Forward scheduled tasks Event Viewer logs using Infrastructure agent

In the Windows Event Viewer, logs are available under Applications and Services Logs/Microsoft/Windows/TaskScheduler/Operational . I’m looking to forward only events under this with particular Event IDs, e.g. 322.

How should this be defined in the logging.yml file? I’ve looked at the example here and in the winlog.yml.example file without any success.

  # entries for the application, system, powershell, and SCOM channels
  - name: windows-application
    winlog:
      channel: Application
  - name: windows-system
    winlog:
      channel: System
  - name: windows-pshell
    winlog:
      channel: Windows Powershell
  - name: scom
    winlog:
      channel: Operations Manager

Also, what are the implications of unintentionally forwarding a large number of events?

Hi @RunRun there are some helpful examples in our documentation.

Doing something like the Windows Defender example coupled with the examples for collecting event-ids should get you what you need.

Unintentionally forwarding a large number of logs would count towards the amount of data ingested by New Relic, which could result in higher charges.

It’s possible that with a large enough amount of events you could see some rate limits as well which you can read about here.

Hope that helps!

Hi @troycox ,

I attempted the following in my C:\Program Files\New Relic\newrelic-infra\logging.d\logs.yml file but these events are not being forwarded even though I purposely generated scheduled task errors with those specific event IDs:

logs:
#  - name: windows-security
#    winlog:
#      channel: Security
#      collect-eventids:
#      - 4740
#      - 4728
#      - 4732
#      - 4756
#      - 4735
#      - 4624
#      - 4625
#      - 4648

#  - name: windows-application
#    winlog:
#      channel: Application

#  - name: newrelic-cli.log
#    file: C:\Users\Administrator.THEHOUSERULES\.newrelic\newrelic-cli.log
#    attributes:
#      newrelic-cli: true

  # Entry for Windows Task Scheduler Logs
  - name: windows-taskscheduler
    winlog:
      channel: Microsoft-Windows-TaskScheduler/Operational
      collect-eventids:
        - 101
        - 103
        - 203
        - 322
        - 329

Is there any other way to forward scheduled task run errors?

I noticed that removing the collect-eventids filtering from the above configuration results in some empty events appearing in New Relic > Logs but without the event messages, so just date and time.

I think there is a problem with Fluent-Bit as per this issue: https://github.com/fluent/fluent-bit/issues/3383

@troycox Do you have any information about the Fluent Bit v1.9.0.rc1?
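Before debugging the forwarder it helps to confirm that the Task Scheduler Operational channel is actually enabled and contains the event IDs the logs.yml entry above filters on, and to get a rough idea of how many events would be forwarded per week (the volume question raised earlier in the thread). The following PowerShell is an added example, not from the thread or from New Relic; it assumes only built-in Windows cmdlets (Get-WinEvent, wevtutil) and the channel name and event IDs already given in this thread.

```powershell
# Added example (not from the thread): verify locally that the Task Scheduler
# Operational channel is enabled and holds the event IDs being filtered on,
# and count them per ID to estimate weekly forwarding volume.
$channel  = 'Microsoft-Windows-TaskScheduler/Operational'
$eventIds = 101, 103, 203, 322, 329          # IDs from the logs.yml entry in this thread
$since    = (Get-Date).AddDays(-7)

# The Operational channel (task history) is disabled by default on current
# Windows versions; while it is disabled nothing is written, so nothing can be forwarded.
$log = Get-WinEvent -ListLog $channel
if (-not $log.IsEnabled) {
    Write-Warning "$channel is disabled. Enable it with: wevtutil set-log `"$channel`" /enabled:true"
}
"Channel: $channel  Enabled: $($log.IsEnabled)  Records: $($log.RecordCount)  MaxSizeBytes: $($log.MaximumSizeInBytes)"

# Get-WinEvent raises a terminating error when no event matches the filter,
# so suppress it and treat an empty result as "nothing to forward".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $channel
    Id        = $eventIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No matching events since $since (the channel is disabled or no task has failed in that window)."
    return
}

# Events per ID over the last week: a quick sizing of what collect-eventids would let through.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Most recent matching events, with the message text that was missing from
# the empty records the thread describes arriving in New Relic Logs.
$events | Sort-Object TimeCreated -Descending | Select-Object -First 10 |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
```

Run it in an elevated PowerShell session on the host where the infrastructure agent is installed. If the channel shows as disabled, the absence of forwarded events is explained before Fluent Bit is involved at all; if events are listed here but still do not arrive, the problem is on the forwarder side, as the rest of this thread goes on to establish. The per-ID counts, multiplied across hosts, give a defensible estimate of ingest volume before the filter is widened.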

Hi @RunRun you are correct there is a bug currently with Fluent Bit.

The Fluent Bit log forwarder is an open source project that is not directly handled by New Relic. We assume the fix will be included in the next Fluent Bit release. A summary of the issue is below.

Classic Windows EventLog channels are handled correctly.
But it looks like Microsoft-Windows-TaskScheduler/Operational is not one of the classic EventLog channels. "New" EventLog channels are stored in the evtx format, which is not handled correctly by the winlog plugin and Fluent Bit.

The progress on this Issue and pull request can be tracked via the following links:


The issue has been fixed in fluent-bit since version 1.9.0, by the introduction of a new plugin - winevtlog: add new winevtlog input plugin (#4179)

winevtlog: Implement winevtlog plugin by cosmo0920 · Pull Request #4179 · fluent/fluent-bit (github.com)

The latest version of the infrastructure agent (1.24.2) includes fluent-bit 1.9.1, but unfortunately you are still using the old plugin, e.g. winlog, so the issue still exists.

Are you able to confirm that you are working on an update to the infrastructure agent to call the new plugin, e.g. winevtlog?

Hi @Mark.Davies1

Thank you for reaching back out. Currently @troycox is out of office, I will loop him in and request he reply via this post to your update.

Hi @Mark.Davies1, while I can’t speak for the particular team working on that product or their road-map we are always working to improve our platforms.

Since this particular change is tied to the fluentbit version I would recommend keeping an eye on our release notes for changes to the underlying version of fluentbit.

Thanks!

Hi, does this problem persist? There is a way to read those events by another means and for new relic to count those that are errors.

Hi, @Nicole_Pina: You might try the Windows Event Log integration and see if it does what you need.

I need to read the logs of Microsoft-Windows-TaskScheduler/Operational

You will have to try it and see if it works.

That link you gave me is blocked because it is on GitHub. And my question was in relation to FluentBit.

Hey @Nicole_Pina,

Were you ever able to access the page that was linked above? I am not having issues with accessing this and I want to make sure you are not having troubles still.

The error persists:

Hello @Nicole_Pina,

Do you have the updated agent version, and fluent bit packaged by our agent?

Best Regards
Yasahswi verma

The server has the 1.27.1 Infrastructure Agent version, and the fluent-bit is the original one:

@yverma1

Hi, I updated the agent version but the error remains, even for other channels. How can the bug be reported to New Relic?

@Nicole_Pina

Thank you for the additional context here.

I have gone ahead and looped in the support engineer here for logs, as I cannot pinpoint why this is still persisting.

The tricky part is that fluentbit is 3rd party, but I must admit it usually works. It's possible the log format is off, which could be causing the issue. Can you send me a direct message with a sample of the log formatting? It may aid the support engineer here.

What format of the log do you need? Event Viewer, Task Scheduler or New Relic?