According to the documentation:
```toml
## Event fields to include as tags
## The values below are included by default.
## Globbing supported (e.g. "Level*" matches both "Level" and "LevelText")
# event_tags = ["Source", "EventID", "Level", "LevelText", "Task", "TaskText", "Opcode", "OpcodeText", "Keywords", "Channel", "Computer"]
```
It should be possible to see the username and workstation name as Tags.
The event in the windows event log looks like this:
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2024-09-23T08:57:42.4454660Z" />
    <EventRecordID>1085332</EventRecordID>
    <Correlation ActivityID="{758d10f2-092f-0002-6111-8d752f09db01}" />
    <Execution ProcessID="1052" ThreadID="11984" />
    <Channel>Security</Channel>
    <Computer>RDS.ourdomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">my_account</Data>
    <Data Name="TargetDomainName">ourdomain.local</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">LT-148</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">10.1.2.3</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
```
My config looks like this:
```toml
[[inputs.win_eventlog]]
  only_first_line_of_message = true
  timestamp_from_event = true
  event_tags = ["Source", "EventID", "Level", "LevelText", "Task", "TaskText", "Opcode", "OpcodeText", "Keywords", "Channel", "Computer", "*WorkstationName*", "*TargetUserName*"]
  from_beginning = true
  xpath_query = '''
  <QueryList>
    <Query Id="0" Path="Application">
      <Select Path="Application">*[System[(Level < 4)]]</Select>
    </Query>
    <Query Id="1" Path="Security">
      <Select Path="Security">*</Select>
      <Suppress Path="Security">*[System[(EventID = 4624 or EventID = 4627 or EventID = 4634 or EventID = 4648 or EventID = 4672 or EventID = 4662 or EventID = 4768 or EventID = 4776 or EventID = 4769 or EventID = 5379)]]</Suppress>
    </Query>
    <Query Id="2" Path="System">
      <Select Path="System">*[System[(Level < 4)]]</Select>
    </Query>
  </QueryList>
  '''
```
The event is visible in Influx, but there are only fields for Data_TargetUserName and Data_WorkstationName, no tags.
If there’s another way to group by these values, that’s also fine. Currently, it is not possible to use this value for a grouping, because it is empty as a tag:
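As an added illustration (not part of the original post and not Telegraf's own code), the following Python flattens a 4625 event XML export into key/value pairs and then applies the same kind of glob list as `event_tags` to decide which keys become tags. It assumes the `Data_<Name>` naming the poster observed in Influx for EventData values and uses a trimmed, constructed copy of the event above as input; how the real plugin selects tags is not asserted here.

```python
"""Flatten a Windows Security event (XML export) and split keys into tags and fields by glob."""
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Windows event schema namespace, as seen in the xmlns of the exported event.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a 4625 (failed logon) event trimmed to the elements used below.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2024-09-23T08:57:42.4454660Z" />
    <Channel>Security</Channel>
    <Computer>RDS.ourdomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">my_account</Data>
    <Data Name="TargetDomainName">ourdomain.local</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">LT-148</Data>
    <Data Name="IpAddress">10.1.2.3</Data>
  </EventData>
</Event>"""

# Same glob list as the event_tags line in the poster's config.
TAG_GLOBS = ["Source", "EventID", "Level", "LevelText", "Task", "TaskText", "Opcode",
             "OpcodeText", "Keywords", "Channel", "Computer",
             "*WorkstationName*", "*TargetUserName*"]


def flatten_event(xml_text):
    """Return a flat dict: System children by tag name, EventData values as Data_<Name>.

    The Data_ prefix is an assumption taken from the field names the poster saw in Influx.
    """
    root = ET.fromstring(xml_text)
    flat = {}
    system = root.find("e:System", NS)
    for child in system:
        name = child.tag.split("}", 1)[1]  # strip the namespace
        if name == "TimeCreated":
            flat["TimeCreated"] = child.get("SystemTime", "")
        elif child.text is not None and child.text.strip():
            flat[name] = child.text.strip()  # empty elements such as <Security /> are skipped
    data = root.find("e:EventData", NS)
    if data is not None:
        for d in data.findall("e:Data", NS):
            flat["Data_" + d.get("Name", "")] = (d.text or "").strip()
    return flat


def split_tags_fields(flat, tag_globs):
    """Keys matching any glob (case-sensitive, fnmatch semantics) become tags, the rest fields."""
    tags, fields = {}, {}
    for key, value in flat.items():
        if any(fnmatchcase(key, g) for g in tag_globs):
            tags[key] = value
        else:
            fields[key] = value
    return tags, fields


def group_key(tags):
    """The (account, workstation) pair one would group failed logons by."""
    return (tags.get("Data_TargetUserName", ""), tags.get("Data_WorkstationName", ""))


if __name__ == "__main__":
    t, f = split_tags_fields(flatten_event(SAMPLE_EVENT), TAG_GLOBS)
    print("tags:", t)
    print("fields:", f)
    print("group by:", group_key(t))
```

With this flattening, `*WorkstationName*` does match `Data_WorkstationName` and `*TargetUserName*` matches `Data_TargetUserName`, so the glob syntax itself is not what keeps those values out of the tag set; whether the plugin applies `event_tags` to EventData keys at all is the question the post leaves open.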