getting process/command line information from winevtlog

[mmguero]

I'm comparing output from fluent bit's winevtlog input to similar tools such as Winlogbeat and evtx.

With these other tools, process information about an executable (e.g., C:\Program Files\Google\Chrome\Application\chrome.exe) or command line (e.g., C:\Windows\System32\RuntimeBroker.exe -Embedding) are available in specific fields for these values. With fluent bit's winevtlog, I can sometimes see executable names in the stringinserts, but this is much less convenient than filtering directly on a field intended for this purpose.

Is there a way to get this sort of process information in the output of fluent bit's windows event log input? Or do I have to do post-processing of StringInserts and look for strings ending in .exe or something like that to get the same effect?

[mmguero]

And honestly, it's not just process information, but much more than that as well: process names, process PIDs, usernames, accounts and domains, most of the other tools I'm seeing parse this information out. With winevtlog I can see these values in the Message field, but that's just a block of text vs. these values being parsed into the appropriate fields by other tools, from what I'm seeing.

[patrick-stephens]

@cosmo0920 likely knows the best but I suspect the data is not parsed at the moment - now you can add a parser yeah as a filter/processor for the input to do it. I'm not sure if this input is so wildly varied across Windows versions, etc. that it did not make sense at the time to have them parsed out (plus everyone would want something slightly different).

[cosmo0920]

Yup, in winevtlog plugin, the message field is already interpolated by string inserts variables.
If they are existing in the string inserts, the message block already contains their values in it.
ProcessID, ThreadID, ActivityID, Channel, Computer and etc. are also stored as a key-value in the same records when collecting Windows EventLogs.