Winevtlog plugin does not include DST in UTC offset by laurensknoll · Pull Request #8386 · fluent/fluent-bit

laurensknoll · 2024-01-17T12:26:31Z

Winevtlog does not include DST in UTC offset

This change ensures that the local times emitted by the winevtlog input plugin include daylight savings time. Daylight savings time is respected as in the windows-exporter-metrics input plugin ref.

The issue arises when the Windows event log entry time (UTC) is converted into a local time, and becomes apparent after forwarding the event to Stackdriver (Google Cloud Logging):

Windows event log entries are created with a UTC-time:

<TimeCreated SystemTime="2024-01-15T15:48:24.0968832Z" />

The winevtlog input plugin outputs the value as local time
The time is displayed in local time (Sydney time zone, UTC +10:00), but does not include DST. The expected offset is +1100.

{ "TimeCreated"=>"2024-01-16 02:48:24 +1000" }

The event is outputted to stackdriver
The event time is outputted as timestamp ref in UTC.

{
  "jsonPayload": {
    "TimeCreated": "2024-01-16 02:48:24 +1000"
  },
  "timestamp": "2024-01-15T15:48:24Z",
  "receiveTimestamp": "2024-01-15T14:48:26.45698121Z",
}

The issue becomes apparent when Google Cloud Logging, on receive, adds a receiveTimestamp. This timestamp indicates that the event is from the future, because the UTC offset was not correct (+1000 instead of +1100 due to daylight savings time).

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

[ N/A ] Example configuration file for the change
This change does not add any new features to the Fluent Bit binary.
[ x ] Debug log output from testing the change
See below.
[ ? ] Attached Valgrind output that shows no leaks or memory corruption was found
Valgrind does not run on Windows. Any recommendations on running Valgrind otherwise?

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

[ N/A ] Run local packaging test showing all targets (including any new ones) build.
[ N/A ] Set ok-package-test label to test for all targets (requires maintainer to do).
This change does not touch the packaging.

Documentation

[ N/A ] Documentation required for this feature
The documentation does not mention UTC to local time conversion.

Backporting

Backport to latest stable release.
Unsure. Google Cloud Logging accepts entries up to 24 hours in the future. Impact on other outputs is not clear.

Debug output

Confirm +1000 offset via initial build
Debug output from non-fixed build:

PS C:\Develop\projects\fluent-bit\build> cmake --build .
PS C:\Develop\projects\fluent-bit\build> .\bin\debug\fluent-bit.exe -i winevtlog -p 'channels=Setup' -p 'Read_Existing_Events=true' -o stdout
Fluent Bit v2.2.2
* Copyright (C) 2015-2024 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

____________________
< Fluent Bit v2.2.2 >
 -------------------
          \
           \
            \          __---__
                    _-       /--______
               __--( /     \ )XXXXXXXXXXX\v.
             .-XXX(   O   O  )XXXXXXXXXXXXXXX-
            /XXX(       U     )        XXXXXXX\
          /XXXXX(              )--_  XXXXXXXXXXX\
         /XXXXX/ (      O     )   XXXXXX   \XXXXX\
         XXXXX/   /            XXXXXX   \__ \XXXXX
         XXXXXX__/          XXXXXX         \__---->
 ---___  XXX__/          XXXXXX      \__         /
   \-  --__/   ___/\  XXXXXX            /  ___--/=
    \-\    ___/    XXXXXX              '--- XXXXXX
       \-\/XXX\ XXXXXX                      /XXXXX
         \XXXXXXXXX   \                    /XXXXX/
          \XXXXXX      >                 _/XXXXX/
            \XXXXX--__/              __-- XXXX/
             -XXXXXXXX---------------  XXXXXX-
                \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                  ""VXXXXXXXXXXXXXXXXXXV""

