[receiver/windowseventlog] Add SID resolution feature (open-telemetry#45878)

#### Description
Adds automatic Security Identifier (SID) resolution to the Windows Event
Log Receiver. This enhancement resolves Windows SIDs to human-readable
user and group names using the Windows LSA API, making Windows event
logs significantly more usable for security operations.

#### Link to tracking issue
Fixes open-telemetry#45875

#### Testing
 Comprehensive unit tests added covering:
  - Cache operations (Get, Set, Close)
  - Well-known SID resolution (45+ built-in mappings)
  - Invalid SID handling
  - SID field detection logic
  - End-to-end enrichment scenarios
  - Platform-specific builds (Windows/non-Windows)

#### Documentation
Added comprehensive documentation to README.md, including:
  - Complete configuration options and defaults
  - Before/after examples with real SID resolution
  - Performance characteristics and benchmarks
  - Troubleshooting guide
  - Well-known SIDs reference
  - Configuration example files in testdata/
 
 **Documentation Files:**
- `receiver/windowseventlogreceiver/README.md` - Updated with SID
information
- `receiver/windowseventlogreceiver/testdata/README.md` - Complete setup
guide
-
`receiver/windowseventlogreceiver/testdata/collector-config-example.yaml`
- Example config

Author: postnati

.chloggen/windowseventlog-sid-resolution.yaml

@@ -0,0 +1,30 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog)
+component: receiver/windowseventlog
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add SID resolution feature to automatically resolve Windows Security Identifiers to user and group names
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [45875]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Added new `resolve_sids` configuration option with configurable cache size and TTL.
+  When enabled, Windows Security Identifiers (SIDs) in event logs are automatically resolved to human-readable names using the Windows LSA API.
+  Includes support for well-known SIDs, domain users and groups, and high-performance LRU caching for improved throughput.
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]

receiver/windowseventlogreceiver/README.md

@@ -40,6 +40,10 @@ Tails and parses logs from windows event log API using the [opentelemetry-log-co
 | `retry_on_failure.max_elapsed_time` | `5 minutes`  | Maximum amount of time (including retries) spent trying to send a logs batch to a downstream consumer. Once this value is reached, the data is discarded. Retrying never stops if set to `0`.                                                  |
 | `remote`                              | object       | Remote configuration for connecting to a remote machine to collect logs. Includes server (the address of the remote server), with username, password, and optional domain.                                                    |
 | `query`                             | none         | XML query used for filtering events. See [Query Schema](https://learn.microsoft.com/en-us/windows/win32/wes/queryschema-schema)                                                                                                                |
+| `resolve_sids`                      | object       | Configuration for resolving Windows Security Identifiers (SIDs) to user/group names. See [SID Resolution](#sid-resolution) section below.                                                                                     |
+| `resolve_sids.enabled`              | `false`      | If `true`, automatically resolves SIDs to user and group names in Windows event logs.                                                                                                                                          |
+| `resolve_sids.cache_size`           | `10000`      | Maximum number of SID-to-name mappings to cache in memory. Older entries are evicted using LRU policy.                                                                                                                         |
+| `resolve_sids.cache_ttl`            | `15m`        | Time-to-live for cached SID mappings. After this duration, SIDs will be re-resolved from the Windows LSA API.                                                                                                                  |
 
