555555555555}","name":"Service Control Manager"},"record_id":22334,"system_time":"2025-12-14T05:25:55.5387001Z","task":"0","version":0}
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
index 6a414eb5e9..6658035149 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_v2/output_otel.yaml
@@ -1,12 +1,12 @@
- entries:
- jsonPayload:
- ActivityID: "{8a149361-b6dd-0002-4547-593fcd85dc01}"
+ ActivityID: "{000000000-0000-0000-0000-000000000000}"
Channel: Security
Computer: test-computer
EventID: 4567
EventRecordID: 34567
Keywords: "0x8020000000000000"
- Level: 4
+ Level: 0
Message: |-
Special privileges assigned to new logon.
@@ -28,11 +28,12 @@
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
- Opcode: Info
+ Opcode: 0
ProcessID: 820
ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
ProviderName: Microsoft-Windows-Security-Auditing
Qualifiers: 0
+ RelatedActivityID: ""
StringInserts:
- S-0-0-00
- SYSTEM
@@ -51,7 +52,7 @@
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
- Task: Special Logon
+ Task: 56789
ThreadId: 6080
TimeCreated: 2026-01-16 18:45:59.5782153 +0000
UserId: ""
@@ -66,13 +67,13 @@
type: gce_instance
timestamp: now
- jsonPayload:
- ActivityID: "{8a149361-b6dd-0002-4547-593fcd85dc01}"
+ ActivityID: "{000000000-0000-0000-0000-000000000000}"
Channel: Security
Computer: test-computer
EventID: 4567
EventRecordID: 34567
Keywords: "0x8020000000000000"
- Level: 4
+ Level: 0
Message: |-
Special privileges assigned to new logon.
@@ -94,11 +95,12 @@
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
- Opcode: Info
+ Opcode: 0
ProcessID: 820
ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
ProviderName: Microsoft-Windows-Security-Auditing
Qualifiers: 0
+ RelatedActivityID: ""
StringInserts:
- S-0-0-00
- SYSTEM
@@ -117,7 +119,7 @@
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
- Task: Special Logon
+ Task: 56789
ThreadId: 6080
TimeCreated: 2026-01-16 18:45:59.5782153 +0000
UserId: ""
@@ -132,6 +134,7 @@
type: gce_instance
timestamp: now
- jsonPayload:
+ ActivityID: ""
Channel: System
Computer: test-computer
EventID: 7036
@@ -144,6 +147,7 @@
ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
ProviderName: Service Control Manager
Qualifiers: 12345
+ RelatedActivityID: ""
StringInserts:
- Software Protection
- stopped
@@ -163,6 +167,7 @@
type: gce_instance
timestamp: now
- jsonPayload:
+ ActivityID: ""
Channel: System
Computer: test-computer
EventID: 7036
@@ -175,6 +180,7 @@
ProviderGuid: "{11111111-2222-3333-4444-555555555555}"
ProviderName: Service Control Manager
Qualifiers: 12345
+ RelatedActivityID: ""
StringInserts:
- Software Protection
- running
From a9b6c6a714dea2bb04745c23ed4a88698fc14a16 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 16:00:48 +0000
Subject: [PATCH 08/14] Update goldens.
---
.../golden/windows-2012/otel.yaml | 51 ++++++++-----------
.../golden/windows/otel.yaml | 51 ++++++++-----------
2 files changed, 42 insertions(+), 60 deletions(-)
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
index 3426c68e97..e4057a5936 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
@@ -1069,11 +1069,11 @@ processors:
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
@@ -1087,7 +1087,7 @@ processors:
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
- delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
@@ -1100,6 +1100,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1118,13 +1119,8 @@ processors:
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
@@ -1147,6 +1143,7 @@ processors:
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_14"])
@@ -1199,11 +1196,11 @@ processors:
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
@@ -1217,7 +1214,7 @@ processors:
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
- delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
@@ -1230,6 +1227,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1248,13 +1246,8 @@ processors:
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
@@ -1277,6 +1270,7 @@ processors:
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_14"])
@@ -1387,11 +1381,11 @@ processors:
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
@@ -1405,7 +1399,7 @@ processors:
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
- delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
@@ -1418,6 +1412,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1436,13 +1431,8 @@ processors:
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
@@ -1465,6 +1455,7 @@ processors:
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_14"])
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
index 3426c68e97..e4057a5936 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
@@ -1069,11 +1069,11 @@ processors:
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
@@ -1087,7 +1087,7 @@ processors:
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
- delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
@@ -1100,6 +1100,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1118,13 +1119,8 @@ processors:
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
