Forward winevtlog logs by Custom Views #1941

Open
LLHogia opened this issue Oct 24, 2024 · 1 comment
Labels
feature request Categorizes issue or PR as related to a new feature or enhancement.

Comments

LLHogia commented Oct 24, 2024

Description

All Windows Servers have a default Custom View in Event Viewer called "Administrative Events". This view is dynamically updated based on which features are enabled on the server.

For example, servers that have a Failover Cluster will have the below sections in the view (if you export it as XML and open it in an editor):

<Select Path="Microsoft-Windows-FailoverClustering-Manager/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>
<Select Path="Microsoft-Windows-FailoverClustering-WMIProvider/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>

But these paths will not appear on a server which doesn't have a Failover Cluster.

Acceptance Criteria

Make it possible to tail a Custom View which could be used to tail the default view named "Administrative Events" or user specific views. Because at least the default view is already filtered on Critical, Error and Warning.

Describe Alternatives

Another solution would be to make it possible to add a list of channels and levels like this:

logs:
  - name: windows-administrative-events
    winevtlog:
      # List of all channels you want to collect logs from
      channels:
        - Application
        - Security
        - System
        - HardwareEvents
        - Microsoft-AppV-Client/Admin
        - Microsoft-AppV-Client/Virtual Applications
        - Microsoft-Windows-All-User-Install-Agent/Admin
        - Microsoft-Windows-AppHost/Admin
        - Microsoft-Windows-Application Server-Applications/Admin
        - Microsoft-Windows-AppModel-Runtime/Admin
        - Microsoft-Windows-User Device Registration/Admin
        - Microsoft-Windows-VerifyHardwareSecurity/Admin
        - Microsoft-Windows-Workplace Join/Admin
        - OpenSSH/Admin
        - Windows PowerShell
      # Set the severity levels (1, 2, 3)
      levels:
        - Critical
        - Error
        - Warning
    attributes:
      logtype: windows_administrative

Dependencies

Do any other teams or parts of the New Relic product need to be considered?
No, not that I'm aware of; this will only affect the Infrastructure Agent for Windows.

Additional context

N/A

Estimates

M?

For Maintainers Only or Hero Triaging this bug

Suggested Priority (P1,P2,P3,P4,P5): P2
Suggested T-Shirt size (S, M, L, XL, Unknown): Unknown
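
The issue describes the same log set in two shapes: the Custom View XML that Event Viewer exports (a QueryList of `<Select Path="...">` entries whose XPath filters on `System[Level=N]`) and the flat channels/levels config proposed as an alternative. The example below is added here and is not code from the New Relic infrastructure agent or from the issue author; it parses an exported view and emits the proposed config shape, so a maintainer or operator can see exactly what the view contains and what a flat channels/levels list would lose. The `SAMPLE_VIEW_XML` document is constructed (it reuses the two FailoverClustering lines quoted above inside a typical `ViewerConfig` wrapper, plus a `<Suppress>` clause to show a case the flat config cannot express), and the function names `parse_custom_view` and `render_config` are hypothetical. The level numbers 1 through 5 are the standard Windows event levels (Critical, Error, Warning, Information, Verbose).

```python
"""Map an Event Viewer Custom View export to the channels/levels shape
proposed in this issue. Added example, not part of the agent's code."""
import re
import xml.etree.ElementTree as ET

# Standard Windows event levels as they appear in System[Level=N] filters.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning",
               4: "Information", 5: "Verbose"}

# Constructed sample: the shape Event Viewer uses when a Custom View is
# exported (ViewerConfig > QueryConfig > QueryNode > QueryList). The two
# FailoverClustering lines are the ones quoted in the issue; the Suppress
# clause is added to show a filter that a flat channel list cannot carry.
SAMPLE_VIEW_XML = """<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery/></QueryParams>
    <QueryNode>
      <Name>Administrative Events</Name>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
          <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
          <Select Path="Microsoft-Windows-FailoverClustering-Manager/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>
          <Select Path="Microsoft-Windows-FailoverClustering-WMIProvider/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>
          <Suppress Path="Application">*[System[EventID=1000]]</Suppress>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>"""

LEVEL_RE = re.compile(r"Level\s*=\s*(\d+)")


def parse_custom_view(xml_text):
    """Return (channels, level_names, unmapped) from a Custom View export.

    channels:    unique <Select Path=...> values, in document order
    level_names: names of every Level=N seen in the Select filters
    unmapped:    clauses the flat channels/levels config cannot express:
                 every <Suppress>, and any <Select> whose XPath filters on
                 something other than Level (EventID, Provider, ...)
    """
    root = ET.fromstring(xml_text)
    channels, levels, unmapped = [], set(), []
    for sel in root.iter("Select"):
        path = sel.get("Path")
        if path and path not in channels:
            channels.append(path)
        xpath = (sel.text or "").strip()
        levels.update(int(n) for n in LEVEL_RE.findall(xpath))
        # Anything left with a comparison after removing the Level terms is
        # a condition the proposed channels/levels config would silently drop.
        rest = LEVEL_RE.sub("", xpath)
        if "=" in rest or "@" in rest:
            unmapped.append(("Select", path, xpath))
    for sup in root.iter("Suppress"):
        unmapped.append(("Suppress", sup.get("Path"),
                         (sup.text or "").strip()))
    level_names = [LEVEL_NAMES.get(n, str(n)) for n in sorted(levels)]
    return channels, level_names, unmapped


def render_config(name, channels, level_names, logtype):
    """Render the channels/levels config shape proposed in the issue."""
    lines = ["logs:", f"  - name: {name}", "    winevtlog:",
             "      # List of all channels you want to collect logs from",
             "      channels:"]
    lines += [f"        - {c}" for c in channels]
    lines += ["      # Set the severity levels (1, 2, 3)", "      levels:"]
    lines += [f"        - {lvl}" for lvl in level_names]
    lines += ["    attributes:", f"      logtype: {logtype}"]
    return "\n".join(lines)


if __name__ == "__main__":
    chans, lvls, lost = parse_custom_view(SAMPLE_VIEW_XML)
    print(render_config("windows-administrative-events", chans, lvls,
                        "windows_administrative"))
    for kind, path, xpath in lost:
        print(f"# not representable as channels/levels: {kind} {path}: {xpath}")
```

Run against a real export (Event Viewer, right-click the view, "Export Custom View..."), the `unmapped` list is the part worth reading: a view can carry `<Suppress>` clauses and per-channel filters on EventID or Provider, and neither survives a flat channels/levels config, which is the argument for tailing the view itself rather than flattening it.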

@LLHogia LLHogia added the feature request Categorizes issue or PR as related to a new feature or enhancement. label Oct 24, 2024