# Fluentd pipeline: Windows Event Log -> grep on EventID -> regexp parse of the
# message -> SQL insert. NOTE(review): the <source>/<filter>/<match>/<parse>/
# <buffer> section tags that delimit each stage are not present in this copy
# (they look stripped by extraction); the directives below are grouped by the
# stage they belong to. Restore the tags before loading this config.
#
# ---- input: Windows Event Log tail ----
@type windows_eventlog
# Only the Application and System channels; the Security channel, where
# 5156 is normally logged, is not listed here — confirm that is intended.
channels application, system
# Poll interval in seconds.
read_interval 5
tag winevt.raw
# ---- filter: keep only events whose EventID matches the pattern ----
@type grep
key EventID
# `pattern` is a regexp and is unanchored here, so it also matches IDs that
# merely contain 5156 (e.g. 15156); `^5156$` would pin the exact ID.
pattern 5156
# ---- filter: parse the free-text `message` field into named columns ----
@type parser
key_name message
@type regexp
# Every capture group below reads `(?\d+)` / `(?\S+)`, i.e. the group names
# are missing (`(?<EventID>\d+)` form). As written this regexp will not
# compile; the names must be restored to match the column_mapping keys.
# The `\.` after each field presumably stands for a line terminator in the
# original message — verify against a sample event.
expression /EventID="(?\d+)"\.\s+SourceName="(?\S+)"\.\s+RecordNumber="(?\d+)"\.\s+ExecutionProcessID="(?\d+)"\.\s+ExecutionThreadID="(?\d+)"\.\s+Channel="(?\S+)"\.\s+Object Server:\s+(?\S+)\.\s+Object Name:\s+(?\S+)\.\s+Process Name:\s+(?\S+)\.\s+Category="(?\S+)"\.\s+SubjectUserName="(?\S+)"\s+SubjectDomainName="(?\S+)"\.\s+ObjectType="(?\S+)"\.\s+PrivilegeList=\s+(?[\S\s]+?)\r\.\s+Application=\s+(?\S+)\.\s+Direction="(?\d+)"\.\s+SourceAddress="(?\S+)"\.\s+SourcePort="(?\d+)"\.\s+DestAddress="(?\S+)"\.\s+DestPort="(?\d+)"\.\s+Protocol="(?\d+)"\.\s+LayerName="(?\d+)"/
# ---- output: insert parsed rows into MySQL ----
@type sql
# No TLS/SSL options are set on the mysql2 adapter, so credentials and event
# data travel in clear text to this host unless the network is otherwise
# protected — worth confirming.
host 10.10.10.243
port 3306
database datadb
adapter mysql2
# Credentials are embedded in the config file. Prefer injecting them from
# the environment (Fluentd expands "#{ENV['VAR']}" inside double-quoted
# values) and restrict file permissions to the fluentd user.
username admin
# The value contains `#`; confirm the config parser does not read `#1` as a
# trailing comment — quote the value if in doubt.
password pwd$#1
# `table` names datawintb while the INSERT below targets WEID; confirm which
# the plugin honors so rows do not land in an unexpected table.
table datawintb
column_mapping 'EventID:EventID,SourceName:SourceName,RecordNumber:RecordNumber,ExecutionProcessID:ExecutionProcessID,ExecutionThreadID:ExecutionThreadID,Channel:Channel,ObjectServer:ObjectServer,ObjectName:ObjectName,ProcessName:ProcessName,Category:Category,SubjectUserName:SubjectUserName,SubjectDomainName:SubjectDomainName,ObjectType:ObjectType,PrivilegeList:PrivilegeList,Application:Application,Direction:Direction,SourceAddress:SourceAddress,SourcePort:SourcePort,DestAddress:DestAddress,DestPort:DestPort,Protocol:Protocol,LayerName:LayerName'
# Parameterized (22 `?` placeholders for 22 columns), so field values are
# bound rather than interpolated into the statement.
query INSERT INTO WEID (EventID, SourceName, RecordNumber, ExecutionProcessID, ExecutionThreadID, Channel, ObjectServer, ObjectName, ProcessName, Category, SubjectUserName, SubjectDomainName, ObjectType, PrivilegeList, Application, Direction, SourceAddress, SourcePort, DestAddress, DestPort, Protocol, LayerName) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
# ---- buffer for the SQL output ----
# In-memory buffer: anything not yet flushed is lost if the agent restarts.
# A `file` buffer is the usual choice when these events feed an audit store.
@type memory
chunk_limit_size 5MB
flush_interval 1s