[receiver/windowseventlogreceiver]: add IncludeLogRecordOriginal to add log.record.original to attributes (open-telemetry#40367)

justinianvoss22 · web-flow · commit 02458435882a · 2025-06-09T15:34:23.000+02:00
#### Description - Create an opt-in boolean option in the config called `include_log_record_original`. - When true, the receive puts the log's raw XML value into a [general log identification attribute](https://opentelemetry.io/docs/specs/semconv/general/logs/): log.record.original. #### Link to tracking issue open-telemetry#40365 #### Documentation - Update README.md
diff --git a/.chloggen/add-boolean-to-add-log-record-original-to-attributes.yaml b/.chloggen/add-boolean-to-add-log-record-original-to-attributes.yaml
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: windowseventlogreceiver
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add a boolean option to include the `log.record.original` attribute of each event record.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [40365]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]
diff --git a/pkg/stanza/go.mod b/pkg/stanza/go.mod
@@ -28,6 +28,7 @@ require (
 	go.opentelemetry.io/collector/receiver v1.33.1-0.20250605211604-c9aaed834963
 	go.opentelemetry.io/collector/receiver/receiverhelper v0.127.1-0.20250605211604-c9aaed834963
 	go.opentelemetry.io/collector/receiver/receivertest v0.127.1-0.20250605211604-c9aaed834963
+	go.opentelemetry.io/otel v1.36.0
 	go.opentelemetry.io/otel/metric v1.36.0
 	go.opentelemetry.io/otel/sdk/metric v1.36.0
 	go.opentelemetry.io/otel/trace v1.36.0
@@ -75,7 +76,6 @@ require (
 	go.opentelemetry.io/collector/pipeline v0.127.1-0.20250605211604-c9aaed834963 // indirect
 	go.opentelemetry.io/collector/receiver/xreceiver v0.127.1-0.20250605211604-c9aaed834963 // indirect
 	go.opentelemetry.io/contrib/bridges/otelzap v0.11.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/log v0.12.2 // indirect
 	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
 	golang.org/x/crypto v0.37.0 // indirect
diff --git a/pkg/stanza/operator/input/windows/config_all.go b/pkg/stanza/operator/input/windows/config_all.go
@@ -28,16 +28,17 @@ func NewConfigWithID(operatorID string) *Config {
 
 // Config is the configuration of a windows event log operator.
 type Config struct {
-	helper.InputConfig    `mapstructure:",squash"`
-	Channel               string        `mapstructure:"channel"`
-	MaxReads              int           `mapstructure:"max_reads,omitempty"`
-	StartAt               string        `mapstructure:"start_at,omitempty"`
-	PollInterval          time.Duration `mapstructure:"poll_interval,omitempty"`
-	Raw                   bool          `mapstructure:"raw,omitempty"`
-	SuppressRenderingInfo bool          `mapstructure:"suppress_rendering_info,omitempty"`
-	ExcludeProviders      []string      `mapstructure:"exclude_providers,omitempty"`
-	Remote                RemoteConfig  `mapstructure:"remote,omitempty"`
-	Query                 *string       `mapstructure:"query,omitempty"`
+	helper.InputConfig       `mapstructure:",squash"`
+	Channel                  string        `mapstructure:"channel"`
+	MaxReads                 int           `mapstructure:"max_reads,omitempty"`
+	StartAt                  string        `mapstructure:"start_at,omitempty"`
+	PollInterval             time.Duration `mapstructure:"poll_interval,omitempty"`
+	Raw                      bool          `mapstructure:"raw,omitempty"`
+	IncludeLogRecordOriginal bool          `mapstructure:"include_log_record_original,omitempty"`
+	SuppressRenderingInfo    bool          `mapstructure:"suppress_rendering_info,omitempty"`
+	ExcludeProviders         []string      `mapstructure:"exclude_providers,omitempty"`
+	Remote                   RemoteConfig  `mapstructure:"remote,omitempty"`
+	Query                    *string       `mapstructure:"query,omitempty"`
 }
 
 // RemoteConfig is the configuration for a remote server.
diff --git a/pkg/stanza/operator/input/windows/config_windows.go b/pkg/stanza/operator/input/windows/config_windows.go
@@ -46,17 +46,18 @@ func (c *Config) Build(set component.TelemetrySettings) (operator.Operator, erro
 	}
 
