# Master configuration template file for google-fluentd on windows. @include 'config.d/**/*.conf' # Transform the winevtlog output to match what the google_cloud plugin expects. @type record_transformer # Allow Ruby expressions. enable_ruby # Rename description to message. message ${record['Description']} severity ${case record['Level']; when '0' then 'DEFAULT'; when '1' then 'CRITICAL'; when '2' then 'ERROR'; when '3' then 'WARNING'; when '4' then 'INFO'; when '5' then 'DEBUG'; else 'INFO'; end} # Parse the time the log was generated into a format 'google_cloud' # can understand. time ${t = Time.parse(record['TimeCreated']).strftime("%FT%T.%NZ")} # Add a unique insertId to each log entry that doesn't already have it. # This helps guarantee the order and prevent log duplication. @type add_insert_ids @type google_cloud buffer_type file buffer_path /var/log/google-fluentd/buffers # Set the chunk limit conservatively to avoid exceeding the recommended # chunk size of 5MB per write request. buffer_chunk_limit 512KB flush_interval 5s # Enforce some limit on the number of retries. disable_retry_limit false # After 3 retries, a given chunk will be discarded. retry_limit 3 # Wait 10 seconds before the first retry. The wait interval will be doubled on # each following retry (20s, 40s...) until it hits the retry limit. retry_wait 10 # Never wait longer than 5 minutes between retries. If the wait interval # reaches this limit, the exponentiation stops. # Given the default config, this limit should never be reached, but if # retry_limit and retry_wait are customized, this limit might take effect. max_retry_wait 300 # Use multiple threads for processing. num_threads 8 # Use the gRPC transport. use_grpc true # If a request is a mix of valid log entries and invalid ones, ingest the # valid ones and drop the invalid ones instead of dropping everything. partial_success true @type windows_eventlog2 # Watch the main event channels channels application,system,security @type local persistent true # The path is a place holder that should be updated # during the agent install process. path .\Main\pos\winevtlog.pos # Read every 2 seconds. read_interval 2 tag winevt.raw