[2024/01/17 21:20:45] [ info] [fluent bit] version=2.2.2, commit=e501cb5e2a, pid=11072
[2024/01/17 21:20:45] [ info] [storage] ver=1.5.1, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2024/01/17 21:20:45] [ info] [cmetrics] version=0.6.6
[2024/01/17 21:20:45] [ info] [ctraces ] version=0.4.0
[2024/01/17 21:20:45] [ info] [input:winevtlog:winevtlog.0] initializing
[2024/01/17 21:20:45] [ info] [input:winevtlog:winevtlog.0] storage_strategy='memory' (memory only)
[2024/01/17 21:20:45] [ info] [sp] stream processor started
[2024/01/17 21:20:45] [ info] [output:stdout:stdout.0] worker #0 started
[0] winevtlog.0: [[1705486846.253341100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:03 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5027225. Current state is Installed. Target state is Installed. Client id: LCUReservicing.", "StringInserts"=>["KB5027225", 5112, "In12, "Installed", "LCUReservicing"]}]
[1] winevtlog.0: [[1705486846.253735700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:12 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"=5027225 was successfully changed to the Installed state.", "StringInserts"=>["KB5027225", 5112, "Installed", "0x0", "LCUReservicing"]}]
[2] winevtlog.0: [[1705486846.254048500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:03:50 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Windows ServerDatacenter Edition. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Windowsenter Edition", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[3] winevtlog.0: [[1705486846.254345700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:14 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Internet-Explorer-Optional-Package. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Inter-Optional-Package", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[4] winevtlog.0: [[1705486846.254622500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[5] winevtlog.0: [[1705486846.255106500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package SP1 Language Pack. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["SP1 Language Pack", 50ded", 5000, "Absent", "CbsTask"]}]
[6] winevtlog.0: [[1705486846.255402500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:53 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[7] winevtlog.0: [[1705486846.255656400, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:54 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005552. Current state is Installed. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB5005552", 5112, "Installed", t", "CbsTask"]}]
[8] winevtlog.0: [[1705486846.255936200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 21:58:38 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005039. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB5005039", 5080, "Superseded"ent", "Arbiter"]}]
[9] winevtlog.0: [[1705486846.256186100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1000", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "Arbiter"]}]
[10] winevtlog.0: [[1705486846.256613800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[11] winevtlog.0: [[1705486846.256900400, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[12] winevtlog.0: [[1705486846.257135500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[13] winevtlog.0: [[1705486846.257414600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[14] winevtlog.0: [[1705486846.257647000, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:20 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>11204, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Messageng changes for package KB5033914. Current state is Absent. Target state is Installed. Client id: WindowsUpdateAgent.", "StringInserts"=>["KB5033914", 5000, 12, "Installed", "WindowsUpdateAgent"]}]
[15] winevtlog.0: [[1705486846.258118800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:41 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034286. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034286", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[16] winevtlog.0: [[1705486846.258400600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:47 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"B5034286 was successfully changed to the Installed state.", "StringInserts"=>["KB5034286", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[17] winevtlog.0: [[1705486846.258646700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:39:00 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034129. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034129", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[18] winevtlog.0: [[1705486846.258914600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>4, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:48:24 +1000", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"is necessary before package KB5034129 can be changed to the Installed state.", "StringInserts"=>["KB5034129", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[2024/01/17 21:22:54] [engine] caught signal (SIGINT)
[2024/01/17 21:22:55] [ warn] [engine] service will shutdown in max 5 seconds
[2024/01/17 21:22:55] [ info] [input] pausing winevtlog.0
[2024/01/17 21:22:56] [ info] [engine] service has stopped (0 pending tasks)
[2024/01/17 21:22:56] [ info] [input] pausing winevtlog.0
[2024/01/17 21:22:56] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2024/01/17 21:22:56] [ info] [output:stdout:stdout.0] thread worker #0 stopped

Confirm +1100 offset from fixed build
Debug output from fixed build:

PS C:\Develop\projects\fluent-bit\build> .\bin\debug\fluent-bit.exe -i winevtlog -p 'channels=Setup' -p 'Read_Existing_Events=true' -o stdout
Fluent Bit v2.2.2
* Copyright (C) 2015-2024 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

