Windows event logs are not collected in Insight, and I have rarely modified the configuration file.
integration_name: com.newrelic.windows.eventlog
instances:
- name: eventlog-system
command: system
- name: eventlog-application
command: application
@ECHO OFF
set logName=%1
set eventIds=%2
IF DEFINED eventIds (
powershell.exe -ExecutionPolicy Bypass -file "C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.ps1" -LogName %logName% -EventIds %eventIds%
powershell.exe -ExecutionPolicy Bypass -file "C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.ps1" -LogName %logName%
)
name: com.newrelic.windows.eventlog
protocol_version: 1
description: On-Host Integration for Windows Event Logs
commands:
application:
command:
- C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.bat
- Application
interval: 30
system:
command:
- C:\Program Files\New Relic\newrelic-infra\custom-integrations\infra-windows-logs.bat
- System
interval: 30
###
# The following command is required for testing:
#
#[System.Diagnostics.EventLog]::CreateEventSource("New Relic","Application")
###
###
# Parameters (a.k.a. Command Line Arguments)
# Usage: -LogName "LogName" -EventIds 4608:4609:4946
# -LogName The name of the event log to gather events from. Ex: System, Appication, etc. (Required)
# -EventIds An optional, colon delimited, list of event ids to gather.
###
param (
[string]$LogName=$(throw "-LogName is mandatory"),
[string]$EventIds
)
###
# Logic to handle getting new log entries by saving current date to file
# to use as -After argument of Get-Date in next pull. On first run we use current date.
# On subsequent runs it will use last date written to file.
#
# Uses LogName param to create timestamp for each LogName
###
$LAST_PULL_TIMESTAMP_FILE = "./last-pull-timestamp-$LogName.txt"
###
# If timestamp file exists, use it; otherwise,
# set timestamp to 15 minutes ago to pull some data on
# first run.
###
if (Test-Path $LAST_PULL_TIMESTAMP_FILE -PathType Leaf) {
$timestamp = Get-Content -Path $LAST_PULL_TIMESTAMP_FILE -Encoding String | Out-String
$timestamp = [DateTime] $timestamp.ToString()
} else{
$timestamp = (Get-Date).AddMinutes(-240)
}
###
# Write timestamp to file to pull on next run.
###
Set-Content -Path $LAST_PULL_TIMESTAMP_FILE -Value (Get-Date -Format o)
###
# Pull events using -After param with timestamp
###
$events = Get-EventLog -LogName $LogName -After $timestamp
###
# If event ids were given, filter to keep only the events having an id in our event id list.
###
if ($EventIds) {
$eventIdStrings = $EventIds.Split(":")
$eventIdNums = @()
foreach ($eventId in $eventIdStrings) {
$eventIdNums += [convert]::ToInt32($eventId)
}
# Iterate over the events and copy only those we want to keep into the filteredEvents.
$filteredEvents = @()
foreach ($event in $events) {
if (-Not ($eventIdNums -Contains $event.EventID)) {
continue
}
$filteredEvents += $event
}
$events = $filteredEvents
}
###
# Add required 'event_type' to objects from Get-EventLog.
# Add optional 'log_name' value to object.
###
$events.ForEach({
Add-Member -NotePropertyName 'event_type' -NotePropertyValue 'wineventlog' -InputObject $_
Add-Member -NotePropertyName 'log_name' -NotePropertyValue $LogName -InputObject $_
});
###
# Create hash table in required format for Infrastructure, populated
# with event object log data and pipe to ConvertTo-Json with
# -Compress argument required in order for Infrastructure to consume.
###
$payload = @{
name = "com.newrelic.windows.eventlog"
integration_version = "0.1.0"
protocol_version = 1
metrics = @($events)
inventory = @{}
events = @()
} | ConvertTo-Json -Compress
###
# Output json string created above with regex to normalize date strings
# post json string conversion. Alternatively, you could create a
# new -NotePropertyName with the proper date string and remove
# the original object property.
###
Write-Output ($payload -replace '"\\\/Date\((\d+)\)\\\/\"' ,'$1')