fluent / fluentd-docs

This repository is deprecated. Go to fluentd-docs-gitbook repository.

Hello, cannot load Windows event logs #572

Closed mimachniak closed 5 years ago

mimachniak commented 5 years ago

When I launch fluentd with the configuration I get this message:

0 no patterns matched tag="winevt.raw"

cosmo0920 commented 5 years ago

Could you share your configuration?

mimachniak commented 5 years ago

Sure, I'm using Windows 2012 R2 with this configuration:

# Output descriptions:
# Treasure Data (http://www.treasure-data.com/) provides cloud based data
# analytics platform, which easily stores and processes data from td-agent.
# FREE plan is also provided.
# @see http://docs.fluentd.org/articles/http-to-td

# This section matches events whose tag is td.DATABASE.TABLE
<match td.*.*>
  @type tdlog
  @id output_td
  apikey YOUR_API_KEY
  auto_create_table
  <buffer>
    @type file
    path /var/log/td-agent/buffer/td
  </buffer>
  <secondary>
    @type file
    path /var/log/td-agent/failed_records
  </secondary>
</match>

## match tag=debug.** and dump to console
<match debug.**>
  @type stdout
  @id output_stdout
</match>

## Source descriptions:
## built-in TCP input
## @see http://docs.fluentd.org/articles/in_forward
<source>
  @type forward
  @id input_forward
</source>

## built-in UNIX socket input
# <source>
#   type unix
# </source>

# HTTP input
# POST http://localhost:8888/<tag>?json=<json>
# POST http://localhost:8888/td.myapp.login?json={"user"%3A"me"}
# @see http://docs.fluentd.org/articles/in_http
<source>
  @type http
  @id input_http
  port 8888
</source>

## live debugging agent
<source>
  @type debug_agent
  @id input_debug_agent
  bind 127.0.0.1
  port 24230
</source>

## windows_eventlog
<source>
  @type windows_eventlog
  @id windows_eventlog
  channels application,system
  read_interval 2
  tag winevt.raw
  <storage>
    @type local             # @type local is the default.
    persistent true         # default is true. Set to false to use in-memory storage.
    path ./tmp/storage.json # This is required when persistent is true.
                            # Or, please consider using <system> section's root_dir parameter.
  </storage>
</source>

And this is what I get when the process starts:

4:06:11 -0700 [info]: parsing config file is succeeded path="C:/opt/td-agent/etc/td-agent/td-agent.conf"
2018-10-07 04:06:12 -0700 [warn]: [output_td] secondary type should be same with primary one primary="Fluent::Plugin::TreasureDataLogOutput" secondary="Fluent::Plugin::FileOutput"
2018-10-07 04:06:12 -0700 [info]: using configuration file:
<match td.*.*>
  @type tdlog
  @id output_td
  apikey xxxxxx
  auto_create_table
  <buffer>
    @type "file"
    path "/var/log/td-agent/buffer/td"
  </buffer>
  <secondary>
    @type "file"
    path "/var/log/td-agent/failed_records"
    <buffer time>
      path /var/log/td-agent/failed_records
    </buffer>
  </secondary>
</match>
<match debug.**>
  @type stdout
  @id output_stdout
</match>
<source>
  @type forward
  @id input_forward
</source>
<source>
  @type http
  @id input_http
  port 8888
</source>
<source>
  @type debug_agent
  @id input_debug_agent
  bind "127.0.0.1"
  port 24230
</source>
<source>
  @type windows_eventlog
  @id windows_eventlog
  channels application,system
  read_interval 2
  tag "winevt.raw"
  <storage>
    @type "local"
    persistent true
    path "./tmp/storage.json"
  </storage>
</source>

2018-10-07 04:06:12 -0700 [info]: starting fluentd-1.0.2 pid=1980 ruby="2.4.2"
2018-10-07 04:06:12 -0700 [info]: spawn command to main: cmdline=["C:/opt/td-agent/embedded/bin/ruby.exe", "-Eascii-8bit:ascii-8bit", "C:/opt/td-agent/embedded/bin/fluentd", "-c", "C:/opt/td-agent/etc/td-agent/td-agent.conf", "-o", "C:/opt/td-agent/td-agent.log", "-x", "fluentdwinsvc", "--under-supervisor"]
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-elasticsearch' version '2.4.0'
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-kafka' version '0.6.5'
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '2.0.1'
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-s3' version '1.1.0'
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-td' version '1.0.0'
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-td-monitoring' version '0.2.3'
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-webhdfs' version '1.2.2'
2018-10-07 04:06:14 -0700 [info]: gem 'fluent-plugin-windows-eventlog' version '0.2.2'
2018-10-07 04:06:14 -0700 [info]: gem 'fluentd' version '1.0.2'
2018-10-07 04:06:14 -0700 [info]: adding match pattern="td.*.*" type="tdlog"
2018-10-07 04:06:14 -0700 [warn]: #0 [output_td] secondary type should be same with primary one primary="Fluent::Plugin::TreasureDataLogOutput" secondary="Fluent::Plugin::FileOutput"
2018-10-07 04:06:14 -0700 [info]: adding match pattern="debug.**" type="stdout"
2018-10-07 04:06:14 -0700 [info]: adding source type="forward"
2018-10-07 04:06:14 -0700 [info]: adding source type="http"
2018-10-07 04:06:14 -0700 [info]: adding source type="debug_agent"
2018-10-07 04:06:14 -0700 [info]: adding source type="windows_eventlog"
2018-10-07 04:06:14 -0700 [info]: #0 starting fluentd worker pid=2856 ppid=1980 worker=0
2018-10-07 04:06:15 -0700 [info]: #0 [input_debug_agent] listening dRuby uri="druby://127.0.0.1:24230" object="Fluent::Engine"
2018-10-07 04:06:15 -0700 [info]: #0 [input_forward] listening port port=24224 bind="0.0.0.0"
2018-10-07 04:06:15 -0700 [info]: #0 fluentd worker is now running worker=0
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"
2018-10-07 04:06:17 -0700 [warn]: #0 no patterns matched tag="winevt.raw"

cosmo0920 commented 5 years ago

You can use winevt.raw pattern like the following:

<match winevt.raw>
  @type stdout
  @id output_stdout
</match>

Otherwise, winevt.raw is not handled in your configuration. Default configuration does not handle winevt.raw.
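To see why the default td-agent.conf above drops every event the windows_eventlog input emits, here is a small, simplified re-implementation of fluentd's `<match>` tag-glob routing (an added example written for this page, not fluentd's own Fluent::GlobMatchPattern code): it walks the patterns in config order, first fit wins, and no fit is the "no patterns matched" case. The pattern lists are the two `<match>` blocks from the issue's config and the same list with the `<match winevt.raw>` block from the reply added.

```ruby
# Simplified model of fluentd <match> tag globs (added example, not fluentd's code):
#   *      matches exactly one dot-separated tag part
#   **     matches zero or more tag parts
#   {a,b}  matches either alternative inside a single part
# fluentd routes an event to the FIRST <match> whose pattern fits the tag;
# with no fit it logs: [warn]: #0 no patterns matched tag="..."

def part_matches?(pat_part, tag_part)
  braced = pat_part.start_with?('{') && pat_part.end_with?('}')
  alts = braced ? pat_part[1..-2].split(',') : [pat_part]
  alts.any? do |alt|
    # '*' inside a part may not cross a dot, so it becomes [^.]*
    re = '\A' + alt.split('*', -1).map { |s| Regexp.escape(s) }.join('[^.]*') + '\z'
    Regexp.new(re).match?(tag_part)
  end
end

def match_parts(pats, parts)
  return parts.empty? if pats.empty?
  if pats.first == '**'
    # '**' may swallow zero or more leading tag parts; try every split point
    (0..parts.length).any? { |n| match_parts(pats.drop(1), parts.drop(n)) }
  else
    !parts.empty? && part_matches?(pats.first, parts.first) &&
      match_parts(pats.drop(1), parts.drop(1))
  end
end

def glob_match?(pattern, tag)
  match_parts(pattern.split('.'), tag.split('.'))
end

# Returns the winning pattern, or nil when fluentd would warn "no patterns matched".
def route(patterns, tag)
  patterns.find { |p| glob_match?(p, tag) }
end

# The two <match> patterns present in the issue's default td-agent.conf ...
DEFAULT_PATTERNS = ['td.*.*', 'debug.**'].freeze
# ... and the same list after adding the <match winevt.raw> block from the reply.
FIXED_PATTERNS = (DEFAULT_PATTERNS + ['winevt.raw']).freeze

if __FILE__ == $PROGRAM_NAME
  %w[winevt.raw td.mydb.mytable td.mydb debug debug.foo.bar].each do |tag|
    puts format('%-18s default -> %-12s fixed -> %s', tag,
                route(DEFAULT_PATTERNS, tag).inspect, route(FIXED_PATTERNS, tag).inspect)
  end
end
```

The same matcher also explains the tdlog pattern: `td.mydb.mytable` is routed but `td.mydb` is not, because `*` never spans more than one tag part.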

fujimotos commented 5 years ago

Apparently this question has been multiposted. So I'll close this one.

https://github.com/fluent/fluent-plugin-windows-eventlog/issues/12