[receiver/windowseventlog] Add SID resolution feature#45878
atoulme merged 28 commits into open-telemetry:main
Conversation
Welcome, contributor! Thank you for your contribution to opentelemetry-collector-contrib. Important reminders:
A maintainer will review your pull request soon. Thank you for helping make OpenTelemetry better!
@postnati, fyi - I can only start reviewing on Monday
3c8a4b3 to 4976faf
/workflow-approve
4976faf to 4c6f3d7
Rebased onto contrib upstream/main. Fixed lint issues with Windows-only code used by cache_windows.go, and removed the dead lookupSID stub from cache_other.go. @pjanotti Is there anything else that needs to be done to get this merged?
Sorry @postnati somehow I missed the changes after my round of comments, looking...
Implements core SID resolution caching with:
- LRU cache with configurable size and TTL
- Windows LSA API integration via LsaLookupSids2
- Well-known SID static map (S-1-5-18, BUILTIN groups, etc.)
- Thread-safe cache with atomic statistics
- Platform-specific builds (Windows vs other)
The cache provides fast local SID-to-username resolution without requiring remote LDAP/AD queries.
Part of PIPE-563: SID resolution for Windows Event Log Receiver
Tests cover:
- Cache creation with various configurations
- Well-known SID resolution (S-1-5-18, BUILTIN groups, etc.)
- Invalid SID format handling
- SID field name detection
- Cache statistics tracking
- Cache lifecycle (close/cleanup)
- SID format validation
All tests pass on macOS (using well-known SIDs only). Windows-specific LSA API tests will be validated on Windows platform.
Part of PIPE-563: SID resolution for Windows Event Log Receiver
Adds configuration options for SID-to-username resolution:
- enabled: Enable/disable SID resolution (default: false)
- cache_size: Maximum cached SIDs (default: 10000)
- cache_ttl: Cache entry lifetime (default: 15m)
Configuration example:
```yaml
receivers:
  windowseventlog:
    channel: Security
    resolve_sids:
      enabled: true
      cache_size: 50000
      cache_ttl: 30m
```
Part of PIPE-563: SID resolution for Windows Event Log Receiver
Adds complete SID-to-username resolution with log enrichment:
**Consumer Wrapper (`sid_enrichment_windows.go`):**
- Intercepts logs from Stanza adapter
- Enriches security.user_id field with resolved SID data
- Enriches all SID fields in event_data (SubjectUserSid, TargetUserSid, etc.)
- Adds companion fields: *_Resolved, *_Domain, *_Account, *_Type
- Handles both array and flat event_data formats
- Graceful error handling with debug logging
**Factory Integration (`receiver_windows.go`):**
- Creates SID cache when resolve_sids.enabled = true
- Wraps consumer with SID enrichment before Stanza adapter
- Cache lifecycle managed by receiver (created at startup)
- Logs cache configuration on initialization
**Cross-Platform Support (`sid_enrichment_other.go`):**
- Stub for macOS/Linux (compiles but no-op)
- Allows development on non-Windows platforms
Example enriched output:
```json
{
  "event_data": {
    "data": [
      {"SubjectUserSid": "S-1-5-18"},
      {"SubjectUserSid_Resolved": "NT AUTHORITY\\SYSTEM"},
      {"SubjectUserSid_Domain": "NT AUTHORITY"},
      {"SubjectUserSid_Account": "SYSTEM"},
      {"SubjectUserSid_Type": "WellKnownGroup"}
    ]
  }
}
```
Part of PIPE-563: SID resolution for Windows Event Log Receiver
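Added example (not code from the PR or the receiver): a compact Go sketch of the enrichment described in the two commits above, with SID field detection, a constructed two-entry table standing in for the static well-known-SID map and the LSA lookup, and handling of both the flat and the array `event_data` shapes. It merges the companion fields into each array element, whereas the PR's sample output appends them as separate one-key elements.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed subset of the PR's static well-known-SID map (assumption): domain, account, type.
var wellKnownSIDs = map[string][3]string{
	"S-1-5-18":     {"NT AUTHORITY", "SYSTEM", "WellKnownGroup"},
	"S-1-5-32-544": {"BUILTIN", "Administrators", "Alias"},
}
// Textual SID syntax; on Windows the PR sends SIDs outside the static map to LsaLookupSids2.
var sidPattern = regexp.MustCompile(`^S-1-\d+(-\d+)*$`)

// isSIDField mirrors the PR's detection: key ends in "Sid" and the value parses as a SID.
func isSIDField(key string, val any) bool {
	s, ok := val.(string)
	return ok && strings.HasSuffix(key, "Sid") && sidPattern.MatchString(s)
}

// enrichFlat adds the PR's four companion fields for each resolvable SID field; other fields pass through.
func enrichFlat(m map[string]any) map[string]any {
	out := make(map[string]any, len(m)*5)
	for k, v := range m {
		out[k] = v
		s, _ := v.(string)
		if r, ok := wellKnownSIDs[s]; ok && isSIDField(k, v) {
			out[k+"_Resolved"], out[k+"_Domain"] = r[0]+`\`+r[1], r[0]
			out[k+"_Account"], out[k+"_Type"] = r[1], r[2]
		}
	}
	return out
}

// enrichEventData handles both shapes the PR mentions: flat keys and a "data" array of per-field objects.
func enrichEventData(ed map[string]any) map[string]any {
	out := enrichFlat(ed)
	if arr, ok := ed["data"].([]any); ok {
		data := make([]any, 0, len(arr))
		for _, el := range arr {
			if m, ok := el.(map[string]any); ok {
				el = enrichFlat(m)
			}
			data = append(data, el)
		}
		out["data"] = data
	}
	return out
}
```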
Fixes compilation error where raw values were passed to Logger.Info instead of using zap.Int() and zap.Duration() field constructors. Part of PIPE-563: SID resolution for Windows Event Log Receiver
…ry documentation
- Add testdata directory with test configurations from upstream OTel contrib
- Remove temporary SID resolution documentation files
…ntribution
Update copyright headers from observIQ to OpenTelemetry Authors with SPDX license identifiers, and migrate import paths from bindplane-otel-collector to opentelemetry-collector-contrib. Also update documentation and configuration examples to reflect the new build process and binary names.
Changes:
- Replace observIQ copyright with OpenTelemetry Authors copyright and SPDX-License-Identifier
- Update import paths from github.com/observiq/bindplane-otel-collector to github.com/open-telemetry/opentelemetry-collector-contrib
- Fix linter issues: use errors.New instead of fmt.Errorf, fix unused receiver warning, add nolint directive for non-Windows stub
- Update testdata documentation with correct build commands and binary names
- Update collector configuration examples with new binary names
Add changelog entry for the Windows Event Log Receiver SID resolution enhancement per OpenTelemetry contribution guidelines.
Links changelog entry to upstream issue for SID resolution feature.
Assisted-by: Claude Opus 4.6
…ent concurrency safety
Assisted-by: Claude Opus 4.6
1d59418 to 853e03c
…go.mod to add back in golang-lru
Thank you for your contribution @postnati! 🎉 We would like to hear from you about your experience contributing to OpenTelemetry by taking a few minutes to fill out this survey. If you are getting started contributing, you can also join the CNCF Slack channel #opentelemetry-new-contributors to ask for guidance and get help.
…#45878)
#### Description
Adds automatic Security Identifier (SID) resolution to the Windows Event Log Receiver. This enhancement resolves Windows SIDs to human-readable user and group names using the Windows LSA API, making Windows event logs significantly more usable for security operations.
#### Link to tracking issue
Fixes open-telemetry#45875
#### Testing
Comprehensive unit tests added covering:
- Cache operations (Get, Set, Close)
- Well-known SID resolution (45+ built-in mappings)
- Invalid SID handling
- SID field detection logic
- End-to-end enrichment scenarios
- Platform-specific builds (Windows/non-Windows)
#### Documentation
Added comprehensive documentation to README.md, including:
- Complete configuration options and defaults
- Before/after examples with real SID resolution
- Performance characteristics and benchmarks
- Troubleshooting guide
- Well-known SIDs reference
- Configuration example files in testdata/
**Documentation Files:**
- `receiver/windowseventlogreceiver/README.md` - Updated with SID information
- `receiver/windowseventlogreceiver/testdata/README.md` - Complete setup guide
- `receiver/windowseventlogreceiver/testdata/collector-config-example.yaml` - Example config
Description
Adds automatic Security Identifier (SID) resolution to the Windows Event Log Receiver. This enhancement resolves Windows SIDs to human-readable user and group names using the Windows LSA API, making Windows event logs significantly more usable for security operations.
Link to tracking issue
Fixes #45875
Testing
Comprehensive unit tests added covering:
- Cache operations (Get, Set, Close)
- Well-known SID resolution (45+ built-in mappings)
- Invalid SID handling
- SID field detection logic
- End-to-end enrichment scenarios
- Platform-specific builds (Windows/non-Windows)
Documentation
Added comprehensive documentation to README.md, including:
- Complete configuration options and defaults
- Before/after examples with real SID resolution
- Performance characteristics and benchmarks
- Troubleshooting guide
- Well-known SIDs reference
- Configuration example files in testdata/
Documentation Files:
- `receiver/windowseventlogreceiver/README.md` - Updated with SID information
- `receiver/windowseventlogreceiver/testdata/README.md` - Complete setup guide
- `receiver/windowseventlogreceiver/testdata/collector-config-example.yaml` - Example config