How to fetch remote Windows event logs with MiNiFi agent and ConsumeWindowsEventLog processor


How to fetch remote windows event logs with minifi agent and ConsumeWindowsEventLog processor

Jagan
Hi all...

I am trying to fetch remote Windows server event logs in two ways.

1. By installing a MiNiFi agent on the remote server and then creating a MiNiFi
config.yml with a ConsumeWindowsEventLog processor and a Remote Process Group.

After that I started the MiNiFi agent, where the ConsumeWindowsEventLog
processor was able to read logs from the Windows event log but was not able to
send them to the Remote Process Group; the messages are getting queued and are
not reaching the Remote Process Group.

I have seen the following error in the MiNiFi agent logs:

2018-10-31 21:02:36,690 WARN [main] org.apache.nifi.minifi.FlowEnricher
Could not find any eligible bundles for
org.apache.nifi.processors.windows.event.log.ConsumeWindowsEventLog.
Automatic start of the flow cannot be guaranteed.
2018-10-31 21:02:41,011 WARN [main] o.a.n.c.StandardFlowSynchronizer Schema
validation error parsing Flow Configuration at line 16, col 27:
cvc-complex-type.2.4.a: Invalid content was found starting with element
'maxConcurrentTasks'. One of '{bundle}' is expected.
2018-10-31 21:02:41,489 ERROR [main] o.apache.nifi.controller.FlowController
Could not create Processor of type
org.apache.nifi.processors.windows.event.log.ConsumeWindowsEventLog for ID
2b67acce-9365-3433-0000-000000000000; creating "Ghost" implementation
org.apache.nifi.controller.exception.ProcessorInstantiationException: Unable
to find bundle for coordinate default:unknown:unversioned at
org.apache.nifi.controller.FlowController.instantiateProcessor(FlowController.java:1271)

Please suggest how I can overcome this error.

The second method is:

2. By installing a MiNiFi agent on the remote server and then creating a MiNiFi
config.yml with a TailFile processor and a Remote Process Group. Here I am
specifying the file location of Application.evtx
(C:\Windows\System32\winevt\Logs\Application.evtx).

Will this method work for fetching remote Windows server event logs? When I
try this I get no response from the TailFile processor.

Please also suggest if there are better ways to do this.

Thank you all...



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: How to fetch remote Windows event logs with MiNiFi agent and ConsumeWindowsEventLog processor

Aldrin Piri
Hello,

Did you add the windows-event-log nar to your MiNiFi distribution?  This is
not a bundle that is automatically included.  The log is creating a ghost
implementation as it cannot find a backing implementation for that
component coordinate.  This is likely the best approach but you will need
to augment the standard minifi distribution to also support this
functionality.

As far as your second approach, this is unlikely to be the result you are
looking for.  To the best of my knowledge, the evtx format is a format that
would not lend itself well to the appended log format TailFile is expecting.

On Thu, Nov 1, 2018 at 12:23 PM Jagan <[hidden email]> wrote:

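A pre-flight check for the set-up discussed in this thread (the missing NAR behind the "Ghost" error in the first approach, and why TailFile on an .evtx file in the second approach stays silent), written as an added example that is not code from the thread or from Apache NiFi/MiNiFi. It assumes NiFi's NAR naming convention nifi-<bundle>-nar-<version>.nar, that ConsumeWindowsEventLog is provided by nifi-windows-event-log-nar, and that the version of nifi-standard-nar already in lib/ is a fair proxy for the NiFi release the MiNiFi distribution was built against; the lib/ listing and log line it runs on are constructed from the thread.

```python
"""Pre-flight checks for a MiNiFi (Java) agent meant to ship Windows event logs.

Added example, not code from this thread or from Apache NiFi/MiNiFi.
Assumptions, labelled where used: NiFi NARs are named
nifi-<bundle>-nar-<version>.nar, ConsumeWindowsEventLog lives in
nifi-windows-event-log-nar, and nifi-standard-nar's version stands in for
the NiFi release the MiNiFi distribution was built against.
"""
import re

CWEL = "org.apache.nifi.processors.windows.event.log.ConsumeWindowsEventLog"

# Processor class -> NAR artifact that provides it (assumed from the NiFi
# source tree layout; not read from any manifest).
CLASS_TO_NAR = {
    CWEL: "nifi-windows-event-log-nar",
    "org.apache.nifi.processors.standard.TailFile": "nifi-standard-nar",
}
NAR_RE = re.compile(r"^(?P<artifact>nifi-.+?-nar)-(?P<version>\d[\w.\-]*)\.nar$")
GHOST_RE = re.compile(
    r'Could not create Processor of type (?P<cls>\S+) for ID (?P<id>[0-9a-f\-]+);'
    r' creating "Ghost" implementation')
EVTX_MAGIC = b"ElfFile\x00"  # file-header signature of the EVTX format


def index_nars(lib_listing):
    """Map NAR artifact id -> version for the .nar files in MiNiFi's lib/."""
    nars = {}
    for name in lib_listing:
        m = NAR_RE.match(name)
        if m:
            nars[m.group("artifact")] = m.group("version")
    return nars


def bundle_problems(processor_classes, lib_listing):
    """Return (class, reason) for processors that would be instantiated as
    'Ghost' components because their NAR is not in lib/, plus NARs whose
    version differs from nifi-standard-nar (a mismatch usually breaks the
    NAR's parent-NAR dependency, so the bundle never loads)."""
    nars = index_nars(lib_listing)
    framework = nars.get("nifi-standard-nar")  # assumption: proxy for the NiFi release
    problems = []
    for cls in processor_classes:
        nar = CLASS_TO_NAR.get(cls)
        if nar is None:
            problems.append((cls, "no known NAR for this class"))
        elif nar not in nars:
            problems.append((cls, f"{nar} is missing from lib/"))
        elif framework and nars[nar] != framework:
            problems.append((cls, f"{nar} is {nars[nar]} but nifi-standard-nar is {framework}"))
    return problems


def ghost_processors(log_lines):
    """Extract (class, id) from every FlowController 'Ghost' error in the log."""
    hits = []
    for line in log_lines:
        m = GHOST_RE.search(line)
        if m:
            hits.append((m.group("cls"), m.group("id")))
    return hits


def is_evtx(head):
    """True if the first bytes carry the EVTX signature. EVTX is a chunked
    binary format, not the append-only text TailFile follows line by line."""
    return head[:len(EVTX_MAGIC)] == EVTX_MAGIC


def evtx_tailfile_targets(paths_and_heads):
    """Given (path, first bytes) per TailFile target, return the paths
    TailFile cannot usefully follow because they are EVTX files."""
    return [path for path, head in paths_and_heads if is_evtx(head)]


if __name__ == "__main__":
    # Constructed lib/ listing: a stock distribution, NAR not yet added.
    lib = ["nifi-standard-nar-1.8.0.nar", "nifi-standard-services-api-nar-1.8.0.nar",
           "nifi-api-1.8.0.jar"]
    print(bundle_problems([CWEL], lib))
    # The error from the thread, re-joined onto one line.
    log = ['2018-10-31 21:02:41,489 ERROR [main] o.apache.nifi.controller.FlowController '
           'Could not create Processor of type ' + CWEL +
           ' for ID 2b67acce-9365-3433-0000-000000000000; creating "Ghost" implementation']
    print(ghost_processors(log))
    # Constructed file heads: an EVTX header versus a plain text log.
    heads = [(r"C:\Windows\System32\winevt\Logs\Application.evtx", EVTX_MAGIC + bytes(4088)),
             (r"C:\app\logs\app.log", b"2018-10-31 21:02:36,690 INFO started\n")]
    print(evtx_tailfile_targets(heads))
```

Run it on the agent host after copying the NAR into lib/: a non-empty result from bundle_problems, or any hit from ghost_processors in minifi-app.log, means the flow will come up with a ghost processor and queue rather than send, which is exactly the symptom in the first post. The EVTX signature check shows why the second approach returns nothing: TailFile is waiting for appended text lines, and an .evtx file never produces any.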