@@ -1147,6 +1143,7 @@ processors:
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_14"])
@@ -1199,11 +1196,11 @@ processors:
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
@@ -1217,7 +1214,7 @@ processors:
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
- delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
@@ -1230,6 +1227,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1248,13 +1246,8 @@ processors:
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
@@ -1277,6 +1270,7 @@ processors:
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_14"])
@@ -1387,11 +1381,11 @@ processors:
- delete_key(cache, "__field_5") where (cache != nil and cache["__field_5"] != nil)
- set(cache["__field_5"], body["parsed_xml"]["Event"]["System"]["Keywords"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Keywords"] != nil)
- delete_key(cache, "__field_6") where (cache != nil and cache["__field_6"] != nil)
- - set(cache["__field_6"], body["level"]) where (body != nil and body["level"] != nil)
+ - set(cache["__field_6"], body["parsed_xml"]["Event"]["System"]["Level"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Level"] != nil)
- delete_key(cache, "__field_7") where (cache != nil and cache["__field_7"] != nil)
- set(cache["__field_7"], body["parsed_xml"]["Event"]["RenderingInfo"]["Message"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"] != nil and body["parsed_xml"]["Event"]["RenderingInfo"]["Message"] != nil)
- delete_key(cache, "__field_8") where (cache != nil and cache["__field_8"] != nil)
- - set(cache["__field_8"], body["opcode"]) where (body != nil and body["opcode"] != nil)
+ - set(cache["__field_8"], body["parsed_xml"]["Event"]["System"]["Opcode"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Opcode"] != nil)
- delete_key(cache, "__field_9") where (cache != nil and cache["__field_9"] != nil)
- set(cache["__field_9"], body["execution"]["process_id"]) where (body != nil and body["execution"] != nil and body["execution"]["process_id"] != nil)
- delete_key(cache, "__field_10") where (cache != nil and cache["__field_10"] != nil)
@@ -1405,7 +1399,7 @@ processors:
- delete_key(cache, "__field_14") where (cache != nil and cache["__field_14"] != nil)
- set(cache["__field_14"], body["event_data"]) where (body != nil and body["event_data"] != nil)
- delete_key(cache, "__field_15") where (cache != nil and cache["__field_15"] != nil)
- - set(cache["__field_15"], body["task"]) where (body != nil and body["task"] != nil)
+ - set(cache["__field_15"], body["parsed_xml"]["Event"]["System"]["Task"]) where (body != nil and body["parsed_xml"] != nil and body["parsed_xml"]["Event"] != nil and body["parsed_xml"]["Event"]["System"] != nil and body["parsed_xml"]["Event"]["System"]["Task"] != nil)
- delete_key(cache, "__field_16") where (cache != nil and cache["__field_16"] != nil)
- set(cache["__field_16"], body["execution"]["thread_id"]) where (body != nil and body["execution"] != nil and body["execution"]["thread_id"] != nil)
- delete_key(cache, "__field_17") where (cache != nil and cache["__field_17"] != nil)
@@ -1418,6 +1412,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1436,13 +1431,8 @@ processors:
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
- - delete_key(cache, "mapped_value") where (cache != nil and cache["mapped_value"] != nil)
- - set(cache["mapped_value"], "1") where cache["value"] == "Critical"
- - set(cache["mapped_value"], "2") where cache["value"] == "Error"
- - set(cache["mapped_value"], "4") where cache["value"] == "Information"
- - set(cache["mapped_value"], "3") where cache["value"] == "Warning"
- - set(cache["mapped_value"], Int(cache["mapped_value"]))
- - set(body["Level"], cache["mapped_value"]) where (cache != nil and cache["mapped_value"] != nil)
+ - set(cache["value"], Int(cache["value"]))
+ - set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
@@ -1465,6 +1455,7 @@ processors:
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["RelatedActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_14"])
From 4f29f2b684c2df4fae0c63b231782abb1953b0b4 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 17:12:57 +0000
Subject: [PATCH 09/14] Update goldens.
---
.../output_otel.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
index b94488b577..c005d26636 100644
--- a/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
+++ b/transformation_test/testdata/logging_processor-windows_event_log_raw_xml/output_otel.yaml
@@ -40,7 +40,7 @@
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
raw_xml: |-
- 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
@@ -121,7 +121,7 @@
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
raw_xml: |-
- 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
+ 4567005678900x802000000000000034567Securitytest-computerS-0-0-00SYSTEMNT AUTHORITY0x000SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
From 05c5c7eb2882f736df20e886e1406ae43c9aaac7 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 18:54:48 +0000
Subject: [PATCH 10/14] Set `0` as default `Opcode` value.
