
[inputs.win_eventlog] Telegraf agent not collecting custom event logs #15326

Closed bloodmc closed 2 months ago

bloodmc commented 2 months ago

Relevant telegraf.conf

# # Input plugin to collect Windows Event Log messages
# # This plugin ONLY supports Windows

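  # Custom WEC channel: account-management events.
  # Every other input in this file sets an alias; this one did not, so Telegraf
  # logs it as a bare "[inputs.win_eventlog]" (see the --test output) and a
  # subscription failure cannot be attributed to a channel. The alias is only
  # a label and does not change what is collected.
  [[inputs.win_eventlog]]
  alias = "WEC-Account-Management"
  eventlog_name = "WEC-Account-Management"
  # Windows LCID used to render level/task/opcode text (1033 = en-US).
  locale = 1033
  # Subscribe only to events written after startup. NOTE(review): events
  # written while the collector is stopped are presumably not backfilled —
  # confirm against the plugin docs before relying on this channel for audit
  # coverage.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # "*" forwards every rendered field to the output; review what reaches Loki
  # before shipping this channel off-host.
  event_fields = ["*"]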

  # Custom WEC channel: application crash events.
  [[inputs.win_eventlog]]
  alias = "WEC-Application-Crashes"
  eventlog_name = "WEC-Application-Crashes"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: autorun / persistence-related events.
  [[inputs.win_eventlog]]
  alias = "WEC-Autoruns"
  eventlog_name = "WEC-Autoruns"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: authentication events.
  [[inputs.win_eventlog]]
  alias = "WEC-Authentication"
  eventlog_name = "WEC-Authentication"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read. NOTE(review):
  # a gap while the collector is down is presumably not backfilled — confirm
  # before relying on this for logon auditing.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: external / removable device events.
  [[inputs.win_eventlog]]
  alias = "WEC-External-Devices"
  eventlog_name = "WEC-External-Devices"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: Windows Firewall events.
  [[inputs.win_eventlog]]
  alias = "WEC-Windows-Firewall"
  eventlog_name = "WEC-Windows-Firewall"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: Group Policy processing errors.
  [[inputs.win_eventlog]]
  alias = "WEC-GPO-Errors"
  eventlog_name = "WEC-GPO-Errors"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: Security log clearing events.
  [[inputs.win_eventlog]]
  alias = "WEC-Log-Deletion-Security"
  eventlog_name = "WEC-Log-Deletion-Security"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read. NOTE(review):
  # a log-clear that happens while the collector is stopped is presumably not
  # backfilled — confirm, since this channel exists to catch tampering.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: System log clearing events.
  [[inputs.win_eventlog]]
  alias = "WEC-Log-Deletion-System"
  eventlog_name = "WEC-Log-Deletion-System"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read. NOTE(review):
  # a log-clear that happens while the collector is stopped is presumably not
  # backfilled — confirm, since this channel exists to catch tampering.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: MSI package install events.
  [[inputs.win_eventlog]]
  alias = "WEC-MSI-Packages"
  eventlog_name = "WEC-MSI-Packages"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: object access / manipulation events.
  [[inputs.win_eventlog]]
  alias = "WEC-Object-Manipulation"
  eventlog_name = "WEC-Object-Manipulation"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: PowerShell events.
  [[inputs.win_eventlog]]
  alias = "WEC-Powershell"
  eventlog_name = "WEC-Powershell"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field. NOTE(review): PowerShell events can carry
  # script text in their fields; review the Loki payload for secrets before
  # relying on "*".
  event_fields = ["*"]
  # Disabled: dropping the rendered Message would shrink each event while
  # keeping the structured fields. Verify the fields you need still arrive
  # before enabling.
  # exclude_fields = ["Message"]

  # Custom WEC channel: process execution events.
  [[inputs.win_eventlog]]
  alias = "WEC-Process-Execution"
  eventlog_name = "WEC-Process-Execution"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field. NOTE(review): if command-line auditing is
  # enabled, these fields may include credentials passed as arguments; review
  # what reaches Loki.
  event_fields = ["*"]

  # Custom WEC channel: service install / state-change events.
  [[inputs.win_eventlog]]
  alias = "WEC-Services"
  eventlog_name = "WEC-Services"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: Sysmon events.
  [[inputs.win_eventlog]]
  alias = "WEC-Sysmon"
  eventlog_name = "WEC-Sysmon"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: registry modification events.
  [[inputs.win_eventlog]]
  alias = "WEC-Registry"
  eventlog_name = "WEC-Registry"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: scheduled task events.
  [[inputs.win_eventlog]]
  alias = "WEC-Task-Scheduler"
  eventlog_name = "WEC-Task-Scheduler"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: Terminal Services / RDP session events.
  [[inputs.win_eventlog]]
  alias = "WEC-Terminal-Services"
  eventlog_name = "WEC-Terminal-Services"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

  # Custom WEC channel: Windows Update events.
  [[inputs.win_eventlog]]
  alias = "WEC-Windows-Updates"
  eventlog_name = "WEC-Windows-Updates"
  # LCID for rendering message text (1033 = en-US).
  locale = 1033
  # Only events written after the subscription starts are read.
  from_beginning = false
  process_eventdata = true
  process_userdata = true
  event_tags = [
    "Source", "EventID", "Level", "LevelText",
    "Task", "TaskText", "Opcode", "OpcodeText",
    "Keywords", "Channel", "Computer",
  ]
  # Forward every rendered field.
  event_fields = ["*"]

Logs from Telegraf

2024-05-08T18:29:17Z I! Starting Telegraf 1.31.0-6f575a2f brought to you by InfluxData the makers of InfluxDB
2024-05-08T18:29:17Z I! Available plugins: 234 inputs, 9 aggregators, 32 processors, 25 parsers, 60 outputs, 5 secret-stores
2024-05-08T18:29:17Z I! Loaded inputs: win_eventlog (19x)
2024-05-08T18:29:17Z I! Loaded aggregators: 
2024-05-08T18:29:17Z I! Loaded processors: 
2024-05-08T18:29:17Z I! Loaded secretstores: 
2024-05-08T18:29:17Z I! Loaded outputs: loki
2024-05-08T18:29:17Z I! Tags enabled: host=smevent
2024-05-08T18:29:17Z I! [agent] Config: Interval:20s, Quiet:false, Hostname:"smevent", Flush Interval:20s
2024-05-08T18:29:17Z D! [agent] Initializing plugins
2024-05-08T18:29:17Z D! [agent] Connecting outputs
2024-05-08T18:29:17Z D! [agent] Attempting connection to [outputs.loki]
2024-05-08T18:29:17Z D! [agent] Successfully connected to outputs.loki
2024-05-08T18:29:17Z D! [agent] Starting service inputs

System info

Telegraf 1.30.1 release (the logs above are from a 1.31.0-6f575a2f debug build), Windows Server 2022 Standard, pushing logs to Loki

Docker

Manual setup. (No docker used)

Steps to reproduce

  1. Start telegraf agent using above config.
  2. It hangs after startup and stops logging — there is no further Telegraf log output after "Starting service inputs".

Expected behavior

To collect the custom windows event channels without failing.

Actual behavior

The telegraf agent starts and gets into a bad state where it stops logging or collecting logs.

Additional info

Following https://github.com/palantir/windows-event-forwarding as a reference for setting up Windows Event Forwarding. One step in that guide is to create custom Windows event channels, because the default channels can be limiting depending on what you need to audit. I was able to configure all of the custom event channels as per the guide and everything logs to them correctly, but Telegraf fails to collect them. Using the debug build from another ticket, there are no relevant log lines to pinpoint the issue. If I attempt to stop the service after startup, it always gives the following error:

Windows could not stop the Telegraf Data Collector Service service on Local Computer
Error 1067: The process terminated unexpectedly
srebhan commented 2 months ago

@bloodmc could you please start Telegraf manually in a CMD window with telegraf.exe ... --test --debug to see what is going on?

bloodmc commented 2 months ago

@bloodmc could you please start Telegraf manually in a CMD window with telegraf.exe ... --test --debug to see what is going on?

Here you go

2024-05-08T19:01:31Z I! Starting Telegraf 1.31.0-6f575a2f brought to you by InfluxData the makers of InfluxDB
2024-05-08T19:01:31Z I! Available plugins: 234 inputs, 9 aggregators, 32 processors, 25 parsers, 60 outputs, 5 secret-stores
2024-05-08T19:01:31Z I! Loaded inputs: win_eventlog (19x)
2024-05-08T19:01:31Z I! Loaded aggregators: 
2024-05-08T19:01:31Z I! Loaded processors: 
2024-05-08T19:01:31Z I! Loaded secretstores: 
2024-05-08T19:01:31Z W! Outputs are not used in testing mode!
2024-05-08T19:01:31Z I! Tags enabled: host=smevent
2024-05-08T19:01:31Z D! [agent] Initializing plugins
2024-05-08T19:01:31Z D! [agent] Starting service inputs
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Application-Crashes: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Autoruns: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Authentication] Subscription handle id:20
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-External-Devices: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Windows-Firewall: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-GPO-Errors: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Log-Deletion-Security: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Log-Deletion-System: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-MSI-Packages: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Object-Manipulation: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Powershell] Subscription handle id:21
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Process-Execution] Subscription handle id:22
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Services] Subscription handle id:23
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Sysmon: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Registry: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Task-Scheduler: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Terminal-Services: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z E! [agent] Starting input inputs.win_eventlog::WEC-Windows-Updates: subscription of Windows Event Log failed: The specified channel could not be found.
2024-05-08T19:01:31Z D! [inputs.win_eventlog] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Process-Execution] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Process-Execution] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Process-Execution] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Updates] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-External-Devices] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-External-Devices] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-External-Devices] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Authentication] Gather: fetching events
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-External-Devices] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-External-Devices] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-GPO-Errors] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-GPO-Errors] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-GPO-Errors] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-MSI-Packages] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Powershell] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Services] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Services] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Sysmon] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Registry] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Terminal-Services] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Application-Crashes] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Autoruns] Gather: fetching events
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Process-Execution] Gather: done
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Updates] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Updates] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Authentication] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Authentication] Fetching event handles: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Windows-Firewall] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-GPO-Errors] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-GPO-Errors] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Authentication] Gather: done
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Log-Deletion-System] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Log-Deletion-System] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-MSI-Packages] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-MSI-Packages] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Powershell] Fetching events: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Object-Manipulation] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Object-Manipulation] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Powershell] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Sysmon] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Sysmon] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Registry] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Registry] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Terminal-Services] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Terminal-Services] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Application-Crashes] Fetching events: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog] Fetching event handles: start
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Autoruns] Fetching events: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Windows-Updates] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Windows-Firewall] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Fetching events: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-MSI-Packages] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-MSI-Packages] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Services] Fetching event handles: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Sysmon] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Sysmon] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Powershell] Gather: done
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Registry] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Registry] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Task-Scheduler] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Task-Scheduler] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Application-Crashes] Fetching event handles: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Terminal-Services] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Terminal-Services] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Autoruns] Fetching event handles: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Windows-Updates] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Fetching event handles: start
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Log-Deletion-Security] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Log-Deletion-Security] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Services] Gather: done
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Application-Crashes] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Application-Crashes] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Autoruns] Error getting events: The handle is invalid.
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Autoruns] Error in plugin: The handle is invalid.
2024-05-08T19:01:31Z D! [agent] Stopping service inputs
2024-05-08T19:01:31Z D! [inputs.win_eventlog] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Application-Crashes] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Application-Crashes] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Application-Crashes] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Autoruns] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Autoruns] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Autoruns] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Authentication] Closing subscription handles
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Authentication] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-External-Devices] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-External-Devices] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-External-Devices] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Windows-Firewall] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-GPO-Errors] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-GPO-Errors] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-GPO-Errors] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Log-Deletion-Security] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Log-Deletion-System] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-MSI-Packages] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-MSI-Packages] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-MSI-Packages] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Object-Manipulation] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Powershell] Closing subscription handles
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Powershell] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Process-Execution] Closing subscription handles
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Process-Execution] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Services] Closing subscription handles
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Services] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Sysmon] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Sysmon] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Sysmon] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Registry] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Registry] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Registry] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Task-Scheduler] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Terminal-Services] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Terminal-Services] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Terminal-Services] Close complete
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Updates] Closing subscription handles
2024-05-08T19:01:31Z E! [inputs.win_eventlog::WEC-Windows-Updates] Error closing subscription handle: The handle is invalid.
2024-05-08T19:01:31Z D! [inputs.win_eventlog::WEC-Windows-Updates] Close complete
2024-05-08T19:01:31Z D! [agent] Input channel closed
2024-05-08T19:01:31Z D! [agent] Stopped Successfully
2024-05-08T19:01:31Z E! [telegraf] Error running agent: input plugins recorded 45 errors

So my assumption was right: the plugin cannot find these custom event channels, even though they exist in Event Viewer. Here is a screenshot of one https://i.imgur.com/RH8V6Qc.png

Here is a screenshot showing the structure in Event Viewer https://i.imgur.com/2sEqy5G.png

bloodmc commented 2 months ago

Actually I thought I renamed the paths. Let me readjust where they are checking because I have everything under WEC-

bloodmc commented 2 months ago

Sorry about that. This was a mistake on my side: the `eventlog_name` values in telegraf.conf did not match the actual channel paths, and I thought I had already gone back and fixed them. I'll use --test --debug from now on. Thanks!

Here is the new log for reference

2024-05-08T19:16:17Z I! Starting Telegraf 1.31.0-6f575a2f brought to you by InfluxData the makers of InfluxDB
2024-05-08T19:16:17Z I! Available plugins: 234 inputs, 9 aggregators, 32 processors, 25 parsers, 60 outputs, 5 secret-stores
2024-05-08T19:16:17Z I! Loaded inputs: win_eventlog (19x)
2024-05-08T19:16:17Z I! Loaded aggregators: 
2024-05-08T19:16:17Z I! Loaded processors: 
2024-05-08T19:16:17Z I! Loaded secretstores: 
2024-05-08T19:16:17Z W! Outputs are not used in testing mode!
2024-05-08T19:16:17Z I! Tags enabled: host=smevent
2024-05-08T19:16:17Z D! [agent] Initializing plugins
2024-05-08T19:16:17Z D! [agent] Starting service inputs
2024-05-08T19:16:17Z D! [inputs.win_eventlog] Subscription handle id:20
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Application-Crashes] Subscription handle id:21
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Autoruns] Subscription handle id:22
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Authentication] Subscription handle id:23
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-External-Devices] Subscription handle id:24
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Subscription handle id:25
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-GPO-Errors] Subscription handle id:26
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Subscription handle id:27
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Subscription handle id:28
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-MSI-Packages] Subscription handle id:29
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Subscription handle id:30
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Powershell] Subscription handle id:31
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Process-Execution] Subscription handle id:32
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Services] Subscription handle id:33
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Sysmon] Subscription handle id:34
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Registry] Subscription handle id:35
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Subscription handle id:36
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Terminal-Services] Subscription handle id:37
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Updates] Subscription handle id:38
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Application-Crashes] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Authentication] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Authentication] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Authentication] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Autoruns] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Updates] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Updates] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Updates] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-External-Devices] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Process-Execution] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Process-Execution] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Process-Execution] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Updates] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-GPO-Errors] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-GPO-Errors] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Sysmon] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Registry] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Terminal-Services] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-MSI-Packages] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Application-Crashes] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Autoruns] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Authentication] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Powershell] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-External-Devices] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Powershell] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Powershell] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-External-Devices] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Powershell] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Process-Execution] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-GPO-Errors] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-External-Devices] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Sysmon] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Sysmon] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Registry] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Registry] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Registry] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Terminal-Services] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Terminal-Services] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-MSI-Packages] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-MSI-Packages] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Autoruns] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Application-Crashes] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Services] Gather: fetching events
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-GPO-Errors] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Sysmon] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Terminal-Services] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-MSI-Packages] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Autoruns] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Application-Crashes] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Services] Fetching events: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Services] Fetching event handles: start
2024-05-08T19:16:17Z D! [inputs.win_eventlog] Gather: done
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Services] Gather: done
2024-05-08T19:16:17Z D! [agent] Stopping service inputs
2024-05-08T19:16:17Z D! [inputs.win_eventlog] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Application-Crashes] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Application-Crashes] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Autoruns] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Autoruns] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Authentication] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Authentication] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-External-Devices] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-External-Devices] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-GPO-Errors] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-GPO-Errors] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-MSI-Packages] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-MSI-Packages] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Powershell] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Powershell] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Process-Execution] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Process-Execution] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Services] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Services] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Sysmon] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Sysmon] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Registry] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Registry] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Terminal-Services] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Terminal-Services] Close complete
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Updates] Closing subscription handles
2024-05-08T19:16:17Z D! [inputs.win_eventlog::WEC-Windows-Updates] Close complete
2024-05-08T19:16:17Z D! [agent] Input channel closed
2024-05-08T19:16:17Z D! [agent] Stopped Successfully
2024-05-08T19:16:50Z I! Starting Telegraf 1.31.0-6f575a2f brought to you by InfluxData the makers of InfluxDB
2024-05-08T19:16:50Z I! Available plugins: 234 inputs, 9 aggregators, 32 processors, 25 parsers, 60 outputs, 5 secret-stores
2024-05-08T19:16:50Z I! Loaded inputs: win_eventlog (19x)
2024-05-08T19:16:50Z I! Loaded aggregators: 
2024-05-08T19:16:50Z I! Loaded processors: 
2024-05-08T19:16:50Z I! Loaded secretstores: 
2024-05-08T19:16:50Z I! Loaded outputs: loki
2024-05-08T19:16:50Z I! Tags enabled: host=smevent
2024-05-08T19:16:50Z I! [agent] Config: Interval:20s, Quiet:false, Hostname:"smevent", Flush Interval:20s
2024-05-08T19:16:50Z D! [agent] Initializing plugins
2024-05-08T19:16:50Z D! [agent] Connecting outputs
2024-05-08T19:16:50Z D! [agent] Attempting connection to [outputs.loki]
2024-05-08T19:16:50Z D! [agent] Successfully connected to outputs.loki
2024-05-08T19:16:50Z D! [agent] Starting service inputs
2024-05-08T19:16:50Z D! [inputs.win_eventlog] Subscription handle id:20
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Application-Crashes] Subscription handle id:21
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Autoruns] Subscription handle id:22
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Authentication] Subscription handle id:23
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-External-Devices] Subscription handle id:24
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Windows-Firewall] Subscription handle id:25
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-GPO-Errors] Subscription handle id:26
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Log-Deletion-Security] Subscription handle id:27
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Log-Deletion-System] Subscription handle id:28
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-MSI-Packages] Subscription handle id:29
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Object-Manipulation] Subscription handle id:30
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Powershell] Subscription handle id:31
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Process-Execution] Subscription handle id:32
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Services] Subscription handle id:33
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Sysmon] Subscription handle id:34
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Registry] Subscription handle id:35
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Task-Scheduler] Subscription handle id:36
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Terminal-Services] Subscription handle id:37
2024-05-08T19:16:50Z D! [inputs.win_eventlog::WEC-Windows-Updates] Subscription handle id:38