____________________
< Fluent Bit v2.2.2 >
 -------------------
          \
           \
            \          __---__
                    _-       /--______
               __--( /     \ )XXXXXXXXXXX\v.
             .-XXX(   O   O  )XXXXXXXXXXXXXXX-
            /XXX(       U     )        XXXXXXX\
          /XXXXX(              )--_  XXXXXXXXXXX\
         /XXXXX/ (      O     )   XXXXXX   \XXXXX\
         XXXXX/   /            XXXXXX   \__ \XXXXX
         XXXXXX__/          XXXXXX         \__---->
 ---___  XXX__/          XXXXXX      \__         /
   \-  --__/   ___/\  XXXXXX            /  ___--/=
    \-\    ___/    XXXXXX              '--- XXXXXX
       \-\/XXX\ XXXXXX                      /XXXXX
         \XXXXXXXXX   \                    /XXXXX/
          \XXXXXX      >                 _/XXXXX/
            \XXXXX--__/              __-- XXXX/
             -XXXXXXXX---------------  XXXXXX-
                \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                  ""VXXXXXXXXXXXXXXXXXXV""

[2024/01/17 21:18:23] [ info] [fluent bit] version=2.2.2, commit=e501cb5e2a, pid=11000
[2024/01/17 21:18:23] [ info] [storage] ver=1.5.1, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2024/01/17 21:18:23] [ info] [cmetrics] version=0.6.6
[2024/01/17 21:18:23] [ info] [ctraces ] version=0.4.0
[2024/01/17 21:18:23] [ info] [input:winevtlog:winevtlog.0] initializing
[2024/01/17 21:18:23] [ info] [input:winevtlog:winevtlog.0] storage_strategy='memory' (memory only)
[2024/01/17 21:18:23] [ info] [sp] stream processor started
[2024/01/17 21:18:23] [ info] [output:stdout:stdout.0] worker #0 started
[0] winevtlog.0: [[1705486704.852283800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:03 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5027225. Current state is Installed. Target state is Installed. Client id: LCUReservicing.", "StringInserts"=>["KB5027225", 5112, "In12, "Installed", "LCUReservicing"]}]
[1] winevtlog.0: [[1705486704.853372500, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-07 23:58:12 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>8636, "ThreadID"=>9188, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"=5027225 was successfully changed to the Installed state.", "StringInserts"=>["KB5027225", 5112, "Installed", "0x0", "LCUReservicing"]}]
[2] winevtlog.0: [[1705486704.854291400, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:03:50 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Windows ServerDatacenter Edition. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Windowsenter Edition", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[3] winevtlog.0: [[1705486704.855180600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:14 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package Internet-Explorer-Optional-Package. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["Inter-Optional-Package", 5080, "Superseded", 5000, "Absent", "CbsTask"]}]
[4] winevtlog.0: [[1705486704.856016700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[5] winevtlog.0: [[1705486704.857075200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:13:16 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package SP1 Language Pack. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["SP1 Language Pack", 50ded", 5000, "Absent", "CbsTask"]}]
[6] winevtlog.0: [[1705486704.857979100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:53 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "CbsTask"]}]
[7] winevtlog.0: [[1705486704.858821200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2023-07-08 00:18:54 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>544, "ThreadID"=>10220, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005552. Current state is Installed. Target state is Absent. Client id: CbsTask.", "StringInserts"=>["KB5005552", 5112, "Installed", t", "CbsTask"]}]