 ### Operators
 
@@ -134,3 +138,109 @@ receivers:
         </Query>
       </QueryList>
 ```
+
+#### SID Resolution
+
+Windows Event Logs often contain Security Identifiers (SIDs) instead of readable user or group names. The SID resolution feature automatically resolves these SIDs to human-readable names using the Windows Local Security Authority (LSA) API.
+
+**Key Features:**
+- Automatically enriches Windows events with resolved user and group names
+- High-performance LRU cache with configurable size and TTL
+- Resolves well-known SIDs (SYSTEM, LOCAL_SERVICE, etc.) instantly from static map
+- Works with domain-joined machines to resolve domain users and groups
+- Non-breaking: original SID values are preserved alongside resolved names
+
+**Configuration:**
+```yaml
+receivers:
+  windowseventlog:
+    channel: Security
+    resolve_sids:
+      enabled: true        # Enable SID resolution
+      cache_size: 10000    # Cache up to 10,000 SID-to-name mappings
+      cache_ttl: 15m       # Re-resolve SIDs after 15 minutes
+```
+
+**Without SID Resolution:**
+```json
+{
+  "security": {
+    "user_id": "S-1-5-21-3623811015-3361044348-30300820-1013"
+  },
+  "event_data": {
+    "SubjectUserSid": "S-1-5-18",
+    "TargetUserSid": "S-1-5-21-3623811015-3361044348-30300820-1013"
+  }
+}
+```
+
+**With SID Resolution:**
+```json
+{
+  "security": {
+    "user_id": "S-1-5-21-3623811015-3361044348-30300820-1013",
+    "user_name": "ACME\\jsmith",
+    "domain": "ACME",
+    "account": "jsmith",
+    "account_type": "User"
+  },
+  "event_data": {
+    "SubjectUserSid": "S-1-5-18",
+    "SubjectUserSid_Resolved": "NT AUTHORITY\\SYSTEM",
+    "SubjectUserSid_Domain": "NT AUTHORITY",
+    "SubjectUserSid_Account": "SYSTEM",
+    "SubjectUserSid_Type": "WellKnownGroup",
+    "TargetUserSid": "S-1-5-21-3623811015-3361044348-30300820-1013",
+    "TargetUserSid_Resolved": "ACME\\jsmith",
+    "TargetUserSid_Domain": "ACME",
+    "TargetUserSid_Account": "jsmith",
+    "TargetUserSid_Type": "User"
+  }
+}
+```
+
+**Performance Characteristics:**
+
+- Cache hit latency: < 1 microsecond
+- Cache miss latency: < 5 milliseconds (Windows LSA API call)
+- Expected cache hit rate: > 99% in steady state
+- Memory usage: ~100 bytes per cached entry
+- Throughput impact: < 5% with cache enabled
+
+**Limitations:**
+
+- Only resolves SIDs for the local system or the domain the Windows machine is joined to
+- Cannot resolve SIDs from trusted domains (requires LDAP extension)
+- Remote collection: SID resolution only works when the collector runs on Windows
+- Cache lifecycle: Cache is created at receiver start and closed at shutdown
+
+**Troubleshooting:**
+
+If SID resolution is not working as expected:
+
+1. **Check logs for initialization message:**
+   ```
+   INFO SID resolution enabled {"cache_size": 10000, "cache_ttl": "15m0s"}
+   ```
+
+2. **Verify the collector is running on Windows:**
+   SID resolution only works on Windows operating systems.
+
+3. **Check for resolution errors:**
+   Failed SID lookups are logged at DEBUG level:
+   ```
+   DEBUG Failed to resolve SID {"sid": "S-1-5-21-...", "error": "..."}
+   ```
+
+4. **Verify SID format:**
+   Only fields ending with "Sid" or named "UserID" are automatically resolved.
+   Custom SID fields may not be detected.
+
+**Well-Known SIDs:**
+The following SIDs are resolved instantly from a static map (no API call required):
+- `S-1-5-18` - NT AUTHORITY\SYSTEM
+- `S-1-5-19` - NT AUTHORITY\LOCAL SERVICE
+- `S-1-5-20` - NT AUTHORITY\NETWORK SERVICE
+- `S-1-5-32-544` - BUILTIN\Administrators
+- `S-1-1-0` - Everyone
+- And 40+ more common Windows SIDs

receiver/windowseventlogreceiver/config.schema.yaml

@@ -1,5 +1,25 @@
+$defs:
+  resolve_si_ds_config:
+    description: ResolveSIDsConfig contains configuration for SID resolution
+    type: object
+    properties:
+      cache_size:
+        description: 'CacheSize is the maximum number of SIDs to cache (LRU eviction) Default: 10000'
+        type: integer
+        x-customType: uint
+      cache_ttl:
+        description: 'CacheTTL is how long cache entries remain valid Default: 15m'
+        type: string
+        format: duration
+      enabled:
+        description: Enabled controls whether SID resolution is active
+        type: boolean
 description: WindowsLogConfig defines configuration for the windowseventlog receiver
 type: object
+properties:
+  resolve_sids:
+    description: ResolveSIDs contains configuration for SID-to-username resolution
+    $ref: resolve_si_ds_config
 allOf:
   - $ref: github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/input/windows.config
   - $ref: github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/adapter.base_config

receiver/windowseventlogreceiver/factory_test.go

