newrelic / infrastructure-agent

New Relic Infrastructure Agent
https://docs.newrelic.com/docs/infrastructure/install-configure-manage-infrastructure
Apache License 2.0
139 stars, 130 forks

Forward winevtlog logs by Custom Views #1941

Open LLHogia opened 1 month ago

LLHogia commented 1 month ago

Description

All Windows Servers have a default Custom View in Event Viewer called "Administrative Events". This view is dynamically updated based on which features are enabled on the server.

For example, servers that have a Failover Cluster will have the below sections in the view (if you export it as XML and open it in an editor):

<Select Path="Microsoft-Windows-FailoverClustering-Manager/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>
<Select Path="Microsoft-Windows-FailoverClustering-WMIProvider/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>

But these paths will not appear on a server which doesn't have a Failover Cluster.

Acceptance Criteria

Make it possible to tail a Custom View, which could be used to tail the default view named "Administrative Events" or user-specific views, because at least the default view is already filtered on Critical, Error and Warning.

Describe Alternatives

Another solution would be to make it possible to add a list of channels and levels like this:

logs:
  - name: windows-administrative-events
    winevtlog:
      # List of all channels you want to collect logs from
      channels:
        - Application
        - Security
        - System
        - HardwareEvents
        - Microsoft-AppV-Client/Admin
        - Microsoft-AppV-Client/Virtual Applications
        - Microsoft-Windows-All-User-Install-Agent/Admin
        - Microsoft-Windows-AppHost/Admin
        - Microsoft-Windows-Application Server-Applications/Admin
        - Microsoft-Windows-AppModel-Runtime/Admin
        - Microsoft-Windows-User Device Registration/Admin
        - Microsoft-Windows-VerifyHardwareSecurity/Admin
        - Microsoft-Windows-Workplace Join/Admin
        - OpenSSH/Admin
        - Windows PowerShell
      # Set the severity levels (1, 2, 3)
      levels:
        - Critical
        - Error
        - Warning
    attributes:
      logtype: windows_administrative

Dependencies

Do any other teams or parts of the New Relic product need to be considered? No, not that I'm aware of; this will only affect the Infrastructure Agent for Windows.

Additional context

N/A

Estimates

M?

For Maintainers Only or Hero Triaging this bug

Suggested Priority (P1,P2,P3,P4,P5): P2
Suggested T-Shirt size (S, M, L, XL, Unknown): Unknown
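As an added worked example (not code from the infrastructure-agent project or from the issue author), the following PowerShell builds the same <QueryList>/<Select Path="..."> XML that Event Viewer exports for a Custom View from a channel list plus level names, as in the proposed config above, skips channels that are not registered on the host (the FailoverClustering case described in the issue), and polls the resulting query for new events. The function names, the $LevelMap table, the constructed $channels list and the polling scheme using per-channel EventRecordID high-water marks are this example's own choices, not anything the agent implements.

```powershell
# Added example, not code from newrelic/infrastructure-agent. Builds a Custom View style
# <QueryList> from channels + level names, drops channels missing on this host, and
# tails matching events by polling with per-channel EventRecordID high-water marks.

# Severity names from the proposed config mapped to the System/Level values that appear
# in an exported Custom View (Critical=1, Error=2, Warning=3). Assumed mapping table.
$LevelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }

function Get-ExistingChannels {
    # A query naming a channel that is not registered on this host (e.g. the
    # FailoverClustering/Admin channels on a server without that feature) fails as a
    # whole, so filter the list down to channels Get-WinEvent can actually see.
    param([string[]]$Channels)
    foreach ($c in $Channels) {
        if (Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue) { $c }
    }
}

function New-WinEventQueryXml {
    param(
        [string[]]$Channels,
        [string[]]$Levels = @('Critical', 'Error', 'Warning'),
        [hashtable]$LastRecordId = @{}   # channel -> highest EventRecordID already forwarded
    )
    # Same shape as the exported view: one <Select Path="channel"> per channel.
    $levelFilter = ($Levels | ForEach-Object { "Level=$($LevelMap[$_])" }) -join ' or '
    $selects = foreach ($c in $Channels) {
        $xpath = "*[System[($levelFilter)]]"
        if ($LastRecordId.ContainsKey($c)) {
            # Only events newer than the last one seen on this channel (RecordIDs are per channel).
            $xpath = "*[System[($levelFilter) and EventRecordID > $($LastRecordId[$c])]]"
        }
        $path = [System.Security.SecurityElement]::Escape($c)
        "    <Select Path=`"$path`">$xpath</Select>"
    }
@"
<QueryList>
  <Query Id="0">
$($selects -join "`n")
  </Query>
</QueryList>
"@
}

function Watch-WinEventChannels {
    param(
        [string[]]$Channels,
        [string[]]$Levels = @('Critical', 'Error', 'Warning'),
        [int]$IntervalSeconds = 10
    )
    $present = @(Get-ExistingChannels -Channels $Channels)
    $missing = $Channels | Where-Object { $_ -notin $present }
    if ($missing) { Write-Verbose "Skipping channels not present on this host: $($missing -join ', ')" }

    # Seed the high-water marks so the first poll forwards only events that arrive from now on.
    $high = @{}
    foreach ($c in $present) {
        $newest = Get-WinEvent -LogName $c -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($newest) { $high[$c] = $newest.RecordId }
    }

    while ($true) {
        $xml = New-WinEventQueryXml -Channels $present -Levels $Levels -LastRecordId $high
        # Get-WinEvent raises a non-terminating error when nothing matches; for a tail that
        # is the normal idle case, so silence it and treat "no events" as an empty batch.
        $events = @(Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue)
        foreach ($e in ($events | Sort-Object TimeCreated)) {
            # One JSON line per event, with the logtype attribute from the proposed config.
            [pscustomobject]@{
                timestamp = $e.TimeCreated.ToUniversalTime().ToString('o')
                channel   = $e.LogName
                level     = $e.LevelDisplayName
                eventId   = $e.Id
                provider  = $e.ProviderName
                message   = $e.Message
                logtype   = 'windows_administrative'
            } | ConvertTo-Json -Compress
            if (-not $high.ContainsKey($e.LogName) -or $e.RecordId -gt $high[$e.LogName]) {
                $high[$e.LogName] = $e.RecordId
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Usage with a constructed channel list (a subset of the proposed config plus one channel
# that only exists on a cluster node, to exercise the skip logic):
$channels = 'Application', 'System', 'Windows PowerShell',
            'Microsoft-Windows-FailoverClustering-Manager/Admin'
New-WinEventQueryXml -Channels (Get-ExistingChannels -Channels $channels)   # compare with the exported view
Watch-WinEventChannels -Channels $channels -IntervalSeconds 10 -Verbose
```

Run it from an elevated prompt if the Security channel is in the list, since that channel is not readable by a standard user and a single unreadable channel makes the combined -FilterXml query fail rather than return partial results. Tracking EventRecordID per channel rather than a time window avoids both double-forwarding and gaps when a poll runs late; an exported Custom View XML can be passed straight to Get-WinEvent -FilterXml the same way, but it carries no record-ID cursor, which is exactly the bookkeeping an agent-side tail would have to add.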

workato-integration[bot] commented 1 month ago

https://new-relic.atlassian.net/browse/NR-331997