daipom
commented
3 months ago Thanks for the report. I understand the issue, as well as #95.
I've realized that what I want is probably only achievable from the XML Key values in the Windows events by default.
We would need the #95 feature for this, but it would not be possible now, as I commented on https://github.com/fluent/fluent-plugin-windows-eventlog/issues/95#issuecomment-2177580285.
Please let us know if you know how to use Win32 API to take the Data Name of EventData.
I was able to get the keys to be in Camel case without underscores by editing the to_key function
It would not be enough for this issue, but if you need this feature, we should improve this plugin. Welcome to PR!
BlakeHensleyy
Is there a way to parse EventData with the fields included rather than parsing the Description with the description fields?
I'd like to use the field names from EventData because NXlog is supported by my event collector and this is what NXlog does. For example, in the Security log 4624, is the EventData fields "TargetLogonId", "TargetUserName", and "TargetUserSid". While, parsed from the Description these fields are "new_logon_logon_id", "new_logon_account_name", and "new_logon_security_id". I was able to get the keys to be in Camel case without underscores by editing the to_key function:
and by removing the period on line 392 to be:
k = "#{parent_key}#{to_key(key)}"After these changes, the fields are "NewLogonLogonId", "NewLogonAccountName", and "TargetSubjectSecurityID" which still is not the desired field names. I've realized that what I want is probably only achievable from the XML Key values in the Windows events by default.
Is there a configuration setting that achieves this? Or should I attempt my own implementation of it? I would also be ok with solution described in issue #95, if that goes anywhere.