@@ -6,9 +6,11 @@ package windowseventlogreceiver // import "github.com/open-telemetry/opentelemet
 import (
 	"runtime"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/collector/confmap"
 	"go.opentelemetry.io/collector/consumer/consumertest"
 	"go.opentelemetry.io/collector/receiver/receivertest"
 
@@ -28,6 +30,38 @@ func TestCreateDefaultConfig(t *testing.T) {
 	require.NotNil(t, cfg, "failed to create default config")
 }
 
+func TestNegativeCacheSizeRejected(t *testing.T) {
+	factory := NewFactory()
+	cfg := factory.CreateDefaultConfig()
+
+	cm := confmap.NewFromStringMap(map[string]any{
+		"resolve_sids": map[string]any{
+			"cache_size": -1,
+		},
+	})
+	err := cm.Unmarshal(cfg)
+	require.Error(t, err)
+	require.ErrorContains(t, err, "cache_size")
+}
+
+func TestNegativeCacheTTLRejected(t *testing.T) {
+	cfg := &ResolveSIDsConfig{
+		Enabled:  true,
+		CacheTTL: -1 * time.Second,
+	}
+	err := cfg.Validate()
+	require.Error(t, err)
+	require.ErrorContains(t, err, "cache_ttl must not be negative")
+}
+
+func TestZeroCacheTTLAccepted(t *testing.T) {
+	cfg := &ResolveSIDsConfig{
+		Enabled:  true,
+		CacheTTL: 0,
+	}
+	require.NoError(t, cfg.Validate())
+}
+
 func TestCreateAndShutdown(t *testing.T) {
 	factory := NewFactory()
 	defaultConfig := factory.CreateDefaultConfig()

receiver/windowseventlogreceiver/go.mod

@@ -17,6 +17,7 @@ require (
 )
 
 require (
+	github.com/hashicorp/golang-lru/v2 v2.0.7
 	go.opentelemetry.io/collector/component/componenttest v0.147.1-0.20260306010043-a44ab254898b
 	go.opentelemetry.io/collector/consumer/consumertest v0.147.1-0.20260306010043-a44ab254898b
 	go.opentelemetry.io/collector/pdata v1.53.1-0.20260306010043-a44ab254898b

receiver/windowseventlogreceiver/go.sum

@@ -0,0 +1,34 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Package sidcache provides a high-performance LRU cache for Windows SID-to-name resolution.
+// It uses the Windows Local Security Authority (LSA) API to resolve Security Identifiers (SIDs)
+// to human-readable user and group names, with support for well-known SIDs and TTL-based expiration.
+package sidcache // import "github.com/open-telemetry/opentelemetry-collector-contrib/receiver/windowseventlogreceiver/internal/sidcache"
+
+import (
+	"regexp"
+	"time"
+)
+
+// Default configuration values
+const (
+	DefaultCacheSize = 10000
+	DefaultCacheTTL  = 15 * time.Minute
+)
+
+// sidPattern validates SID format: S-1-<revision>-<authority>-<sub-authorities>
+var sidPattern = regexp.MustCompile(`^S-1-\d+(-\d+)+$`)
+
+// isSIDFormat checks if a string matches the SID format
+func isSIDFormat(sid string) bool {
+	return sidPattern.MatchString(sid)
+}
+
+// IsSIDField checks if a field name likely contains a SID
+// Used by the receiver to identify which fields need resolution
+func IsSIDField(fieldName string) bool {
+	// Common SID field patterns in Windows events
+	return len(fieldName) >= 3 && (fieldName[len(fieldName)-3:] == "Sid" || // ends with "Sid"
+		fieldName == "UserID") // exact match for security.user_id
+}

receiver/windowseventlogreceiver/internal/sidcache/cache.go

@@ -0,0 +1,14 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !windows
+
+package sidcache // import "github.com/open-telemetry/opentelemetry-collector-contrib/receiver/windowseventlogreceiver/internal/sidcache"
+
+import "errors"
+
+// New returns an error on non-Windows platforms since SID resolution
+// requires the Windows Local Security Authority API.
+func New(_ Config) (Cache, error) {
+	return nil, errors.New("SID cache is only supported on Windows")
+}

receiver/windowseventlogreceiver/internal/sidcache/cache_other.go

@@ -0,0 +1,60 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package sidcache
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsSIDField(t *testing.T) {
+	tests := []struct {
+		fieldName string
+		expect    bool
+	}{
+		{"SubjectUserSid", true},
+		{"TargetUserSid", true},
+		{"UserSid", true},
+		{"Sid", true},
+		{"UserID", true},
+		{"UserName", false},
+		{"EventID", false},
+		{"Si", false},
+		{"", false},
+		{"AccountName", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.fieldName, func(t *testing.T) {
+			result := IsSIDField(tt.fieldName)
+			require.Equal(t, tt.expect, result)
+		})
+	}
+}
+
+func TestIsSIDFormat(t *testing.T) {
+	tests := []struct {
+		sid    string
+		expect bool
+	}{
+		{"S-1-5-18", true},
+		{"S-1-5-32-544", true},
+		{"S-1-5-21-3623811015-3361044348-30300820-1013", true},
+		{"S-1-0-0", true},
+		{"", false},
+		{"S-1", false},
+		{"S-1-5", false},
+		{"X-1-5-18", false},
+		{"S-X-5-18", false},
+		{"not-a-sid", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.sid, func(t *testing.T) {
+			result := isSIDFormat(tt.sid)
+			require.Equal(t, tt.expect, result)
+		})
+	}
+}