Issue with remote event subscription #70

@Sjolus

Hi,

I'm trying to write a config that queries a remote server for Windows Events. My config looks like this:

<source>
  @type windows_eventlog2
  @id windows_remote
  @log_level trace
  read_existing_events false
  read_interval 2
  tag winevt.remote
  rate_limit 200

  <storage>
    @type local
    persistent true
    path C:\opt\td-agent\winevt-remote.pos
  </storage>

  <subscribe>
    channels ["System"]
    read_existing_events false
    read_all_channels true
    remote_server web-01.<redacted>
    remote_domain <redacted>
    remote_username Administrator
    remote_password <redacted>
  </subscribe>
</source>

<match winevt.remote>
  @type stdout
</match>

And it seems as if no remote events are ever fetched. Instead, it seems to be getting local events for some reason, as per the following output from running this locally (DC is the local machine running this in my testing environment):

2020-11-09 18:04:47 +0000 [info]: fluent/log.rb:327:info: starting fluentd-1.11.2 pid=5592 ruby="2.7.1"
2020-11-09 18:04:47 +0000 [info]: fluent/log.rb:327:info: spawn command to main:  cmdline=["C:/opt/td-agent/bin/ruby.exe", "-Eascii-8bit:ascii-8bit", "C:/opt/td-agent/bin/fluentd", "-c", "etc\\td-agent\\td-agent.conf", "-v", "--under-supervisor"]
2020-11-09 18:04:55 +0000 [info]: fluent/log.rb:327:info: adding match pattern="winevt.remote" type="stdout"
2020-11-09 18:04:55 +0000 [info]: fluent/log.rb:327:info: adding source type="windows_eventlog2"
2020-11-09 18:04:57 +0000 [debug]: #0 fluent/log.rb:306:debug: No fluent logger for internal event
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_server' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_domain' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_username' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [warn]: fluent/log.rb:348:warn: parameter 'remote_password' in <subscribe>
  channels ["System"]
  read_existing_events false
  remote_server web-01.<redacted>
  remote_domain <redacted>
  remote_username Administrator
  remote_password <redacted>
</subscribe> is not used.
2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: starting fluentd worker pid=6612 ppid=5592 worker=0
2020-11-09 18:04:57 +0000 [info]: #0 fluent/log.rb:327:info: fluentd worker is now running worker=0
2020-11-09 18:05:09.089322800 +0000 winevt.remote: {"ProviderName":"Service Control Manager","ProviderGUID":"","EventID":"1073748860","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","TimeCreated":"2020/11/09 18:05:06.614689300","EventRecordID":"65701","ActivityID":"","RelatedActivityID":"","ProcessID":"600","ThreadID":"7648","Channel":"System","Computer":"DC.<redacted>","UserID":"","Version":"0","Description":"The Print Spooler service entered the stopped state.","EventData":["Print Spooler","stopped","?"]}
2020-11-09 18:05:09.094874500 +0000 winevt.remote: {"ProviderName":"Service Control Manager","ProviderGUID":"","EventID":"1073748860","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","TimeCreated":"2020/11/09 18:05:07.937694400","EventRecordID":"65702","ActivityID":"","RelatedActivityID":"","ProcessID":"600","ThreadID":"7648","Channel":"System","Computer":"DC.<redacted>","UserID":"","Version":"0","Description":"The Print Spooler service entered the running state.","EventData":["Print Spooler","running","?"]}

Any advice as to how to proceed in troubleshooting this? I am not sure what those "parameter ... is not used" warnings mean; maybe I have misconfigured something?
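Added troubleshooting example (not part of the issue above and not code from the fluent-plugin-windows-eventlog project). The "parameter 'X' in <subscribe> ... is not used" message is fluentd's standard warning for a key that the loaded plugin did not declare for that section, so the plugin silently falls back to reading the local channel, which is exactly what the `Computer":"DC.<redacted>` output shows. Two checks separate a plugin-version problem from a connectivity or permissions problem: find out which plugin version td-agent actually loaded, and read the remote channel with the same account outside of fluentd. The script below does both; the host name, domain and account name are placeholders, and the td-agent install path is assumed to be the default `C:\opt\td-agent`. Note also that the posted config stores a domain Administrator password in plaintext in td-agent.conf; a dedicated account that is a member of the remote host's "Event Log Readers" group is enough to read the System channel and is what the script prompts for.

```powershell
# Added example: verify remote Windows Event Log access independently of fluentd.
# Placeholders: $RemoteServer, $Domain and the account name are assumptions, not values from the issue.
param(
    [string]$RemoteServer = 'web-01.example.internal',   # placeholder remote host
    [string]$Domain       = 'EXAMPLE',                   # placeholder domain
    [string]$Channel      = 'System',
    [string]$TdAgentBin   = 'C:\opt\td-agent\bin'        # assumed default td-agent install path
)

# 1. Which plugin version did td-agent load? fluentd only warns "parameter ... is not used"
#    for keys the loaded plugin does not declare, so an old plugin is the first suspect.
#    (td-agent-gem.bat lives in the td-agent bin directory; run from the Td-agent Command Prompt if not on PATH.)
& (Join-Path $TdAgentBin 'td-agent-gem.bat') list fluent-plugin-windows-eventlog

# 2. Prompt for credentials instead of embedding a password in the script or shell history.
#    A member of the remote host's "Event Log Readers" group is sufficient for a read-only subscription.
$cred = Get-Credential -UserName "$Domain\eventreader" -Message "Account used for the remote event log read"

# 3. Read the newest record from the remote channel. Get-WinEvent -ComputerName uses the
#    Windows Event Log remoting interface (RPC), the same path a remote EvtSubscribe takes,
#    so a failure here is a network/firewall/permission problem rather than a fluentd problem.
try {
    $ev = Get-WinEvent -ComputerName $RemoteServer -LogName $Channel -MaxEvents 1 -Credential $cred -ErrorAction Stop
    # If this prints the remote host's name, remote access works and the config/plugin side is at fault.
    '{0}: record {1} from {2} at {3}' -f $Channel, $ev.RecordId, $ev.MachineName, $ev.TimeCreated
} catch {
    Write-Error ("Remote read of {0} on {1} failed: {2}" -f $Channel, $RemoteServer, $_.Exception.Message)
}
```

If step 3 succeeds but fluentd still logs the "is not used" warnings, the loaded plugin version simply does not know the remote_* keys in the place they were written, and the fix is on the plugin/version side rather than in the remote host's configuration.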
