
Winevtlog does not include DST in UTC offset #8385

Closed
laurensknoll wants to merge 2 commits into fluent:master from laurensknoll:winevtlog-include-dst-in-utc-offset

@laurensknoll

This change ensures that the local times emitted by the winevtlog input plugin include daylight savings time. Daylight savings time is respected as in the windows-exporter-metrics input plugin ref.

The issue arises when the Windows event log entry time (UTC) is converted into a local time, and becomes apparent after forwarding the event to Stackdriver (Google Cloud Logging):

  1. Windows event log entries are created with a UTC-time:
<TimeCreated SystemTime="2024-01-15T15:48:24.0968832Z" />
  2. The winevtlog input plugin outputs the value as local time
    The time is displayed in local time (Sydney time zone, UTC +10:00), but does not include DST. The expected offset is +1100.
{ "TimeCreated"=>"2024-01-16 02:48:24 +1000" }
  3. The event is outputted to Stackdriver
    The event time is outputted as timestamp ref in UTC.
{
  "jsonPayload": {
    "TimeCreated": "2024-01-16 02:48:24 +1000"
  },
  "timestamp": "2024-01-15T15:48:24Z",
  "receiveTimestamp": "2024-01-15T14:48:26.45698121Z"
}

The issue becomes apparent when Google Cloud Logging, on receive, adds a receiveTimestamp. This timestamp indicates that the event is from the future, because the UTC offset was not correct (+1000 instead of +1100 due to daylight savings time).


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • [ N/A ] Example configuration file for the change
    This change does not add any new features to the Fluent Bit binary.
  • [ x ] Debug log output from testing the change
    See below.
  • [ ? ] Attached Valgrind output that shows no leaks or memory corruption was found
    Valgrind does not run on Windows. Any recommendations on running Valgrind otherwise?

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • [ N/A ] Run local packaging test showing all targets (including any new ones) build.
  • [ N/A ] Set ok-package-test label to test for all targets (requires maintainer to do).
    This change does not touch the packaging.

Documentation

  • [ N/A ] Documentation required for this feature
    The documentation does not mention UTC to local time conversion.

Backporting

  • Backport to latest stable release.
    Unsure. Google Cloud Logging accepts entries up to 24 hours in the future. Impact on other outputs is not clear.

Debug output

  1. Confirm +1000 offset via initial build
    Debug output from non-fixed build:
PS C:\Develop\projects\fluent-bit\build> cmake --build .
PS C:\Develop\projects\fluent-bit\build> .\bin\debug\fluent-bit.exe -i winevtlog -p 'channels=Setup' -p 'Read_Existing_Events=true' -o stdout
Fluent Bit v2.2.2
* Copyright (C) 2015-2024 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

____________________
< Fluent Bit v2.2.2 >
 -------------------
          \
           \
            \          __---__
                    _-       /--______
               __--( /     \ )XXXXXXXXXXX\v.
             .-XXX(   O   O  )XXXXXXXXXXXXXXX-
            /XXX(       U     )        XXXXXXX\
          /XXXXX(              )--_  XXXXXXXXXXX\
         /XXXXX/ (      O     )   XXXXXX   \XXXXX\
         XXXXX/   /            XXXXXX   \__ \XXXXX
         XXXXXX__/          XXXXXX         \__---->
 ---___  XXX__/          XXXXXX      \__         /
   \-  --__/   ___/\  XXXXXX            /  ___--/=
    \-\    ___/    XXXXXX              '--- XXXXXX
       \-\/XXX\ XXXXXX                      /XXXXX
         \XXXXXXXXX   \                    /XXXXX/
          \XXXXXX      >                 _/XXXXX/
            \XXXXX--__/              __-- XXXX/
             -XXXXXXXX---------------  XXXXXX-
                \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                  ""VXXXXXXXXXXXXXXXXXXV""

[2024/01/17 21:20:45] [ info] [fluent bit] version=2.2.2, commit=e501cb5e2a, pid=11072
[2024/01/17 21:20:45] [ info] [storage] ver=1.5.1, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2024/01/17 21:20:45] [ info] [cmetrics] version=0.6.6
[2024/01/17 21:20:45] [ info] [ctraces ] version=0.4.0
[2024/01/17 21:20:45] [ info] [input:winevtlog:winevtlog.0] initializing
[2024/01/17 21:20:45] [ info] [input:winevtlog:winevtlog.0] storage_strategy='memory' (memory only)
[2024/01/17 21:20:45] [ info] [sp] stream processor started
[2024/01/17 21:20:45] [ info] [output:stdout:stdout.0] worker #0 started
[0] winevtlog.0: [[1705486846.253341100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:03 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5027225. Current state is Installed. Target state is Installed. Client id: LCUReservicing.", "StringInserts"=>["KB5027225", 5112, "In12, "Installed", "LCUReservicing"]}]
[1] winevtlog.0: [[1705486846.253735700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:12 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"=5027225 was successfully changed to the Installed state.", "StringInserts"=>["KB5027225", 5112, "Installed", "0x0", "LCUReservicing"]}]
[2] winevtlog.0: [[1705486846.254048500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:03:50 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Windows ServerDatacenter Edition. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Windowsenter Edition", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[3] winevtlog.0: [[1705486846.254345700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:14 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Internet-Explorer-Optional-Package. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Inter-Optional-Package", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[4] winevtlog.0: [[1705486846.254622500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[5] winevtlog.0: [[1705486846.255106500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package SP1 Language Pack. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["SP1 Language Pack", 50ded", 5000, "Absent", "CbsTask"]}]
[6] winevtlog.0: [[1705486846.255402500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:53 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[7] winevtlog.0: [[1705486846.255656400, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:54 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005552. Current state is Installed. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB5005552", 5112, "Installed", t", "CbsTask"]}]
[8] winevtlog.0: [[1705486846.255936200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 21:58:38 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005039. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB5005039", 5080, "Superseded"ent", "Arbiter"]}]
[9] winevtlog.0: [[1705486846.256186100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "Arbiter"]}]
[10] winevtlog.0: [[1705486846.256613800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[11] winevtlog.0: [[1705486846.256900400, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[12] winevtlog.0: [[1705486846.257135500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[13] winevtlog.0: [[1705486846.257414600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[14] winevtlog.0: [[1705486846.257647000, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:20 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>11204, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Messageng changes for package KB5033914. Current state is Absent. Target state is Installed. Client id: WindowsUpdateAgent.", "StringInserts"=>["KB5033914", 5000, 12, "Installed", "WindowsUpdateAgent"]}]
[15] winevtlog.0: [[1705486846.258118800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:41 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034286. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034286", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[16] winevtlog.0: [[1705486846.258400600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:47 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"B5034286 was successfully changed to the Installed state.", "StringInserts"=>["KB5034286", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[17] winevtlog.0: [[1705486846.258646700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:39:00 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034129. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034129", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[18] winevtlog.0: [[1705486846.258914600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>4, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:48:24 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"is necessary before package KB5034129 can be changed to the Installed state.", "StringInserts"=>["KB5034129", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[2024/01/17 21:22:54] [engine] caught signal (SIGINT)
[2024/01/17 21:22:55] [ warn] [engine] service will shutdown in max 5 seconds
[2024/01/17 21:22:55] [ info] [input] pausing winevtlog.0
[2024/01/17 21:22:56] [ info] [engine] service has stopped (0 pending tasks)
[2024/01/17 21:22:56] [ info] [input] pausing winevtlog.0
[2024/01/17 21:22:56] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2024/01/17 21:22:56] [ info] [output:stdout:stdout.0] thread worker #0 stopped
  2. Confirm +1100 offset from fixed build
    Debug output from fixed build:
PS C:\Develop\projects\fluent-bit\build> .\bin\debug\fluent-bit.exe -i winevtlog -p 'channels=Setup' -p 'Read_Existing_Events=true' -o stdout
Fluent Bit v2.2.2
* Copyright (C) 2015-2024 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

____________________
< Fluent Bit v2.2.2 >
 -------------------
          \
           \
            \          __---__
                    _-       /--______
               __--( /     \ )XXXXXXXXXXX\v.
             .-XXX(   O   O  )XXXXXXXXXXXXXXX-
            /XXX(       U     )        XXXXXXX\
          /XXXXX(              )--_  XXXXXXXXXXX\
         /XXXXX/ (      O     )   XXXXXX   \XXXXX\
         XXXXX/   /            XXXXXX   \__ \XXXXX
         XXXXXX__/          XXXXXX         \__---->
 ---___  XXX__/          XXXXXX      \__         /
   \-  --__/   ___/\  XXXXXX            /  ___--/=
    \-\    ___/    XXXXXX              '--- XXXXXX
       \-\/XXX\ XXXXXX                      /XXXXX
         \XXXXXXXXX   \                    /XXXXX/
          \XXXXXX      >                 _/XXXXX/
            \XXXXX--__/              __-- XXXX/
             -XXXXXXXX---------------  XXXXXX-
                \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                  ""VXXXXXXXXXXXXXXXXXXV""

[2024/01/17 21:18:23] [ info] [fluent bit] version=2.2.2, commit=e501cb5e2a, pid=11000
[2024/01/17 21:18:23] [ info] [storage] ver=1.5.1, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2024/01/17 21:18:23] [ info] [cmetrics] version=0.6.6
[2024/01/17 21:18:23] [ info] [ctraces ] version=0.4.0
[2024/01/17 21:18:23] [ info] [input:winevtlog:winevtlog.0] initializing
[2024/01/17 21:18:23] [ info] [input:winevtlog:winevtlog.0] storage_strategy='memory' (memory only)
[2024/01/17 21:18:23] [ info] [sp] stream processor started
[2024/01/17 21:18:23] [ info] [output:stdout:stdout.0] worker #0 started
[0] winevtlog.0: [[1705486704.852283800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:03 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5027225. Current state is Installed. Target state is Installed. Client id: LCUReservicing.", "StringInserts"=>["KB5027225", 5112, "In12, "Installed", "LCUReservicing"]}]
[1] winevtlog.0: [[1705486704.853372500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:12 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"=5027225 was successfully changed to the Installed state.", "StringInserts"=>["KB5027225", 5112, "Installed", "0x0", "LCUReservicing"]}]
[2] winevtlog.0: [[1705486704.854291400, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:03:50 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Windows ServerDatacenter Edition. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Windowsenter Edition", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[3] winevtlog.0: [[1705486704.855180600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:14 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Internet-Explorer-Optional-Package. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Inter-Optional-Package", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[4] winevtlog.0: [[1705486704.856016700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[5] winevtlog.0: [[1705486704.857075200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package SP1 Language Pack. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["SP1 Language Pack", 50ded", 5000, "Absent", "CbsTask"]}]
[6] winevtlog.0: [[1705486704.857979100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:53 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[7] winevtlog.0: [[1705486704.858821200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:54 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005552. Current state is Installed. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB5005552", 5112, "Installed", t", "CbsTask"]}]
[8] winevtlog.0: [[1705486704.859664300, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 21:58:38 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005039. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB5005039", 5080, "Superseded"ent", "Arbiter"]}]
[9] winevtlog.0: [[1705486704.860488600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "Arbiter"]}]
[10] winevtlog.0: [[1705486704.861534700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[11] winevtlog.0: [[1705486704.862422800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[12] winevtlog.0: [[1705486704.863324900, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[13] winevtlog.0: [[1705486704.864135900, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[14] winevtlog.0: [[1705486704.865001200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:20 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>11204, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Messageng changes for package KB5033914. Current state is Absent. Target state is Installed. Client id: WindowsUpdateAgent.", "StringInserts"=>["KB5033914", 5000, 12, "Installed", "WindowsUpdateAgent"]}]
[15] winevtlog.0: [[1705486704.866214100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:41 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034286. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034286", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[16] winevtlog.0: [[1705486704.867038600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:47 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"B5034286 was successfully changed to the Installed state.", "StringInserts"=>["KB5034286", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[17] winevtlog.0: [[1705486704.867873200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:39:00 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034129. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034129", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[18] winevtlog.0: [[1705486704.868700200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>4, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:48:24 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"is necessary before package KB5034129 can be changed to the Installed state.", "StringInserts"=>["KB5034129", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[2024/01/17 21:19:45] [engine] caught signal (SIGINT)
[2024/01/17 21:19:46] [ warn] [engine] service will shutdown in max 5 seconds
[2024/01/17 21:19:46] [ info] [input] pausing winevtlog.0
[2024/01/17 21:19:47] [ info] [engine] service has stopped (0 pending tasks)
[2024/01/17 21:19:47] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2024/01/17 21:19:47] [ info] [input] pausing winevtlog.0
[2024/01/17 21:19:47] [ info] [output:stdout:stdout.0] thread worker #0 stopped

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
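
An added example, not part of the pull request or of Fluent Bit's code: a check a log pipeline owner could run to catch the offset error described above, using the SystemTime and TimeCreated values quoted in the description. The function names, the record layout, the third sample record and the received-at time are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Values quoted in the pull request description.
SYSTEM_TIME_UTC = "2024-01-15T15:48:24.0968832Z"
EMITTED_BEFORE_FIX = "2024-01-16 02:48:24 +1000"
EMITTED_AFTER_FIX = "2024-01-16 02:48:24 +1100"

# Constructed for this example: the moment a collector received the event.
RECEIVED_AT = "2024-01-15T15:48:26.0000000Z"


def parse_system_time(value):
    """Parse an event XML SystemTime (UTC, 7 fractional digits) to whole seconds."""
    # datetime keeps at most 6 fractional digits, so the fraction is dropped.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_emitted(value):
    """Parse the plugin's 'YYYY-MM-DD HH:MM:SS +hhmm' TimeCreated string."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def offset_skew_seconds(system_time, emitted):
    """Seconds by which the emitted local time, read back as UTC, leads the source."""
    source = parse_system_time(system_time)
    implied = parse_emitted(emitted).astimezone(timezone.utc)
    return int((implied - source).total_seconds())


def classify(skew, tolerance=2):
    """Separate a wrong UTC offset label from ordinary clock drift."""
    if abs(skew) <= tolerance:
        return "ok"
    # Time zone and DST offsets move in half-hour steps, so a skew that is an
    # exact multiple of 1800 s points at the offset label, not at the clock.
    if skew % 1800 == 0:
        return "utc-offset-mismatch"
    return "clock-drift"


def audit(records):
    """Return (id, skew_seconds, verdict) for each record."""
    findings = []
    for rec in records:
        skew = offset_skew_seconds(rec["SystemTime"], rec["TimeCreated"])
        findings.append((rec["id"], skew, classify(skew)))
    return findings


def is_future_dated(emitted, received_at):
    """True when the emitted time claims the event happened after it was received."""
    return parse_emitted(emitted) > parse_system_time(received_at)


# Constructed sample: the first two rows reuse the values from the description,
# the third is an invented drift case for contrast.
SAMPLE_RECORDS = [
    {"id": "before-fix", "SystemTime": SYSTEM_TIME_UTC, "TimeCreated": EMITTED_BEFORE_FIX},
    {"id": "after-fix", "SystemTime": SYSTEM_TIME_UTC, "TimeCreated": EMITTED_AFTER_FIX},
    {"id": "drift", "SystemTime": SYSTEM_TIME_UTC, "TimeCreated": "2024-01-16 02:49:01 +1100"},
]

if __name__ == "__main__":
    for rec_id, skew, verdict in audit(SAMPLE_RECORDS):
        print(f"{rec_id:12s} skew={skew:+6d}s  {verdict}")
    print("before fix future-dated:", is_future_dated(EMITTED_BEFORE_FIX, RECEIVED_AT))
    print("after fix future-dated: ", is_future_dated(EMITTED_AFTER_FIX, RECEIVED_AT))
```

The wall-clock digits are identical in both builds; only the offset label differs, which is why the pre-fix value lands exactly one hour ahead of the source time once a consumer converts it back to UTC.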

@laurensknoll

Fixed commit messages in secondary branch. New PR: #8386
