Replies: 1 comment 2 replies
-
|
And honestly, it's not just process information, but much more than that as well: process names, process PIDs, usernames, accounts and domains, most of the other tools I'm seeing parse this information out. With winevtlog I can see these values in the |
Beta Was this translation helpful? Give feedback.
-
|
@cosmo0920 likely knows the best but I suspect the data is not parsed at the moment - now you can add a parser yeah as a filter/processor for the input to do it. I'm not sure if this input is so wildly varied across Windows versions, etc. that it did not make sense at the time to have them parsed out (plus everyone would want something slightly different). |
Beta Was this translation helpful? Give feedback.
-
|
Yup, in winevtlog plugin, the message field is already interpolated by string inserts variables. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I'm comparing output from fluent bit's winevtlog input to similar tools such as Winlogbeat and evtx.
With these other tools, process information about an executable (e.g.,
C:\Program Files\Google\Chrome\Application\chrome.exe) or command line (e.g.,C:\Windows\System32\RuntimeBroker.exe -Embedding) are available in specific fields for these values. With fluent bit's winevtlog, I can sometimes see executable names in the stringinserts, but this is much less convenient than filtering directly on a field intended for this purpose.Is there a way to get this sort of process information in the output of fluent bit's windows event log input? Or do I have to do post-processing of StringInserts and look for strings ending in
.exeor something like that to get the same effect?Beta Was this translation helpful? Give feedback.
All reactions