 	input := &Input{
-		InputOperator:    inputOperator,
-		buffer:           NewBuffer(),
-		channel:          c.Channel,
-		maxReads:         c.MaxReads,
-		currentMaxReads:  c.MaxReads,
-		startAt:          c.StartAt,
-		pollInterval:     c.PollInterval,
-		raw:              c.Raw,
-		excludeProviders: excludeProvidersSet(c.ExcludeProviders),
-		remote:           c.Remote,
-		query:            c.Query,
+		InputOperator:            inputOperator,
+		buffer:                   NewBuffer(),
+		channel:                  c.Channel,
+		maxReads:                 c.MaxReads,
+		currentMaxReads:          c.MaxReads,
+		startAt:                  c.StartAt,
+		pollInterval:             c.PollInterval,
+		raw:                      c.Raw,
+		includeLogRecordOriginal: c.IncludeLogRecordOriginal,
+		excludeProviders:         excludeProvidersSet(c.ExcludeProviders),
+		remote:                   c.Remote,
+		query:                    c.Query,
 	}
 	input.startRemoteSession = input.defaultStartRemoteSession
 
diff --git a/pkg/stanza/operator/input/windows/input.go b/pkg/stanza/operator/input/windows/input.go
@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"go.opentelemetry.io/collector/component"
+	semconv "go.opentelemetry.io/otel/semconv/v1.27.0"
 	"go.uber.org/multierr"
 	"go.uber.org/zap"
 	"golang.org/x/sys/windows"
@@ -24,25 +25,26 @@ import (
 // Input is an operator that creates entries using the windows event log api.
 type Input struct {
 	helper.InputOperator
-	bookmark            Bookmark
-	buffer              *Buffer
-	channel             string
-	query               *string
-	maxReads            int
-	currentMaxReads     int
-	startAt             string
-	raw                 bool
-	excludeProviders    map[string]struct{}
-	pollInterval        time.Duration
-	persister           operator.Persister
-	publisherCache      publisherCache
-	cancel              context.CancelFunc
-	wg                  sync.WaitGroup
-	subscription        Subscription
-	remote              RemoteConfig
-	remoteSessionHandle windows.Handle
-	startRemoteSession  func() error
-	processEvent        func(context.Context, Event) error
+	bookmark                 Bookmark
+	buffer                   *Buffer
+	channel                  string
+	query                    *string
+	maxReads                 int
+	currentMaxReads          int
+	startAt                  string
+	raw                      bool
+	includeLogRecordOriginal bool
+	excludeProviders         map[string]struct{}
+	pollInterval             time.Duration
+	persister                operator.Persister
+	publisherCache           publisherCache
+	cancel                   context.CancelFunc
+	wg                       sync.WaitGroup
+	subscription             Subscription
+	remote                   RemoteConfig
+	remoteSessionHandle      windows.Handle
+	startRemoteSession       func() error
+	processEvent             func(context.Context, Event) error
 }
 
 // newInput creates a new Input operator.
@@ -327,7 +329,11 @@ func (i *Input) sendEvent(ctx context.Context, eventXML *EventXML) error {
 	e.Severity = parseSeverity(eventXML.RenderedLevel, eventXML.Level)
 
 	if i.remote.Server != "" {
-		e.Attributes["server.address"] = i.remote.Server
+		e.AddAttribute("server.address", i.remote.Server)
+	}
+
+	if i.includeLogRecordOriginal {
+		e.AddAttribute(string(semconv.LogRecordOriginalKey), eventXML.Original)
 	}
 
 	return i.Write(ctx, e)
diff --git a/pkg/stanza/operator/input/windows/input_test.go b/pkg/stanza/operator/input/windows/input_test.go
@@ -18,6 +18,8 @@ import (
 	"go.uber.org/zap/zaptest/observer"
 	"golang.org/x/sys/windows"
 
+	"github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/entry"
+	"github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/testutil"
 )
 
