Description
Component(s)
receiver/windowseventlog
Is your feature request related to a problem? Please describe.
There are additional fields on the Windows event XML schema that are useful to users but that we don't collect into the structured output of the receiver. It would be good to capture some of these fields.
Describe the solution you'd like
Add the following fields to the parsed output of the Windows event log receiver:
1. Security (see: SystemPropertiesType Schema)
   a. This field may contain the UserID of the user that triggered the action, which would be useful for auditing purposes.
2. Execution (see: SystemPropertiesType Schema)
   a. This field gives useful information about the process that triggered the event log when present.
Additionally, it'd be useful to scrape the UserData field. Unfortunately, the schema here is more free-form, which makes it more difficult to map to the key:value structure we have.
One idea could be some recursive structure like:
```go
// Recursive node able to hold an arbitrary XML fragment.
type XMLElement struct {
	Tag        string
	Attributes map[string]string
	CharData   string
	Children   []XMLElement
}
```
A structure like this could properly represent arbitrary XML, I believe.
Another idea would be to just keep the original XML for this field and store it on the log as unparsed text.
I have also considered adding the XML namespace (the xmlns attribute on the root tag) as an additional field, but it seems like this tag is always the same and doesn't seem to really add any information to a parsed log.
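As an added example (not code from this issue or from the receiver itself), the Security and Execution fields and the recursive UserData structure described above, parsed in Go with encoding/xml, plus a flattening step into the key:value shape the receiver's structured output uses. The type and function names (XMLElement, Event, ParseEvent, Flatten, SampleEvent) are mine, and the sample event is constructed for the example, not a real capture:

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// XMLElement is the recursive node type proposed above: it holds any
// well-formed fragment, which is what the free-form UserData needs.
type XMLElement struct {
	Tag        string
	Attributes map[string]string
	CharData   string
	Children   []XMLElement
}

// UnmarshalXML lets encoding/xml build the tree for any element the type
// is attached to, so UserData can be an ordinary struct field on Event.
func (e *XMLElement) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	e.Tag = start.Name.Local
	e.Attributes = make(map[string]string, len(start.Attr))
	for _, a := range start.Attr {
		e.Attributes[a.Name.Local] = a.Value // xmlns="..." arrives with Local "xmlns"
	}
	for {
		tok, err := d.Token()
		if err != nil {
			return err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			var child XMLElement
			if err := child.UnmarshalXML(d, t); err != nil {
				return err
			}
			e.Children = append(e.Children, child)
		case xml.CharData:
			// Whitespace between child elements is dropped; real text is kept.
			e.CharData += strings.TrimSpace(string(t))
		case xml.EndElement: // the closing tag matching start
			return nil
		}
	}
}

// Event models only what the issue asks for: Security and Execution from
// System, plus UserData kept as an opaque tree.
type Event struct {
	System struct {
		Security struct {
			UserID string `xml:"UserID,attr"` // "" when <Security/> has no UserID
		} `xml:"Security"`
		Execution struct {
			ProcessID uint32 `xml:"ProcessID,attr"`
			ThreadID  uint32 `xml:"ThreadID,attr"`
		} `xml:"Execution"`
	} `xml:"System"`
	UserData XMLElement `xml:"UserData"`
}

// ParseEvent unmarshals one rendered event; hypothetical helper for the example.
func ParseEvent(raw string) (ev Event, err error) {
	err = xml.Unmarshal([]byte(raw), &ev)
	return ev, err
}

// Flatten maps a tree onto dotted keys (the receiver's key:value shape):
// attributes become "<path>.<attr>" and character data becomes "<path>".
func Flatten(e XMLElement, key string, out map[string]string) {
	for name, val := range e.Attributes {
		out[key+"."+name] = val
	}
	if e.CharData != "" {
		out[key] = e.CharData
	}
	for _, c := range e.Children {
		Flatten(c, key+"."+c.Tag, out)
	}
}

// Constructed sample, not a real capture: the layout follows the Windows
// event schema, but the SID, IDs and names are made up.
const SampleEvent = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
    <Execution ProcessID="1234" ThreadID="5678"/>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>jdoe</SubjectUserName>
    </LogFileCleared>
  </UserData>
</Event>`

func main() {
	ev, err := ParseEvent(SampleEvent)
	if err != nil {
		panic(err)
	}
	out := map[string]string{}
	Flatten(ev.UserData, ev.UserData.Tag, out)
	fmt.Println(ev.System.Security.UserID, ev.System.Execution.ProcessID, out)
}
```

Two caveats a real mapping would have to handle: Flatten as written lets repeated sibling tags overwrite each other, so a production version needs an index or a list for them; and while the root xmlns is constant, the xmlns on the UserData child identifies the provider manifest that defines the payload, so it is worth keeping as an attribute rather than dropping.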
Describe alternatives you've considered
One alternative idea would be to use the `raw` flag, in addition to some XML parsing step. Currently, I don't think there's an XML parser operator or a converter for OTTL, and I think that could lead to an "unwieldy" representation of the log.
Additional context
No response