Posted to issues@nifi.apache.org by "Yohann (JIRA)" <ji...@apache.org> on 2016/07/28 14:20:21 UTC
[jira] [Commented] (NIFI-1502) FetchEventViewer - NiFi should be able to consume Event Viewer (Windows Logs)
[ https://issues.apache.org/jira/browse/NIFI-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397585#comment-15397585 ]
Yohann commented on NIFI-1502:
------------------------------
Do you plan to create a "ListenWindowsLog" processor?
So, NiFi would act as a "[Windows Event Collector (WEC) server|https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection]" with "[Source Initiated Subscription|https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973.aspx]".
This setup requires an XML config file like this to select which events are collected and how often:
{code:xml}
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>SampleSISubscription</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Source Initiated Subscription Sample</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
    <ConfigurationMode>Custom</ConfigurationMode>
    <Delivery Mode="Push">
        <Batching>
            <MaxItems>1</MaxItems>
            <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="60000"/>
        </PushSettings>
    </Delivery>
    <Expires>2018-01-01T00:00:00.000Z</Expires>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Path="Application">
                <Select>Event[System/EventID='999']</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>true</ReadExistingEvents>
    <TransportName>http</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
{code}
This type of collector would be very beneficial to [Apache Metron|http://metron.incubator.apache.org/].
> FetchEventViewer - NiFi should be able to consume Event Viewer (Windows Logs)
> -----------------------------------------------------------------------------
>
> Key: NIFI-1502
> URL: https://issues.apache.org/jira/browse/NIFI-1502
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Andre
> Fix For: 1.0.0
>
>
> While a lot of the use cases for NiFi orbit IoT and Unix/cloud-type workloads, I suspect NiFi would be a great fit for data collection from business-critical platforms running Windows.
> A good example of this type of workload would be ATMs running Windows 7, or even Windows XP, or the collection of Event Log error events on Windows platforms (including Azure).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
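To show what a collector on the NiFi side would have to understand from a subscription document like the one in the comment above, here is an added Python example (not NiFi, Metron or Microsoft code): it parses the subscription, extracts the delivery settings and the QueryList selects hidden inside the CDATA, and flags an expired subscription or a cleartext transport. The sample document and the list of checks are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"s": "http://schemas.microsoft.com/2006/03/windows/events/subscription"}
# Constructed sample shaped like the subscription in the comment; a second Query exercises the list handling.
SAMPLE = """<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SampleSISubscription</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Delivery Mode="Push">
    <Batching><MaxItems>1</MaxItems><MaxLatencyTime>1000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Expires>2018-01-01T00:00:00.000Z</Expires>
  <Query><![CDATA[<QueryList>
    <Query Path="Application"><Select>Event[System/EventID='999']</Select></Query>
    <Query Path="Security"><Select>Event[System/EventID='4624']</Select></Query>
  </QueryList>]]></Query>
  <TransportName>http</TransportName>
</Subscription>"""

def parse_ts(value):
    """Parse the UTC 'Z' timestamps used in the document into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_subscription(xml_text):
    """Return the settings a collector needs from a subscription document."""
    root = ET.fromstring(xml_text)
    text = lambda path: (root.findtext(path, default="", namespaces=NS) or "").strip()
    heartbeat = root.find("s:Delivery/s:PushSettings/s:Heartbeat", NS)
    # The QueryList sits in CDATA, so the outer parser sees only text; parse it on its own.
    query_root = ET.fromstring(text("s:Query"))
    return {
        "id": text("s:SubscriptionId"),
        "mode": root.find("s:Delivery", NS).get("Mode"),
        "max_items": int(text("s:Delivery/s:Batching/s:MaxItems")),
        "max_latency_ms": int(text("s:Delivery/s:Batching/s:MaxLatencyTime")),
        "heartbeat_ms": int(heartbeat.get("Interval")) if heartbeat is not None else None,
        "expires": parse_ts(text("s:Expires")),
        "transport": text("s:TransportName"),
        "queries": [(q.get("Path"), q.findtext("Select")) for q in query_root.findall("Query")],
    }

def check_subscription(sub, now_iso):
    """List problems a collector should refuse or warn on before accepting event sources."""
    checks = [
        (sub["expires"] <= parse_ts(now_iso), "subscription expired"),
        (sub["transport"].lower() != "https", "cleartext transport (TransportName is not https)"),
        (not sub["queries"], "no event queries selected"),
    ]
    return [msg for failed, msg in checks if failed]
```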