Forward winevtlog logs by Custom Views #1941

Open
@LLHogia

Description

All Windows Servers have a default Custom View in Event Viewer called "Administrative Events". This view is dynamically updated based on which features are enabled on the server.

For example, servers that have a Failover Cluster will have the sections below in the view (if you export it as XML and open it in an editor):

<Select Path="Microsoft-Windows-FailoverClustering-Manager/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>
<Select Path="Microsoft-Windows-FailoverClustering-WMIProvider/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>

But these paths will not appear on a server which doesn't have a Failover Cluster.

Acceptance Criteria

Make it possible to tail a Custom View, which could be used to tail the default view named "Administrative Events" or user-specific views, because at least the default view is already filtered on Critical, Error and Warning.

Describe Alternatives

Another solution would be to make it possible to add a list of channels and levels like this:

logs:
  - name: windows-administrative-events
    winevtlog:
      # List of all channels you want to collect logs from
      channels:
        - Application
        - Security
        - System
        - HardwareEvents
        - Microsoft-AppV-Client/Admin
        - Microsoft-AppV-Client/Virtual Applications
        - Microsoft-Windows-All-User-Install-Agent/Admin
        - Microsoft-Windows-AppHost/Admin
        - Microsoft-Windows-Application Server-Applications/Admin
        - Microsoft-Windows-AppModel-Runtime/Admin
        - Microsoft-Windows-User Device Registration/Admin
        - Microsoft-Windows-VerifyHardwareSecurity/Admin
        - Microsoft-Windows-Workplace Join/Admin
        - OpenSSH/Admin
        - Windows PowerShell
      # Set the severity levels (1, 2, 3)
      levels:
        - Critical
        - Error
        - Warning
    attributes:
      logtype: windows_administrative
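To show how the two proposals relate, here is an added example (not code from this issue or from the Infrastructure Agent) that reads the `<Select Path="...">` entries and `Level=` filters of an exported Custom View and produces the proposed `channels`/`levels` block. The XML below is a constructed sample in the shape of an Event Viewer export, and the config keys follow the alternative layout proposed above.

```python
import re
import xml.etree.ElementTree as ET

# Windows event levels as used in the System/Level field of an event.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Constructed sample resembling an Event Viewer Custom View export (not a real export).
SAMPLE_VIEW_XML = """<ViewerConfig><QueryConfig><QueryParams><UserQuery/></QueryParams>
<QueryNode><Name>Administrative Events</Name>
<QueryList><Query Id="0">
  <Select Path="Application">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
  <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
  <Select Path="Microsoft-Windows-FailoverClustering-Manager/Admin">*[System[Level=1  or Level=2 or Level=3]]</Select>
</Query></QueryList></QueryNode></QueryConfig></ViewerConfig>"""


def custom_view_to_logs_config(view_xml: str, name: str, logtype: str) -> dict:
    """Collect every Select path (channel) and every Level number referenced in
    the view's XPath filters, and map them onto the proposed config layout."""
    root = ET.fromstring(view_xml)
    channels, levels = [], set()
    for select in root.iter("Select"):
        path = select.get("Path")
        if path and path not in channels:  # keep order, drop duplicates
            channels.append(path)
        for lvl in re.findall(r"Level\s*=\s*(\d+)", select.text or ""):
            levels.add(int(lvl))
    level_names = [LEVEL_NAMES[n] for n in sorted(levels) if n in LEVEL_NAMES]
    return {"logs": [{"name": name,
                      "winevtlog": {"channels": channels, "levels": level_names},
                      "attributes": {"logtype": logtype}}]}


def render_yaml(cfg: dict) -> str:
    """Render the single-log config as YAML in the shape proposed in the issue."""
    log = cfg["logs"][0]
    out = ["logs:", f"  - name: {log['name']}", "    winevtlog:", "      channels:"]
    out += [f"        - {c}" for c in log["winevtlog"]["channels"]]
    out.append("      levels:")
    out += [f"        - {lvl}" for lvl in log["winevtlog"]["levels"]]
    out += ["    attributes:", f"      logtype: {log['attributes']['logtype']}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_yaml(custom_view_to_logs_config(
        SAMPLE_VIEW_XML, "windows-administrative-events", "windows_administrative")))
```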

Dependencies

Do any other teams or parts of the New Relic product need to be considered?
No, not that I'm aware of; this will only affect the Infrastructure Agent for Windows.

Additional context

N/A

Estimates

M?

For Maintainers Only or Hero Triaging this bug

Suggested Priority (P1,P2,P3,P4,P5): P2
Suggested T-Shirt size (S, M, L, XL, Unknown): Unknown

Labels: feature request