---
confgenerator/logging_receivers.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index 6b6d8fd227..d6b7183224 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -779,6 +779,7 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
processors := []otel.Component{parseLogRecordOriginal(true)}
var empty string
+ var zero string = "0"
modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
@@ -789,7 +790,7 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
"jsonPayload.Keywords": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Keywords"},
"jsonPayload.Level": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Level", Type: "integer"},
"jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
- "jsonPayload.Opcode": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Opcode", Type: "integer"},
+ "jsonPayload.Opcode": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Opcode", Type: "integer", DefaultValue: &zero},
"jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer"},
"jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid"},
"jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name"},
From a5be2e87fad8455cb68b6a6c5b4508d006658b37 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 18:56:49 +0000
Subject: [PATCH 11/14] Update goldens.
---
.../golden/windows-2012/otel.yaml | 3 +++
.../golden/windows/otel.yaml | 3 +++
2 files changed, 6 insertions(+)
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
index e4057a5936..89bf587ad1 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
@@ -1126,6 +1126,7 @@ processors:
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1253,6 +1254,7 @@ processors:
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1438,6 +1440,7 @@ processors:
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
index e4057a5936..89bf587ad1 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
@@ -1126,6 +1126,7 @@ processors:
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1253,6 +1254,7 @@ processors:
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1438,6 +1440,7 @@ processors:
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
From 781160e58e9112f34eaa890cabc959a437ba5ad7 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 20:50:30 +0000
Subject: [PATCH 12/14] Only use `ToValues` when `jsonPayload.event_data.data`
exists to avoid warning logs.
---
confgenerator/logging_receivers.go | 2 +-
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../logging-otel-receiver_kafka/golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../logging-otel-receiver_mysql/golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../logging-otel-receiver_nginx/golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
.../golden/windows-2012/otel.yaml | 6 +++---
.../golden/windows/otel.yaml | 6 +++---
23 files changed, 67 insertions(+), 67 deletions(-)
diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index d6b7183224..91073c1bd2 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -734,7 +734,7 @@ func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error)
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data.data",
CustomConvertFunc: func(v ottl.LValue) ottl.Statements {
- return v.Set(ottl.ToValues(v))
+ return v.SetIf(ottl.ToValues(v), v.IsPresent())
},
},
"jsonPayload.TimeGenerated": {
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
index 2605f78a25..7557955f69 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows-2012/otel.yaml
@@ -908,7 +908,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1000,7 +1000,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1150,7 +1150,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
index 2605f78a25..7557955f69 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_exclude_logs/golden/windows/otel.yaml
@@ -908,7 +908,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1000,7 +1000,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1150,7 +1150,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
index abb68130fa..96d0738159 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows-2012/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
index abb68130fa..96d0738159 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields/golden/windows/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
index 3e9c5adb43..ff10284972 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows-2012/otel.yaml
@@ -807,7 +807,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -899,7 +899,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1049,7 +1049,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
index 3e9c5adb43..ff10284972 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_modify_fields_ruby_regex/golden/windows/otel.yaml
@@ -807,7 +807,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -899,7 +899,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1049,7 +1049,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
index f5f8dfdade..239440da56 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows-2012/otel.yaml
@@ -847,7 +847,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -939,7 +939,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1089,7 +1089,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
index f5f8dfdade..239440da56 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_json/golden/windows/otel.yaml
@@ -847,7 +847,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -939,7 +939,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1089,7 +1089,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
index 517446896a..3fb93a1521 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows-2012/otel.yaml
@@ -928,7 +928,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1020,7 +1020,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1170,7 +1170,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
index 517446896a..3fb93a1521 100644
--- a/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-processor_parse_regex_type_on_default_pipeline/golden/windows/otel.yaml
@@ -928,7 +928,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1020,7 +1020,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1170,7 +1170,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
index 83ce118fec..1f4f1ea580 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows-2012/otel.yaml
@@ -792,7 +792,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -884,7 +884,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1034,7 +1034,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
index 83ce118fec..1f4f1ea580 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_files_refresh_interval/golden/windows/otel.yaml
@@ -792,7 +792,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -884,7 +884,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1034,7 +1034,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
index 25a6518c27..e0bc47b44c 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows-2012/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
index 25a6518c27..e0bc47b44c 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_kafka/golden/windows/otel.yaml
@@ -881,7 +881,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -973,7 +973,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1123,7 +1123,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
index dde6f7dd43..53c114f814 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows-2012/otel.yaml
@@ -1391,7 +1391,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1483,7 +1483,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1633,7 +1633,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
index dde6f7dd43..53c114f814 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_mysql/golden/windows/otel.yaml
@@ -1391,7 +1391,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1483,7 +1483,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1633,7 +1633,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
index a33c463c1a..e519fb0e1a 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows-2012/otel.yaml
@@ -1041,7 +1041,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1133,7 +1133,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1283,7 +1283,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
index a33c463c1a..e519fb0e1a 100644
--- a/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/logging-otel-receiver_nginx/golden/windows/otel.yaml
@@ -1041,7 +1041,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1133,7 +1133,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1283,7 +1283,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
index 89bf587ad1..4f9a1b9c9a 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
index 89bf587ad1..4f9a1b9c9a 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
index 34eb6a55ce..2bf20559be 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
index 34eb6a55ce..2bf20559be 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
@@ -763,7 +763,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -855,7 +855,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
@@ -1005,7 +1005,7 @@ processors:
- set(body["SourceName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
- - set(cache["value"], ToValues(cache["value"]))
+ - set(cache["value"], ToValues(cache["value"])) where (cache != nil and cache["value"] != nil)
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
From a82aeb6735789cc58313a77a64ccd2f76048d4e4 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 23:18:17 +0000
Subject: [PATCH 13/14] Set defaults for all fields in V2 and Raw xml.
