Open inosvaruag opened 4 years ago
Currently, fluent-plugin-windows-eventlog's in_windows_eventlog2 does not provide a remote access feature. This requires creating a Ruby binding for EvtOpenSession and remote session handling in EvtOpenPublisherMetadata. The Ruby binding is being developed at https://github.com/fluent-plugins-nursery/winevt_c.
Currently, I'm developing remote access in the following branch: https://github.com/fluent-plugins-nursery/winevt_c/tree/remoting-access
But I'm not sure whether a Windows container is able to log in with NTLM authentication. Could you explain how to do this access with Windows docker containers? Are WMI remoting, PowerShell remoting, or CIM sessions with NTLM authentication able to establish connections between a Windows container host and its clients, which are also called Windows docker containers, @inosvaruag?
There is no way of running this plugin to get underlying VM's event logs from within a container.
Ah, I got it. Inside a docker container, there is no way to access the host's Windows EventLog. Yeah, I'm implementing remote access functionality in https://github.com/fluent-plugins-nursery/winevt_c/tree/remoting-access.
Great! Yes, this would require some form of remote access with credentials to the host VM. And also opening up network and firewall access.
My vote is to start with approach 2 - it should work for most scenarios and has lower security surface area than approach 1. Eventually, approach 3 should be considered to make management easier for large enterprise deployments.
Approach 1: WinRM based remoting e.g. Powershell remoting
Approach 2: Eventlog remoting
Approach 3: gMSA (Group managed service account) accounts
I'm new to Ruby so I lack in-depth knowledge on how to develop this, but I'm happy to help with any Windows-related questions to make this work. I have built working prototypes for some of these approaches in other languages.
I think that approach 2 is better.
<winevt.h> supports remoting sessions: https://docs.microsoft.com/ja-jp/windows/win32/api/winevt/nf-winevt-evtopensession
I'm confirming with EvtRpcLoginAuthDefault, the default flag, which means Negotiate is used to authenticate against a remote Windows 10 box which uses the cp932 code page: https://github.com/fluent-plugins-nursery/winevt_c/pull/30#issuecomment-689347816
I'm not sure about gMSA accounts, but EvtRpcLoginAuthKerberos on EvtOpenSession might handle the Kerberos authentication method.
Using Negotiate is better. It automatically does NTLM or Kerberos authentication depending on what the client supports.
About gMSA:
In approach 2, FluentD accepts a username and password for authentication. The disadvantage is a higher operations workload: the administrator has to create, distribute, and manage password rotation of the user account on all VMs.
In approach 3, administration is easier. The container automatically runs as the gMSA account and doesn't require a username and password. This is very easy to administer.
I agree that we should first get approach 2 working.
I've created a PR to support remote access for Windows EventLog: https://github.com/fluent/fluent-plugin-windows-eventlog/pull/66
I've published the Approach 2 (Eventlog remoting) functionality as v0.8.0.
Could you try it out?
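As an added illustration of approach 2 (not code from this thread or from the plugin's own documentation), below is an in_windows_eventlog2 source configured for remote access. The parameter names `remote_server`, `remote_domain`, `remote_username` and `remote_password` are assumed to be the v0.8.0 names, and the hostname, domain and account are constructed; the first block keeps the password in the config, the second pulls credentials from environment variables injected into the container at runtime.

```conf
# Weak form: the password is baked into the config (and so into the
# container image or config map). Anyone who can read either has the account.
<source>
  @type windows_eventlog2
  @id in_winevt_remote_plaintext
  tag winevt.raw
  channels security
  read_existing_events false
  rate_limit 200
  # constructed values
  remote_server dc01.example.internal
  remote_domain EXAMPLE
  remote_username svc-winevt-reader
  remote_password "Plaintext-Password-Here"
</source>

# Hardened form: the same source, but Fluentd expands "#{ENV[...]}" inside
# double-quoted values, so the secret lives only in the container's
# environment (docker run -e / a secret store), not in the image or config.
# Grant the reader account only what it needs on the target, e.g. membership
# in Event Log Readers, rather than administrative rights.
<source>
  @type windows_eventlog2
  @id in_winevt_remote
  tag winevt.raw
  channels security
  read_existing_events false
  rate_limit 200
  remote_server "#{ENV['WINEVT_REMOTE_SERVER']}"
  remote_domain "#{ENV['WINEVT_REMOTE_DOMAIN']}"
  remote_username "#{ENV['WINEVT_REMOTE_USER']}"
  remote_password "#{ENV['WINEVT_REMOTE_PASSWORD']}"
</source>
```

Fluentd evaluates the `"#{ENV[...]}"` expressions once at config load, so the variables must be set before the container's Fluentd process starts.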
Hi @cosmo0920, how are you? I see that this is an old issue, but I can confirm that using the fluent/fluentd:v1.16.3-windows-ltsc2022-1.0 docker image, with some additional gems added in the Dockerfile (fluent-plugin-windows-eventlog, fluent-plugin-parser-winevt_xml and nokogiri), I'm collecting the logs of a remote Domain Controller from a Fluentd that is inside a Windows Docker container on another server.
Is your feature request related to a problem? Please describe.
FluentD can run within a container on Windows, but when running in this mode, this plugin cannot get the underlying VM's Windows event logs.
Describe the solution you'd like
Allow this plugin to capture Windows event logs when running inside a Windows container. Remote event log access, WMI Remoting, Powershell remoting, CIM sessions, etc. could be used for establishing this connection.
Describe alternatives you've considered
There is no way of running this plugin to get the underlying VM's event logs from within a container. The only option is to run it as a service on Windows outside of a container.