[8] winevtlog.0: [[1705486704.859664300, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 21:58:38 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB5005039. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB5005039", 5080, "Superseded"ent", "Arbiter"]}]
[9] winevtlog.0: [[1705486704.860488600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qua, "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1100", "EventRecordtivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"= changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded", t", "Arbiter"]}]
[10] winevtlog.0: [[1705486704.861534700, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[11] winevtlog.0: [[1705486704.862422800, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:47 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[12] winevtlog.0: [[1705486704.863324900, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[13] winevtlog.0: [[1705486704.864135900, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-12 22:00:48 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>2412, "ThreadID"=>4344, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB777778. Current state is Superseded. Target state is Absent. Client id: Arbiter.", "StringInserts"=>["KB777778", 5080, "Superseded",nt", "Arbiter"]}]
[14] winevtlog.0: [[1705486704.865001200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:20 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>11204, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Messageng changes for package KB5033914. Current state is Absent. Target state is Installed. Client id: WindowsUpdateAgent.", "StringInserts"=>["KB5033914", 5000, 12, "Installed", "WindowsUpdateAgent"]}]
[15] winevtlog.0: [[1705486704.866214100, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:41 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034286. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034286", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[16] winevtlog.0: [[1705486704.867038600, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>2, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:38:47 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4804, "ThreadID"=>9456, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"B5034286 was successfully changed to the Installed state.", "StringInserts"=>["KB5034286", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[17] winevtlog.0: [[1705486704.867873200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>1, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:39:00 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"g changes for package KB5034129. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU.", "StringInserts"=>["KB5034129", 5000, "AbseInstalled", "UpdateAgentLCU"]}]
[18] winevtlog.0: [[1705486704.868700200, {}], {"ProviderName"=>"Microsoft-Windows-Servicing", "ProviderGuid"=>"{BD12F3B8-FC40-4A61-A307-B7A013A069C1}", "Qu", "EventID"=>4, "Version"=>0, "Level"=>0, "Task"=>1, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024-01-16 02:48:24 +1100", "EventRecorctivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>6180, "ThreadID"=>9816, "Channel"=>"Setup", "Computer"=>"task-runner", "UserID"=>"S-1-5-18", "Message"is necessary before package KB5034129 can be changed to the Installed state.", "StringInserts"=>["KB5034129", 5112, "Installed", "0x0", "UpdateAgentLCU"]}]
[2024/01/17 21:19:45] [engine] caught signal (SIGINT)
[2024/01/17 21:19:46] [ warn] [engine] service will shutdown in max 5 seconds
[2024/01/17 21:19:46] [ info] [input] pausing winevtlog.0
[2024/01/17 21:19:47] [ info] [engine] service has stopped (0 pending tasks)
[2024/01/17 21:19:47] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2024/01/17 21:19:47] [ info] [input] pausing winevtlog.0
[2024/01/17 21:19:47] [ info] [output:stdout:stdout.0] thread worker #0 stopped

