fluent / fluent-plugin-windows-eventlog

Fluentd plugin to collect windows event logs
Apache License 2.0

Channel Name Escaping Rules - What are they? (windows-eventlog2) #67

Closed fifofonix closed 3 years ago

fifofonix commented 3 years ago

What is the correct way to name eventlog channels in your source configuration in_windows_eventlog2?

The documentation seems to suggest that it is only possible to source from the core channels: {'application', 'system', 'setup', 'security'}. But there is also a reference to 'HardwareEvents', and indeed this passes configuration/launch. But one can't then use 'WindowsPowerShell' - this configuration is rejected as an invalid channel.

The read_all_channels option seems to do what it says on the tin, and correctly harvests 'complicated' channel names, e.g. Microsoft-Windows-Diagnosis-PCW/Operational. However, it is not then possible to use this same channel name when configuring.

Perhaps I am missing something in terms of the escaping rules for channel name definition?

philipsabri commented 3 years ago

In your case, PowerShell would be `Windows PowerShell`.

Sorry for the Swedish version of Windows, but if you right-click on the channel inside Event Viewer and then go to Properties, you should see the name there. [image] Another example: [image]

fifofonix commented 3 years ago

Thanks @flurreN, so I definitely over thunk it.

The configuration below is confirmed as working including two channels beyond the standard ones.

No quoting of channel names is required. No escaping of the forward slash is needed.

```
<source>
  @type windows_eventlog2
  @id windows_eventlog2
  # Channel names are given exactly as Event Viewer shows them:
  # comma-separated, unquoted, spaces and '/' left as-is.
  channels Microsoft-Windows-Diagnosis-PCW/Operational,Windows PowerShell
</source>
```
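To find the exact channel names without clicking through Event Viewer, the following added example (not code from the plugin or from this thread) enumerates matching channels on the Windows host and prints a ready-to-paste `channels` line; the wildcard patterns are constructed samples, and it assumes the account can read the logs in question.

```powershell
# Added example (not part of fluent-plugin-windows-eventlog or this thread):
# list the exact channel names that in_windows_eventlog2 expects, i.e. the
# LogName shown under Event Viewer > Properties. Runs on the monitored host.
param(
    # Constructed sample filters; replace with the channels you care about.
    [string[]]$Pattern = @('*PowerShell*', '*Diagnosis-PCW*')
)

# Get-WinEvent -ListLog returns one object per channel. Its LogName is the
# value that goes into the fluentd 'channels' parameter verbatim
# (spaces and '/' are kept, no quoting or escaping).
$logs = foreach ($p in $Pattern) {
    Get-WinEvent -ListLog $p -ErrorAction SilentlyContinue
}

# Show what was found, including whether the channel is enabled and how
# many records it currently holds (a disabled channel will never yield events).
$logs |
    Sort-Object LogName -Unique |
    Select-Object LogName, IsEnabled, RecordCount, LogType |
    Format-Table -AutoSize

# Emit the comma-separated 'channels' value for the fluentd <source> block,
# restricted to enabled channels.
$channels = ($logs |
    Where-Object IsEnabled |
    Sort-Object LogName -Unique |
    ForEach-Object LogName) -join ','
"channels $channels"
```

Paste the printed `channels ...` line into the `<source>` block as-is; if a channel is listed as disabled, enable it in Event Viewer (or via `wevtutil sl <channel> /e:true`) before expecting events from it.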