
nri-windows-event-logs's Introduction

Deprecation notice

Collection of event log channels is now part of core New Relic Infrastructure Agent: https://docs.newrelic.com/docs/logs/enable-log-management-new-relic/enable-log-monitoring-new-relic/forward-your-logs-using-infrastructure-agent#winlog

Windows Event Log Integration

  • Pipes Windows PowerShell Get-EventLog entries to Insights.
  • LogName configurable through Infrastructure definition and config files.

Disclaimer

New Relic has open-sourced this integration to enable monitoring of this technology. This integration is provided AS-IS WITHOUT WARRANTY OR SUPPORT, although you can report issues and contribute to this integration via GitHub. Support for this integration is available with an Expert Services subscription.

Instructions

  1. Copy .zip from Releases to host
  2. Unzip files
  3. Copy infra-windows-logs-config.yml to C:\Program Files\New Relic\newrelic-infra\integrations.d
  4. Copy the remaining files to C:\Program Files\New Relic\newrelic-infra\custom-integrations
    1. infra-windows-logs-definition.yml
    2. infra-windows-logs.bat
    3. infra-windows-logs.ps1
  5. Run: net stop newrelic-infra
  6. Run: net start newrelic-infra

Events are sent to Insights with the event_type wineventlog (the Windows Event Logs event type).


nri-windows-event-logs's Issues

allow port and customize event

I was able to push event logs to New Relic from my test machine. Which port do I need to open in the firewall, and how can I customize events?

Can we get a syntax example of how to set up eventid filters?

I see from the files that there is an option to pass in a colon-separated list of event IDs, but none of the examples show what that would look like in the yml files. Would it just be like this?

name: com.newrelic.windows.eventlog
protocol_version: 1
description: On-Host Integration for Windows Event Logs

commands:
  application:
    command:
      - .\infra-windows-logs.bat
      - Application
      - 1234:5678:9999
    interval: 30

Windows Event Log Collection Issues

Hello,
I tried to collect the event logs of the Windows OS using nri-windows-event-logs, but I have a problem. Can you help me?

Windows event logs are not collected in Insights, and I have rarely modified the configuration file.

Windows OS: Windows Server 2008 R2
NewRelic Infra Agent Version: 1.11.21

  • C:\Program Files\New Relic\newrelic-infra\integrations.d\infra-windows-logs-config.yml
integration_name: com.newrelic.windows.eventlog

instances:
  - name: eventlog-system
    command: system
  - name: eventlog-application
    command: application
  • C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.bat
@ECHO OFF
set logName=%1
set eventIds=%2

REM Pass -EventIds only when a second argument was supplied; without the ELSE
REM branch nothing would run when no event-ID list is configured.
IF DEFINED eventIds (
    powershell.exe -ExecutionPolicy Bypass -file "C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.ps1" -LogName %logName% -EventIds %eventIds%
) ELSE (
    powershell.exe -ExecutionPolicy Bypass -file "C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.ps1" -LogName %logName%
)
  • C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs-definition.yml
name: com.newrelic.windows.eventlog
protocol_version: 1
description: On-Host Integration for Windows Event Logs

commands:
  application:
    command:
      - C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.bat
      - Application
    interval: 30
  system:
    command:
      - C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.bat
      - System
    interval: 30
  • C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.ps1
###
# The following command is required for testing:
#
#[System.Diagnostics.EventLog]::CreateEventSource("New Relic","Application")
###


###
# Parameters (a.k.a. Command Line Arguments)
# Usage: -LogName "LogName" -EventIds 4608:4609:4946
# -LogName      The name of the event log to gather events from.  Ex: System, Application, etc. (Required)
# -EventIds     An optional, colon delimited, list of event ids to gather.
###

param (
    [string]$LogName=$(throw "-LogName is mandatory"),
    [string]$EventIds
)

###
# Logic to handle getting new log entries by saving the current date to a file
# to use as the -After argument of Get-EventLog in the next pull. On the first
# run the fallback below is used; on subsequent runs the last date written to
# the file is used.
#
# Uses the LogName param to keep a separate timestamp file per LogName.
###

$LAST_PULL_TIMESTAMP_FILE = "./last-pull-timestamp-$LogName.txt"


###
# If the timestamp file exists, use it; otherwise,
# set the timestamp to 240 minutes (4 hours) ago to pull some data on
# the first run.
###

if (Test-Path $LAST_PULL_TIMESTAMP_FILE -PathType Leaf) {

    $timestamp = Get-Content -Path $LAST_PULL_TIMESTAMP_FILE -Encoding String | Out-String
    $timestamp = [DateTime] $timestamp.ToString()

} else{

    $timestamp = (Get-Date).AddMinutes(-240)

}

###
# Write timestamp to file to pull on next run.
###
Set-Content -Path $LAST_PULL_TIMESTAMP_FILE -Value (Get-Date -Format o)

###
# Pull events using -After param with timestamp. Wrap in @() so that an empty
# result is an empty array rather than $null and the .ForEach() below is safe.
###
$events = @(Get-EventLog -LogName $LogName -After $timestamp)

###
# If event ids were given, filter to keep only the events having an id in our event id list.
###
if ($EventIds) {
    $eventIdStrings = $EventIds.Split(":")
    $eventIdNums = @()
    foreach ($eventId in $eventIdStrings) {
        $eventIdNums += [convert]::ToInt32($eventId)
    }

    # Iterate over the events and copy only those we want to keep into the filteredEvents.
    $filteredEvents = @()
    foreach ($event in $events) {
        if (-Not ($eventIdNums -Contains $event.EventID)) {
            continue
        }
        $filteredEvents += $event
    }
    $events = $filteredEvents
}

###
# Add required 'event_type' to objects from Get-EventLog.
# Add optional 'log_name' value to object.
###


$events.ForEach({
    Add-Member -NotePropertyName 'event_type' -NotePropertyValue 'wineventlog' -InputObject $_
    Add-Member -NotePropertyName 'log_name' -NotePropertyValue $LogName -InputObject $_

});



###
# Create hash table in required format for Infrastructure, populated
# with event object log data and pipe to ConvertTo-Json with
# -Compress argument required in order for Infrastructure to consume.
###
$payload = @{
    name = "com.newrelic.windows.eventlog"
    integration_version = "0.1.0"
    protocol_version = 1
    metrics = @($events)
    inventory = @{}
    events = @()
} | ConvertTo-Json -Compress


###
# Output json string created above with regex to normalize date strings
# post json string conversion. Alternatively, you could create a
# new -NotePropertyName with the proper date string and remove
# the original object property. 
###
Write-Output ($payload -replace '"\\\/Date\((\d+)\)\\\/\"' ,'$1')

Thank you

Apart from Application and System we are not getting any other Event Log Details

I'm trying to get Event IDs monitored for DFS Replication. Apart from the Application and Security Windows logs, I'm not getting any.


Errors from Log:
time="2020-12-10T04:03:23-06:00" level=error msg="Integration command failed" error="exit status 1" instance=eventlog-dfsreplication integration=com.newrelic.windows.eventlog prefix=integration/com.newrelic.windows.eventlog stderr="'C:\Program' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n" working-dir="C:\Program Files\New Relic\newrelic-infra\custom-integrations"

Can you let me know how to get this issue fixed?
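The logged "'C:\Program' is not recognized" message is the signature of cmd.exe's quote handling on a /C command line, and a log name containing a space ("DFS Replication") is exactly what triggers it: when the agent launches the .bat, Windows runs it through cmd.exe /c, and once the command line carries more than two quote characters (a quoted .bat path plus a quoted log name), cmd.exe strips the first and the last quote and tries to execute the path only up to its first space. Application and System contain no space, so they arrive unquoted, the two-quote case is preserved, and those channels work. That the agent quotes only arguments containing spaces is an assumption about its runtime consistent with the error, not something the page states. The PowerShell below is an added example, not code from the project or from the issue author; it reproduces the three cases with a throwaway batch file in a constructed temp directory whose name deliberately contains a space.

```powershell
# Added example (not project code): how cmd.exe /C treats quotes on the
# command line it receives, reproduced with a constructed batch file placed
# in a directory whose name contains a space.
$work = Join-Path $env:TEMP 'nri demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$bat = Join-Path $work 'echo-logname.bat'
# %~1 prints the first argument with its surrounding quotes removed.
Set-Content -Path $bat -Value "@echo off`r`necho LogName=%~1"

function Invoke-CmdLine {
    # Hand cmd.exe a verbatim argument string so PowerShell's own quoting
    # rules do not interfere; return the exit code plus combined output.
    param([string]$Arguments)
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = 'cmd.exe'
    $psi.Arguments              = $Arguments
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $proc = [System.Diagnostics.Process]::Start($psi)
    $text = ($proc.StandardOutput.ReadToEnd() + $proc.StandardError.ReadToEnd()).Trim()
    $proc.WaitForExit()
    return "exit={0} {1}" -f $proc.ExitCode, $text
}

# Case 1: log name without spaces. Exactly two quote characters on the
# line, whitespace between them, and they wrap an existing executable,
# so cmd.exe keeps the quotes and the batch file runs.
Invoke-CmdLine "/c `"$bat`" Application"

# Case 2: log name with a space. Four quote characters, so cmd.exe removes
# the first and the last one and treats the path up to its first space as
# the program to run. The batch file never executes; this is the
# "'C:\Program' is not recognized" failure from the agent log.
Invoke-CmdLine "/c `"$bat`" `"DFS Replication`""

# Case 3: /S plus an outer pair of quotes makes cmd.exe strip exactly those
# outer quotes, leaving the intended command line intact.
Invoke-CmdLine "/s /c `"`"$bat`" `"DFS Replication`"`""

Remove-Item -Path $work -Recurse -Force
```

Because the failure happens before the .bat runs, nothing inside the batch file can fix it. One way to sidestep cmd.exe entirely (a suggestion, not something the page confirms) is to make powershell.exe itself the command in the definition file, passing -File, the .ps1 path, -LogName and the log name as separate list items, since an .exe launched directly does not go through cmd.exe's quote processing.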

Modify script to change "EntryType" to an enumerated list.

Currently, the EntryType is imported into New Relic as a numeric value, but we would like to see this as an enumerated list. Perhaps we can break this into three attributes for EntryType, Code/Numeric Value and Message?

I.e., taken from here:

Value | Name         | Description
1     | Error        | An error event. This indicates a significant problem the user should know about; usually a loss of functionality or data.
2     | Warning      | A warning event. This indicates a problem that is not immediately significant, but that may signify conditions that could cause future problems.
4     | Information  | An information event. This indicates a significant, successful operation.
8     | SuccessAudit | A success audit event. This indicates a security event that occurs when an audited access attempt is successful; for example, logging on successfully.
16    | FailureAudit | A failure audit event. This indicates a security event that occurs when an audited access attempt fails; for example, a failed attempt to open a file.

Or something similar.
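The two requests in these issues, the colon-separated event-ID filter syntax asked about earlier and the EntryType split asked for here, worked through in PowerShell as an added example that is not the project's code: the list is parsed strictly (a non-numeric item fails loudly instead of silently collecting nothing), each entry gains the enum name, the numeric code and a description next to the original EntryType, and the run uses constructed sample entries shaped like Get-EventLog output so it needs no live event log. The field names entry_type_name, entry_type_code and entry_type_description are my choice; the descriptions are shortened from the table above.

```powershell
# Added example, not code from nri-windows-event-logs. Sample entries are
# constructed; on a real host they would come from Get-EventLog.

function ConvertFrom-EventIdList {
    # "4624:4625:4946" -> 4624, 4625, 4946. Blank items are skipped; anything
    # non-numeric throws so a typo in the definition file is noticed.
    param([string]$EventIds)
    $ids = @()
    foreach ($item in ($EventIds -split ':')) {
        $item = $item.Trim()
        if ($item.Length -eq 0) { continue }
        $n = 0
        if (-not [int]::TryParse($item, [ref]$n)) {
            throw "EventIds contains a non-numeric entry: '$item'"
        }
        $ids += $n
    }
    return $ids
}

# Descriptions shortened from System.Diagnostics.EventLogEntryType docs.
$EntryTypeDescriptions = @{
    Error        = 'A significant problem, usually a loss of functionality or data.'
    Warning      = 'A problem that is not immediately significant but may signal future trouble.'
    Information  = 'A significant, successful operation.'
    SuccessAudit = 'An audited access attempt that succeeded (Security log only).'
    FailureAudit = 'An audited access attempt that failed (Security log only).'
}

function Add-EntryTypeFields {
    # Keep the numeric EntryType (existing NRQL may filter on it) and add the
    # enum name, code and description, plus the event_type/log_name fields the
    # integration already emits. Codes outside the enum are labelled Unknown.
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string]$LogName
    )
    process {
        $code = [int]$Entry.EntryType
        if ([System.Enum]::IsDefined([System.Diagnostics.EventLogEntryType], $code)) {
            $name = ([System.Diagnostics.EventLogEntryType]$code).ToString()
        } else {
            $name = 'Unknown'
        }
        $desc = if ($EntryTypeDescriptions.ContainsKey($name)) { $EntryTypeDescriptions[$name] }
                else { "Unrecognised EntryType code $code" }
        $Entry |
            Add-Member -NotePropertyName event_type             -NotePropertyValue 'wineventlog' -PassThru |
            Add-Member -NotePropertyName log_name               -NotePropertyValue $LogName      -PassThru |
            Add-Member -NotePropertyName entry_type_name        -NotePropertyValue $name         -PassThru |
            Add-Member -NotePropertyName entry_type_code        -NotePropertyValue $code         -PassThru |
            Add-Member -NotePropertyName entry_type_description -NotePropertyValue $desc         -PassThru
    }
}

# Constructed stand-ins for `Get-EventLog -LogName Security` output.
$sample = @(
    [pscustomobject]@{ EventID = 4624; EntryType = [System.Diagnostics.EventLogEntryType]::SuccessAudit
                       TimeGenerated = Get-Date; Message = 'An account was successfully logged on.' }
    [pscustomobject]@{ EventID = 4625; EntryType = [System.Diagnostics.EventLogEntryType]::FailureAudit
                       TimeGenerated = Get-Date; Message = 'An account failed to log on.' }
    [pscustomobject]@{ EventID = 4672; EntryType = [System.Diagnostics.EventLogEntryType]::SuccessAudit
                       TimeGenerated = Get-Date; Message = 'Special privileges assigned to new logon.' }
    [pscustomobject]@{ EventID = 7036; EntryType = [System.Diagnostics.EventLogEntryType]::Information
                       TimeGenerated = Get-Date; Message = 'A service entered the running state.' }
)

# Same filter semantics as the definition file: "4624:4625" keeps logons only.
$wanted   = @(ConvertFrom-EventIdList '4624:4625')
$enriched = $sample | Where-Object { $wanted -contains $_.EventID } | Add-EntryTypeFields -LogName 'Security'
$enriched | Select-Object EventID, entry_type_code, entry_type_name, entry_type_description | Format-Table -AutoSize

# Protocol v1 payload in the shape the integration already emits.
@{
    name                = 'com.newrelic.windows.eventlog'
    integration_version = '0.1.0'
    protocol_version    = 1
    metrics             = @($enriched)
    inventory           = @{}
    events              = @()
} | ConvertTo-Json -Compress
```

ConvertTo-Json in Windows PowerShell 5.1 serializes enum-typed properties as their integer value, which is why EntryType shows up in New Relic as a number; adding the name and description alongside the code, rather than replacing it, keeps any existing queries on the numeric value working.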