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Signed-off-by: Laurens Knoll <3205006+laurensknoll@users.noreply.github.com>

github-actions · 2024-04-17T01:49:52Z

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

laurensknoll · 2024-04-17T07:18:02Z

Hi @edsiper , @leonardo-albertovich , @fujimotos and @koleini , Could you tell me what is needed to get the PR under review?

github-actions · 2024-07-18T01:53:55Z

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

laurensknoll · 2024-07-19T14:14:47Z

Hi @edsiper , @leonardo-albertovich , @fujimotos and @koleini , Could you tell me what is needed to get the PR under review? The item has turned stale by now.

github-actions · 2024-12-14T02:07:42Z

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

cosmo0920

It's not recommended way to convert DST. This is because this hand-written conversion is only active for activated system for DST.
If we could use well maintained functions for this type of conversions, we need to use them.

I sent another PR:
#10628

cosmo0920 · 2025-07-31T02:37:37Z

Superseded by #10628.

laurensknoll · 2025-07-31T18:17:15Z

Thanks for fixing the issue @cosmo0920 👍

Great to see the use of the DynamicTimeZoneInformation function. Please note that the non-dynamic/custom method is still used by the in_windows_exporter_metrics-plugin. Could you take a look at that as well?

fluent-bit/plugins/in_windows_exporter_metrics/we_os.c

Lines 226 to 246 in 2b9741c

    
           tztype = GetTimeZoneInformation(&tzi); 
        
           switch (tztype) { 
        
           case TIME_ZONE_ID_STANDARD: 
        
               displaytz = we_convert_wstr(tzi.StandardName, CP_UTF8); 
        
               cmt_gauge_set(ctx->os->tz, timestamp, 1.0, 1, (char *[]) {displaytz}); 
        
               flb_free(displaytz); 
        
               break; 
        
           case TIME_ZONE_ID_DAYLIGHT: 
        
               displaytz = we_convert_wstr(tzi.DaylightName, CP_UTF8); 
        
               cmt_gauge_set(ctx->os->tz, timestamp, 1.0, 1, (char *[]) {displaytz}); 
        
               flb_free(displaytz); 
        
               break; 
        
           case TIME_ZONE_ID_UNKNOWN: 
        
               /* The current timezone does not use daylight saving time. */ 
        
               displaytz = we_convert_wstr(tzi.StandardName, CP_UTF8); 
        
               cmt_gauge_set(ctx->os->tz, timestamp, 1.0, 1, (char *[]) {displaytz}); 
        
               flb_free(displaytz); 
        
               break; 
        
           default: 
        
               flb_plg_error(ctx->ins, "Error to retrieve timezone information with status: %d", GetLastError()); 
        
           }

cosmo0920 · 2025-08-01T06:52:04Z

Ah, thanks for the catch of remaining usages of static TimeZone handling functions. I'll handle them! 👍

in_winevtlog: include daylight savings time offset to utc offset

f2e6efe

Signed-off-by: Laurens Knoll <3205006+laurensknoll@users.noreply.github.com>

laurensknoll requested review from edsiper, fujimotos, koleini and leonardo-albertovich as code owners January 17, 2024 12:26

github-actions bot added the docs-required label Jan 17, 2024

laurensknoll mentioned this pull request Jan 17, 2024

Winevtlog does not include DST in UTC offset #8385

Closed

1 task

github-actions bot added the Stale label Apr 17, 2024

github-actions bot removed the Stale label Apr 19, 2024

github-actions bot added the Stale label Jul 18, 2024

github-actions bot removed the Stale label Jul 20, 2024

github-actions bot added the Stale label Dec 14, 2024

github-actions bot removed the Stale label Mar 22, 2025

cosmo0920 mentioned this pull request Jul 22, 2025

in_winevtlog: Handle Daylight saving time by using newer functions #10628

Merged

7 tasks

cosmo0920 requested changes Jul 22, 2025

View reviewed changes

cosmo0920 closed this Jul 31, 2025

cosmo0920 mentioned this pull request Aug 2, 2025

in_windows_exporter_metrics: Handle DST more precisely with dynamic timezone verison of functions #10676

Merged

7 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Winevtlog plugin does not include DST in UTC offset#8386

Winevtlog plugin does not include DST in UTC offset#8386
laurensknoll wants to merge 1 commit intofluent:masterfrom
laurensknoll:winevtlog-include-dst

laurensknoll commented Jan 17, 2024

Uh oh!

github-actions bot commented Apr 17, 2024

Uh oh!

laurensknoll commented Apr 17, 2024

Uh oh!

github-actions bot commented Jul 18, 2024

Uh oh!

laurensknoll commented Jul 19, 2024

Uh oh!

github-actions bot commented Dec 14, 2024

Uh oh!

cosmo0920 left a comment •

edited

Loading

Uh oh!

cosmo0920 commented Jul 31, 2025

Uh oh!

laurensknoll commented Jul 31, 2025

Uh oh!

cosmo0920 commented Aug 1, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

Conversation

laurensknoll commented Jan 17, 2024

Debug output

Uh oh!

github-actions bot commented Apr 17, 2024

Uh oh!

laurensknoll commented Apr 17, 2024

Uh oh!

github-actions bot commented Jul 18, 2024

Uh oh!

laurensknoll commented Jul 19, 2024

Uh oh!

github-actions bot commented Dec 14, 2024

Uh oh!

cosmo0920 left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

cosmo0920 commented Jul 31, 2025

Uh oh!

laurensknoll commented Jul 31, 2025

Uh oh!

cosmo0920 commented Aug 1, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

cosmo0920 left a comment •

edited

Loading