---
confgenerator/logging_receivers.go | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/confgenerator/logging_receivers.go b/confgenerator/logging_receivers.go
index 91073c1bd2..171ba7ffac 100644
--- a/confgenerator/logging_receivers.go
+++ b/confgenerator/logging_receivers.go
@@ -783,18 +783,18 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
- "jsonPayload.Channel": {CopyFrom: "jsonPayload.channel"},
- "jsonPayload.Computer": {CopyFrom: "jsonPayload.computer"},
- "jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id"},
- "jsonPayload.EventRecordID": {CopyFrom: "jsonPayload.record_id"},
+ "jsonPayload.Channel": {CopyFrom: "jsonPayload.channel", DefaultValue: &empty},
+ "jsonPayload.Computer": {CopyFrom: "jsonPayload.computer", DefaultValue: &empty},
+ "jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.EventRecordID": {CopyFrom: "jsonPayload.record_id", Type: "integer", DefaultValue: &zero},
"jsonPayload.Keywords": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Keywords"},
- "jsonPayload.Level": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Level", Type: "integer"},
- "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
+ "jsonPayload.Level": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Level", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message", DefaultValue: &empty},
"jsonPayload.Opcode": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Opcode", Type: "integer", DefaultValue: &zero},
- "jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer"},
- "jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid"},
- "jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name"},
- "jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers"},
+ "jsonPayload.ProcessID": {CopyFrom: "jsonPayload.execution.process_id", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.ProviderGuid": {CopyFrom: "jsonPayload.provider.guid", DefaultValue: &empty},
+ "jsonPayload.ProviderName": {CopyFrom: "jsonPayload.provider.name", DefaultValue: &empty},
+ "jsonPayload.Qualifiers": {CopyFrom: "jsonPayload.event_id.qualifiers", Type: "integer", DefaultValue: &zero},
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data",
CustomConvertFunc: func(v ottl.LValue) ottl.Statements {
@@ -808,8 +808,8 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
)
},
},
- "jsonPayload.Task": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Task", Type: "integer"},
- "jsonPayload.ThreadId": {CopyFrom: "jsonPayload.execution.thread_id", Type: "integer"},
+ "jsonPayload.Task": {CopyFrom: "jsonPayload.parsed_xml.Event.System.Task", Type: "integer", DefaultValue: &zero},
+ "jsonPayload.ThreadId": {CopyFrom: "jsonPayload.execution.thread_id", Type: "integer", DefaultValue: &zero},
"jsonPayload.TimeCreated": {
CopyFrom: "jsonPayload.system_time",
CustomConvertFunc: formatSystemTime,
@@ -820,7 +820,7 @@ func windowsEventLogV2Processors(ctx context.Context) ([]otel.Component, error)
},
"jsonPayload.ActivityID": {CopyFrom: "jsonPayload.correlation.activity_id", DefaultValue: &empty},
"jsonPayload.RelatedActivityID": {CopyFrom: "jsonPayload.correlation.related_activity_id", DefaultValue: &empty},
- "jsonPayload.Version": {CopyFrom: "jsonPayload.version", Type: "integer"},
+ "jsonPayload.Version": {CopyFrom: "jsonPayload.version", Type: "integer", DefaultValue: &zero},
}}
p, err := modifyFields.Processors(ctx)
if err != nil {
@@ -855,10 +855,11 @@ func windowsEventLogRawXMLProcessors(ctx context.Context) ([]otel.Component, err
// event original XML.
