I'm trying to get the Windows Event Log of a native Windows machine from fluentd running as a Windows container on the same machine. As far as I can tell from the fluentd log, fluentd successfully connects to the remote box (the host machine); however, fluentd doesn't detect any Windows events from the remote box. I can get the Windows event log of the guest machine, so I think fluentd itself is still working correctly. I'm wondering if you could provide any advice on this issue?
Environment
Host: Windows 10 21H1
Guest: fluent/fluentd:v1.13-windows-ltsc2019-1
fluent-plugin-windows-eventlog-0.8.0
Steps to recreate this issue
# In Powershell (Run as admin)
PS > netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
# In Powershell
PS > docker run -d --name test `
-v C:\some\where\tmp:c:\fluent\conf `
--entrypoint cmd `
-t fluent/fluentd:v1.13-windows-ltsc2019-1
PS > docker exec -it test powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\> gem install fluent-plugin-windows-eventlog
Fetching fluent-plugin-windows-eventlog-0.8.0.gem
Fetching win32-eventlog-0.6.7.gem
Fetching winevt_c-0.9.3.gem
Successfully installed win32-eventlog-0.6.7
Temporarily enhancing PATH for MSYS/MINGW...
Building native extensions. This could take a while...
Successfully installed winevt_c-0.9.3
Successfully installed fluent-plugin-windows-eventlog-0.8.0
3 gems installed
PS C:\>
PS C:\> gem install nokogiri
Fetching nokogiri-1.11.7-x64-mingw32.gem
Fetching racc-1.5.2.gem
Temporarily enhancing PATH for MSYS/MINGW...
Building native extensions. This could take a while...
Successfully installed racc-1.5.2
Successfully installed nokogiri-1.11.7-x64-mingw32
2 gems installed
PS C:\>
PS C:\> gem install fluent-plugin-parser-winevt_xml
Fetching fluent-plugin-parser-winevt_xml-0.2.2.gem
Successfully installed fluent-plugin-parser-winevt_xml-0.2.2
1 gem installed
PS C:\>
PS C:\> whoami
user manager\containeradministrator
PS C:\> Add-LocalGroupMember -Group "Event Log Readers" -Member "user manager\containeradministrator"
PS C:\>
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::5181:182c:a96c:64a3%4
IPv4 Address. . . . . . . . . . . : 172.20.34.25
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.20.32.1
PS C:\>
PS C:\> hostname
17ab2839905e
PS C:\>
PS C:\> fluentd -c C:\fluent\conf\fluent.conf -v
And I tested by emitting the following dummy event manually.
eventcreate /ID 999 /L Application /SO DummySource /T Information /D "This is a test message."
Log
PS C:\> fluentd -c C:\fluent\conf\fluent.conf -v
2021-07-06 23:50:22 +0900 [info]: fluent/log.rb:330:info: parsing config file is succeeded path="C:\\fluent\\conf\\fluent.conf"
2021-07-06 23:50:22 +0900 [info]: fluent/log.rb:330:info: gem 'fluent-plugin-parser-winevt_xml' version '0.2.2'
2021-07-06 23:50:22 +0900 [info]: fluent/log.rb:330:info: gem 'fluent-plugin-windows-eventlog' version '0.8.0'
2021-07-06 23:50:22 +0900 [info]: fluent/log.rb:330:info: gem 'fluentd' version '1.13.1'
2021-07-06 23:50:23 +0900 [debug]: [windows_eventlog2] connect to remote box (server: 172.20.32.1) domain: DESKTOP-D9O1OE9.WORKGROUP username: nekia)
2021-07-06 23:50:23 +0900 [warn]: fluent/log.rb:351:warn: define <match fluent.**> to capture fluentd logs in top level is deprecated. Use <label @FLUENT_LOG> instead
2021-07-06 23:50:23 +0900 [info]: fluent/log.rb:330:info: using configuration file: <ROOT>
<source>
@type windows_eventlog2
@id windows_eventlog2
read_interval 2
tag "winevt.raw"
<storage>
@type "local"
persistent true
path "./tmp/storage.json"
</storage>
<subscribe>
channels Application
read_existing_events false
remote_server "172.20.32.1"
remote_domain "DESKTOP-D9O1OE9.WORKGROUP"
remote_username "nekia"
remote_password xxxxxx
</subscribe>
</source>
<match **>
@type stdout
</match>
</ROOT>
2021-07-06 23:50:23 +0900 [info]: fluent/log.rb:330:info: starting fluentd-1.13.1 pid=1880 ruby="2.6.5"
2021-07-06 23:50:23 +0900 [info]: fluent/log.rb:330:info: spawn command to main: cmdline=["C:/ruby26/bin/ruby.exe", "-Eascii-8bit:ascii-8bit", "C:/ruby26/bin/fluentd", "-c", "C:\\fluent\\conf\\fluent.conf", "-v", "--under-supervisor"]
2021-07-06 23:50:26 +0900 [info]: fluent/log.rb:330:info: adding match pattern="**" type="stdout"
2021-07-06 23:50:26 +0900 [info]: fluent/log.rb:330:info: adding source type="windows_eventlog2"
2021-07-06 23:50:27 +0900 [debug]: #0 [windows_eventlog2] connect to remote box (server: 172.20.32.1) domain: DESKTOP-D9O1OE9.WORKGROUP username: nekia)
2021-07-06 23:50:27 +0900 [warn]: #0 fluent/log.rb:351:warn: define <match fluent.**> to capture fluentd logs in top level is deprecated. Use <label @FLUENT_LOG> instead
2021-07-06 23:50:27 +0900 [info]: #0 fluent/log.rb:330:info: starting fluentd worker pid=1688 ppid=1880 worker=0
2021-07-06 23:50:27 +0900 [warn]: #0 [windows_eventlog2] This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: <BookmarkList Direction='backward'>
</BookmarkList>, channel: application
2021-07-06 23:50:27 +0900 [debug]: #0 [windows_eventlog2] channel (application) subscription is subscribed.
2021-07-06 23:50:27 +0900 [info]: #0 fluent/log.rb:330:info: fluentd worker is now running worker=0
2021-07-06 23:50:27.415647100 +0900 fluent.info: {"pid":1688,"ppid":1880,"worker":0,"message":"starting fluentd worker pid=1688 ppid=1880 worker=0"}
2021-07-06 23:50:27.419596600 +0900 fluent.warn: {"message":"[windows_eventlog2] This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: <BookmarkList Direction='backward'>\r\n</BookmarkList>, channel: application"}
2021-07-06 23:50:27.422463200 +0900 fluent.debug: {"message":"[windows_eventlog2] channel (application) subscription is subscribed."}
2021-07-06 23:50:27.424122500 +0900 fluent.info: {"worker":0,"message":"fluentd worker is now running worker=0"}
2021-07-06 23:56:49.456301000 +0900 winevt.raw: {"ProviderName":"DummySource","ProviderGUID":"","EventID":"999","Level":"4","Task":"0","Opcode":"0","Keywords":"0x80000000000000","TimeCreated":"2021/07/06 14:56:49.120846000","EventRecordID":"56","ActivityID":"","RelatedActivityID":"","ProcessID":"0","ThreadID":"0","Channel":"Application","Computer":"17ab2839905e","UserID":"S-1-5-93-2-1","Version":"0","Description":"This is a test message.","EventData":["This is a test message."]}
The event detected at the end of the above log is the one coming from the guest machine ({"Computer":"17ab2839905e"}).
Configuration
<source>
@type windows_eventlog2
@id windows_eventlog2
read_interval 2
tag winevt.raw
<storage>
@type local # @type local is the default.
persistent true # default is true. Set to false to use in-memory storage.
path ./tmp/storage.json # This is required when persistent is true. If migrating from eventlog v1 please ensure that you remove the old .pos folder
</storage>
<subscribe>
channels Application
read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
remote_server 172.20.32.1 # Remote server ip/fqdn
remote_domain DESKTOP-D9O1OE9.WORKGROUP # Domain name
remote_username nekia # Remoting access account name
remote_password ****** # Remoting access account password
</subscribe>
</source>
<match **>
@type stdout
</match>
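A quick way to separate a plugin problem from a remote-access problem, added here as a diagnostic that is not part of the issue or of fluent-plugin-windows-eventlog: from inside the container, read the host's Application log directly with Get-WinEvent using the same server, domain and account the `<subscribe>` block uses, then look for the DummySource/999 event that `eventcreate` produced. The host IP, machine name and account name are the ones from the issue; the script assumes a Server Core based container where Get-WinEvent is available and prompts for the password instead of embedding it.

```powershell
# Added diagnostic (not from the issue or the plugin): run inside the container
# to check whether the host's Application log can be read remotely at all.
# Values below are taken from the issue; replace them for your own setup.
$HostIp     = '172.20.32.1'       # remote_server
$HostDomain = 'DESKTOP-D9O1OE9'   # machine-name part of remote_domain
$User       = 'nekia'             # remote_username
$Cred       = Get-Credential -UserName "$HostDomain\$User" -Message 'Host account used as remote_username'

# 1. Is the RPC endpoint mapper on the host reachable from the container network?
#    Remote event log reads begin with an RPC call to TCP 135 on the target.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostIp, 135)
    Write-Host "TCP 135 on $HostIp is reachable"
} catch {
    Write-Warning "TCP 135 on $HostIp is not reachable: $($_.Exception.Message)"
} finally {
    $tcp.Dispose()
}

# 2. Can this account read the host's Application channel remotely?
#    An access-denied error here means the account lacks read rights on the
#    HOST (e.g. membership in the host's "Event Log Readers" group); group
#    membership granted inside the container does not apply to the host.
try {
    $recent = Get-WinEvent -ComputerName $HostIp -Credential $Cred `
        -LogName Application -MaxEvents 5 -ErrorAction Stop
    $recent | Select-Object MachineName, TimeCreated, Id, ProviderName | Format-Table -AutoSize
} catch {
    Write-Warning "Remote read of Application log failed: $($_.Exception.Message)"
}

# 3. Does the dummy event show up in the HOST's log? MachineName should be the
#    host name, not the container id (17ab2839905e) seen in the fluentd output.
$dummy = Get-WinEvent -ComputerName $HostIp -Credential $Cred -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Application'; ProviderName = 'DummySource'; Id = 999 }
if ($dummy) {
    $dummy | Select-Object MachineName, TimeCreated, Id, Message | Format-List
} else {
    Write-Warning 'No DummySource/999 event readable from the host Application log'
}
```

If step 2 succeeds and step 3 lists the event with the host's MachineName, the remote read path works and the gap is between the plugin's subscription and the host; if step 2 fails, fix access on the host before looking at the fluentd side.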