@@ -211,3 +213,134 @@ func TestInputRead_RPCInvalidBound(t *testing.T) {
 	require.Equal(t, 1, logs.Len())
 	assert.Contains(t, logs.All()[0].Message, "Encountered RPC_S_INVALID_BOUND")
 }
+
+// TestInputIncludeLogRecordOriginal tests that the log.record.original attribute is added when include_log_record_original is true
+func TestInputIncludeLogRecordOriginal(t *testing.T) {
+	input := newTestInput()
+	input.includeLogRecordOriginal = true
+	input.pollInterval = time.Second
+	input.buffer = NewBuffer() // Initialize buffer
+
+	// Create a mock event XML
+	eventXML := &EventXML{
+		Original: "<Event><System><Provider Name='TestProvider'/><EventID>1</EventID></System></Event>",
+		TimeCreated: TimeCreated{
+			SystemTime: "2024-01-01T00:00:00Z",
+		},
+	}
+
+	ctx := context.Background()
+	persister := testutil.NewMockPersister("")
+	fake := testutil.NewFakeOutput(t)
+	input.OutputOperators = []operator.Operator{fake}
+
+	err := input.Start(persister)
+	require.NoError(t, err)
+
+	err = input.sendEvent(ctx, eventXML)
+	require.NoError(t, err)
+
+	expectedEntry := &entry.Entry{
+		Timestamp: time.Date(2024, time.January, 1, 0, 0, 0, 0, time.UTC),
+		Body: map[string]any{
+			"channel":    "",
+			"computer":   "",
+			"event_data": map[string]any{},
+			"event_id": map[string]any{
+				"id":         uint32(0),
+				"qualifiers": uint16(0),
+			},
+			"keywords": []string(nil),
+			"level":    "",
+			"message":  "",
+			"opcode":   "",
+			"provider": map[string]any{
+				"event_source": "",
+				"guid":         "",
+				"name":         "",
+			},
+			"record_id":   uint64(0),
+			"system_time": "2024-01-01T00:00:00Z",
+			"task":        "",
+		},
+		Attributes: map[string]any{
+			"log.record.original": eventXML.Original,
+		},
+	}
+
+	select {
+	case actualEntry := <-fake.Received:
+		actualEntry.ObservedTimestamp = time.Time{}
+		assert.Equal(t, expectedEntry, actualEntry)
+	case <-time.After(time.Second):
+		require.FailNow(t, "Timed out waiting for entry")
+	}
+
+	err = input.Stop()
+	require.NoError(t, err)
+}
+
+// TestInputIncludeLogRecordOriginalFalse tests that the log.record.original attribute is not added when include_log_record_original is false
+func TestInputIncludeLogRecordOriginalFalse(t *testing.T) {
+	input := newTestInput()
+	input.includeLogRecordOriginal = false
+	input.pollInterval = time.Second
+	input.buffer = NewBuffer() // Initialize buffer
+
+	// Create a mock event XML
+	eventXML := &EventXML{
+		Original: "<Event><System><Provider Name='TestProvider'/><EventID>1</EventID></System></Event>",
+		TimeCreated: TimeCreated{
+			SystemTime: "2024-01-01T00:00:00Z",
+		},
+	}
+
+	ctx := context.Background()
+	persister := testutil.NewMockPersister("")
+	fake := testutil.NewFakeOutput(t)
+	input.OutputOperators = []operator.Operator{fake}
+
+	err := input.Start(persister)
+	require.NoError(t, err)
+
+	err = input.sendEvent(ctx, eventXML)
+	require.NoError(t, err)
+
+	expectedEntry := &entry.Entry{
+		Timestamp: time.Date(2024, time.January, 1, 0, 0, 0, 0, time.UTC),
+		Body: map[string]any{
+			"channel":    "",
+			"computer":   "",
+			"event_data": map[string]any{},
+			"event_id": map[string]any{
+				"id":         uint32(0),
+				"qualifiers": uint16(0),
+			},
+			"keywords": []string(nil),
+			"level":    "",
+			"message":  "",
+			"opcode":   "",
+			"provider": map[string]any{
+				"event_source": "",
+				"guid":         "",
+				"name":         "",
+			},
+			"record_id":   uint64(0),
+			"system_time": "2024-01-01T00:00:00Z",
+			"task":        "",
+		},
+		Attributes: nil,
+	}
+
+	// Verify that log.record.original attribute does not exist
+	select {
+	case actualEntry := <-fake.Received:
+		actualEntry.ObservedTimestamp = time.Time{}
+		assert.Equal(t, expectedEntry, actualEntry)
+	case <-time.After(time.Second):
+		require.FailNow(t, "Timed out waiting for entry")
+	}
+
+	err = input.Stop()
+	require.NoError(t, err)
+}
diff --git a/receiver/windowseventlogreceiver/README.md b/receiver/windowseventlogreceiver/README.md
@@ -28,6 +28,7 @@ Tails and parses logs from windows event log API using the [opentelemetry-log-co
 | `resource`                          | {}           | A map of `key: value` pairs to add to the entry's resource.                                                                                                                                                                                    |
 | `operators`                         | []           | An array of [operators](https://github.com/open-telemetry/opentelemetry-log-collection/blob/main/docs/operators/README.md#what-operators-are-available). See below for more details                                                            |
 | `raw` | false | If false, the body of emitted log records will contain a structured representation of the event. Otherwise, the body will be the original XML string. |
+| `include_log_record_original` | false | If false, no additional attributes are added. If true, `log.record.original` is added to the attributes, which stores the original XML string according to the configured `suppress_rendering_info` (see below). 
 | `suppress_rendering_info` | false | If false, [additional syscalls](https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtformatmessage#remarks) may be made to retrieve detailed information about the event. Otherwise, some unresolved values may be present in the event. |
 | `exclude_providers`                 | []           | One or more event log providers to exclude from processing.                                                                                                                                                                                    |
 | `storage`                           | none         | The ID of a storage extension to be used to store bookmarks. Bookmarks allow the receiver to pick up where it left off in the case of a collector restart. If no storage extension is used, the receiver will manage bookmarks in memory only. |