processors := []otel.Component{parseLogRecordOriginal(false)}
+ var empty string
modifyFields := &LoggingProcessorModifyFields{
EmptyBody: true,
Fields: map[string]*ModifyField{
- "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message"},
+ "jsonPayload.Message": {CopyFrom: "jsonPayload.parsed_xml.Event.RenderingInfo.Message", DefaultValue: &empty},
`jsonPayload.raw_xml`: {MoveFrom: `labels."log.record.original"`},
"jsonPayload.StringInserts": {
CopyFrom: "jsonPayload.event_data",
From c18fa4a52bbc8a84f1d3bf138b16f7e2503292f9 Mon Sep 17 00:00:00 2001
From: Francisco Valente
<1435136+franciscovalentecastro@users.noreply.github.com>
Date: Tue, 24 Feb 2026 23:21:09 +0000
Subject: [PATCH 14/14] Update goldens.
---
.../golden/windows-2012/otel.yaml | 48 +++++++++++++++++++
.../golden/windows/otel.yaml | 48 +++++++++++++++++++
.../golden/windows-2012/otel.yaml | 2 +
.../golden/windows/otel.yaml | 2 +
4 files changed, 100 insertions(+)
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
index 4f9a1b9c9a..740fd32a28 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows-2012/otel.yaml
@@ -1104,25 +1104,33 @@ processors:
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
@@ -1131,16 +1139,21 @@ processors:
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
@@ -1154,10 +1167,12 @@ processors:
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1170,6 +1185,7 @@ processors:
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_1_0:
@@ -1232,25 +1248,33 @@ processors:
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
@@ -1259,16 +1283,21 @@ processors:
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
@@ -1282,10 +1311,12 @@ processors:
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1298,6 +1329,7 @@ processors:
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_1_2:
@@ -1418,25 +1450,33 @@ processors:
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
@@ -1445,16 +1485,21 @@ processors:
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
@@ -1468,10 +1513,12 @@ processors:
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1484,6 +1531,7 @@ processors:
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_2_2:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
index 4f9a1b9c9a..740fd32a28 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_new_channels/golden/windows/otel.yaml
@@ -1104,25 +1104,33 @@ processors:
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
@@ -1131,16 +1139,21 @@ processors:
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
@@ -1154,10 +1167,12 @@ processors:
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1170,6 +1185,7 @@ processors:
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_1_0:
@@ -1232,25 +1248,33 @@ processors:
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
@@ -1259,16 +1283,21 @@ processors:
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
@@ -1282,10 +1311,12 @@ processors:
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1298,6 +1329,7 @@ processors:
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_1_2:
@@ -1418,25 +1450,33 @@ processors:
- set(body["ActivityID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Channel"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_2"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Computer"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_3"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_4"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["EventRecordID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_5"])
- set(body["Keywords"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_6"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Level"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_7"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_8"])
@@ -1445,16 +1485,21 @@ processors:
- set(body["Opcode"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_9"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ProcessID"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_10"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderGuid"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_11"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["ProviderName"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_12"])
+ - set(cache["value"], "0") where cache["value"] == nil
+ - set(cache["value"], Int(cache["value"]))
- set(body["Qualifiers"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_13"])
@@ -1468,10 +1513,12 @@ processors:
- set(body["StringInserts"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_15"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Task"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_16"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["ThreadId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
@@ -1484,6 +1531,7 @@ processors:
- set(body["UserId"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_19"])
+ - set(cache["value"], "0") where cache["value"] == nil
- set(cache["value"], Int(cache["value"]))
- set(body["Version"], cache["value"]) where (cache != nil and cache["value"] != nil)
transform/winlog2_2_2:
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
index 2bf20559be..345a840ef8 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows-2012/otel.yaml
@@ -1066,6 +1066,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1098,6 +1099,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
diff --git a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
index 2bf20559be..345a840ef8 100644
--- a/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
+++ b/confgenerator/testdata/goldens/windows-otel-logging-receiver_winlog2_xml/golden/windows/otel.yaml
@@ -1066,6 +1066,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])
@@ -1098,6 +1099,7 @@ processors:
- keep_keys(body, [])
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_0"])
+ - set(cache["value"], "") where cache["value"] == nil
- set(body["Message"], cache["value"]) where (cache != nil and cache["value"] != nil)
- delete_key(cache, "value") where (cache != nil and cache["value"] != nil)
- set(cache["value"], cache["__field_1"])