Comments (3)
I reproduced your issue and found a workaround for this case:

```yaml
pipeline:
  inputs:
    - name: winevtlog
      tag: some-tag
      alias: Windows alias
      channels: application
      interval_sec: 5
      read_existing_events: true
      db: .\checkpoint.db
      render_event_as_xml: true
      read_limit_per_cycle: 2m
      # the query is parsed as XML, so the comparison operators are written as &gt; / &lt;
      event_query: |
        <QueryList>
          <Query Id="0" Path="Application">
            <Select Path="Application">*[System[TimeCreated[@SystemTime&gt;='2024-04-22T07:30:22.000Z' and @SystemTime&lt;='2024-04-22T09:30:22.999Z']]]</Select>
          </Query>
        </QueryList>
    - name: winevtlog
      tag: some-tag
      alias: Windows alias
      channels: security
      interval_sec: 5
      read_existing_events: true
      db: .\checkpoint.db
      render_event_as_xml: true
      read_limit_per_cycle: 2m
      event_query: |
        <QueryList>
          <Query Id="0" Path="Security">
            <Select Path="Security">*[System[TimeCreated[@SystemTime&gt;='2024-04-22T07:30:22.000Z' and @SystemTime&lt;='2024-04-22T09:30:22.999Z']]]</Select>
          </Query>
        </QueryList>
    - name: winevtlog
      tag: some-tag
      alias: Windows alias
      channels: system
      interval_sec: 5
      read_existing_events: true
      db: .\checkpoint.db
      render_event_as_xml: true
      read_limit_per_cycle: 2m
      event_query: |
        <QueryList>
          <Query Id="0" Path="System">
            <Select Path="System">*[System[TimeCreated[@SystemTime&gt;='2024-04-22T07:30:22.000Z' and @SystemTime&lt;='2024-04-22T09:30:22.999Z']]]</Select>
          </Query>
        </QueryList>
```

For now, the event_query needs to be defined per channel. This is because the bookmark forcibly restores the information about which channels need to be subscribed. This shouldn't be the expected behavior. So, defining them one by one in this style shouldn't mix up the conditions that filter and collect Windows Event Logs.
from fluent-bit.
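As an added example (not Fluent Bit code and not the commenter's), the following Python script generalizes the workaround above: it renders one winevtlog input stanza per channel for any channel list and UTC time window, and sanity-checks every QueryList before it is written out, so that a cloned stanza cannot keep a stale Path from another channel and a query with an unescaped `<` is rejected instead of being handed to the Event Log API. The channel names, tag, db path and time window are assumed placeholders; the `alias`, `tag` and `db` values it emits are only illustrative defaults.

```python
"""Render and check per-channel Fluent Bit winevtlog inputs (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Constructed sample window (same UTC window as the thread's config).
WINDOW_START = datetime(2024, 4, 22, 7, 30, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 4, 22, 9, 30, 22, 999000, tzinfo=timezone.utc)


def system_time(ts: datetime) -> str:
    """Format a tz-aware datetime as the UTC SystemTime string used in event queries."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be tz-aware; SystemTime is UTC")
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def build_query(channel: str, start: datetime, end: datetime) -> str:
    """Return a QueryList selecting events from `channel` created in [start, end].

    The query is parsed as XML, so '<' and '>' in the XPath are escaped; a raw '<'
    in element text is not well-formed.
    """
    if end <= start:
        raise ValueError("end must be after start")
    xpath = (
        f"*[System[TimeCreated[@SystemTime>='{system_time(start)}' "
        f"and @SystemTime<='{system_time(end)}']]]"
    )
    return (
        "<QueryList>\n"
        f'  <Query Id="0" Path="{channel}">\n'
        f'    <Select Path="{channel}">{escape(xpath)}</Select>\n'
        "  </Query>\n"
        "</QueryList>"
    )


def check_query(channel: str, query: str) -> list[str]:
    """Return a list of problems with `query` for `channel`; empty means OK."""
    try:
        root = ET.fromstring(query)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); escape < and > as &lt; and &gt;"]
    problems: list[str] = []
    if root.tag != "QueryList":
        problems.append(f"root element is {root.tag!r}, expected QueryList")
    if root.find(".//Select") is None:
        problems.append("no Select element")
    for q in root.iter("Query"):
        # Select Path overrides Query Path, so a stale Query Path still runs, but it is
        # the copy-paste slip to look for when stanzas are cloned per channel.
        qpath = q.get("Path")
        if qpath is not None and qpath.lower() != channel.lower():
            problems.append(f"Query Path={qpath!r} differs from channel {channel!r}")
        for sel in q.iter("Select"):
            spath = sel.get("Path", qpath)  # Windows channel names are case-insensitive
            if spath is None or spath.lower() != channel.lower():
                problems.append(f"Select Path={spath!r} differs from channel {channel!r}")
    return problems


def render_input(channel: str, query: str, tag: str = "winevt",
                 db: str = r".\checkpoint.db") -> str:
    """Render one winevtlog input stanza as it sits under pipeline.inputs."""
    body = "\n".join("        " + line for line in query.splitlines())
    return (
        "    - name: winevtlog\n"
        f"      tag: {tag}\n"
        f"      alias: winevtlog_{channel.lower()}\n"
        f"      channels: {channel}\n"
        "      interval_sec: 5\n"
        "      read_existing_events: true\n"
        f"      db: {db}\n"
        "      render_event_as_xml: true\n"
        "      read_limit_per_cycle: 2m\n"
        "      event_query: |\n"
        f"{body}\n"
    )


def render_pipeline(channels, start: datetime, end: datetime, **kw) -> str:
    """Build the full pipeline section; refuse to emit any stanza that fails check_query."""
    stanzas = []
    for ch in channels:
        q = build_query(ch, start, end)
        problems = check_query(ch, q)
        if problems:
            raise ValueError(f"{ch}: " + "; ".join(problems))
        stanzas.append(render_input(ch, q, **kw))
    return "pipeline:\n  inputs:\n" + "".join(stanzas)


if __name__ == "__main__":
    print(render_pipeline(["Application", "Security", "System"], WINDOW_START, WINDOW_END))
```

The output is the YAML `pipeline:` section to paste into the Fluent Bit configuration; `check_query` can also be pointed at a hand-written stanza's `event_query` before it is deployed.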
If the channels are accepting multiple inputs, Fluent Bit should ideally have a stanza with a query per channel in the configuration file. Is that the correct understanding?

The above workaround might work, but users who are already using this would already be facing this issue. Should this workaround be documented until it is fixed?
> If the channels are accepting multiple inputs, Fluent Bit should ideally have a stanza with a query per channel in the configuration file. Is that the correct understanding?

Ideally, that's correct. However, Fluent Bit does not have that capability for now.

> The above workaround might work, but users who are already using this would already be facing this issue. Should this workaround be documented until it is fixed?

TBH, I have never heard of anyone struggling with this, because a QueryList in XML representation is hard to put into Fluent Bit configurations. Most users presumably use simpler configurations than yours.