Class: LogStash::Inputs::EventLog

Inherits:

Base

• Object
• Base
• LogStash::Inputs::EventLog

Defined in:

lib/logstash/inputs/eventlog.rb

Overview

This input will pull events from a msdn.microsoft.com/en-us/library/windows/desktop/bb309026%28v=vs.85%29.aspx[Windows Event Log]. Note that Windows Event Logs are stored on disk in a binary format and are only accessible from the Win32 API. This means Losgtash needs to be running as an agent on Windows servers where you wish to collect logs from, and will not be accesible across the network.

To collect Events from the System Event Log, use a config like:

source,ruby

input {

eventlog {
  type  => 'Win32-EventLog'
  logfile  => 'System'
}

}

Instance Method Summary

• #register ⇒ Object
• #run(queue) ⇒ Object

Instance Method Details

#register ⇒ Object

# File 'lib/logstash/inputs/eventlog.rb', line 36

def register

  # wrap specified logfiles in suitable OR statements
  @hostname = Socket.gethostname
  @logger.info("Opening eventlog #{@logfile}")

  begin
    @eventlog = Win32::EventLog.open(@logfile)
  rescue SystemCallError => e
    if e.errno == 1314 # ERROR_PRIVILEGE_NOT_HELD
      @logger.fatal("No privilege held to open logfile", :logfile => @logfile)
    end
    raise
  end
end

#run(queue) ⇒ Object

# File 'lib/logstash/inputs/eventlog.rb', line 53

def run(queue)

  @logger.debug("Tailing Windows Event Log '#{@logfile}'")

  old_total = @eventlog.total_records()
  flags     = Win32::EventLog::FORWARDS_READ | Win32::EventLog::SEEK_READ
  rec_num   = @eventlog.read_last_event.record_number

  while !stop?
    new_total = @eventlog.total_records()
    if new_total != old_total
      rec_num = @eventlog.oldest_record_number() if @eventlog.full?
      @eventlog.read(flags, rec_num).each { |log| e = process(log); decorate(e); queue << e }
      old_total = new_total
      rec_num   = @eventlog.read_last_event.record_number + 1
    end
    Stud.stoppable_sleep(@interval/1000.0) { stop? }
  end
end