ConsumeWindowsEventLog 2.0.0

Bundle
org.apache.nifi | nifi-windows-event-log-nar
Description
Registers a Windows Event Log Subscribe Callback to receive FlowFiles from Events on Windows. These can be filtered via channel and XPath.
Tags
event, ingest, windows
Input Requirement
FORBIDDEN
Supports Sensitive Dynamic Properties
false
  • Additional Details for ConsumeWindowsEventLog 2.0.0

    ConsumeWindowsEventLog

    Description:

    This processor is used listen to Windows Event Log events. It has a success output that will contain an XML representation of the event.

    Output XML Example:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
            <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"
                      EventSourceName="Service Control Manager"/>
            <EventID Qualifiers="16384">7036</EventID>
            <Version>0</Version>
            <Level>4</Level>
            <Task>0</Task>
            <Opcode>0</Opcode>
            <Keywords>0x8080000000000000</Keywords>
            <TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
            <EventRecordID>34153</EventRecordID>
            <Correlation/>
            <Execution ProcessID="684" ThreadID="3504"/>
            <Channel>System</Channel>
            <Computer>WIN-O05CNUCF16M.hdf.local</Computer>
            <Security/>
        </System>
        <EventData>
            <Data Name="param1">Smart Card Device Enumeration Service</Data>
            <Data Name="param2">running</Data>
            <Binary>5300630044006500760069006300650045006E0075006D002F0034000000</Binary>
        </EventData>
    </Event>
    

    Permissions:

    Your Windows User must have permissions to read the given Event Log. This can be achieved through the following steps ( Windows 2008 and newer):

    1. Open a command prompt as your user. Enter the command: wmic useraccount get name,sid
    2. Note the SID of the user or group you’d like to allow to read a given channel
    3. Open a command prompt as Administrator. enter the command: wevtutil gl CHANNEL_NAME
    4. Take the channelAccess Attribute starting with O:BAG, copy it into a text editor, and add ( A;;0x1;;;YOUR_SID_FROM_BEFORE) to the end
    5. Take that text and run the following command in your admin prompt (see below for example): wevtutil sl CHANNEL_NAME /ca:TEXT_FROM_PREVIOUS_STEP

    The following command is the exact one I used to add read access to the Security log for my user. (You can see all the possible channels with: wevtutil el):

    wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-3589080292-3448680409-2446571098-1001)
    

    These steps were adapted from this guide.

Properties
Relationships
Name Description
success Relationship for successfully consumed events.
Writes Attributes
Name Description
mime.type Will set a MIME type value of application/xml.