[release-2.7.x] Promtail: Fix collecting userdata field from Windows …

…Event Log (#8605) Backport 17c36d6 from #7461 --------- Co-authored-by: MarNicGit <47538428+MarNicGit@users.noreply.github.com> Co-authored-by: DylanGuedes <djmgguedes@gmail.com>
grafana · Feb 23, 2023 · 0ec4d88 · 0ec4d88
1 parent 2ad1944
commit 0ec4d88
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,6 +28,14 @@
 
 ### Dependencies
 
+## 2.7.4 (2023-02-23)
+
+#### Promtail
+
+##### Fixes
+
+* [7461](https://github.com/grafana/loki/pull/7461) **MarNicGit**: Promtail: Fix collecting userdata field from Windows Event Log
+
 ## 2.7.3 (2023-02-01)
 
 #### Loki

diff --git a/clients/pkg/promtail/targets/windows/format.go b/clients/pkg/promtail/targets/windows/format.go
@@ -80,7 +80,7 @@ func formatLine(cfg *scrapeconfig.WindowsEventsTargetConfig, event win_eventlog.
 		structuredEvent.EventData = string(event.EventData.InnerXML)
 	}
 	if !cfg.ExcludeUserData {
-		structuredEvent.UserData = string(event.EventData.InnerXML)
+		structuredEvent.UserData = string(event.UserData.InnerXML)
 	}
 	if event.Correlation.ActivityID != "" || event.Correlation.RelatedActivityID != "" {
 		structuredEvent.Correlation = &Correlation{

diff --git a/clients/pkg/promtail/targets/windows/target_test.go b/clients/pkg/promtail/targets/windows/target_test.go
@@ -156,7 +156,7 @@ func Test_renderEntries(t *testing.T) {
 			Labels: model.LabelSet{"channel": "channel", "computer": "local", "job": "windows-events"},
 			Entry: logproto.Entry{
 				Timestamp: time.Unix(0, 1).UTC(),
-				Line:      `{"source":"Application","channel":"channel","computer":"local","event_id":10,"version":10,"level":10,"task":10,"opCode":10,"keywords":"keywords","timeCreated":"1970-01-01T00:00:00.000000001Z","eventRecordID":11,"correlation":{"activityID":"some activity","relatedActivityID":"some related activity"},"execution":{"processId":1,"threadId":5},"security":{"userId":"1"},"user_data":"eventdata","event_data":"eventdata","message":"message"}`,
+				Line:      `{"source":"Application","channel":"channel","computer":"local","event_id":10,"version":10,"level":10,"task":10,"opCode":10,"keywords":"keywords","timeCreated":"1970-01-01T00:00:00.000000001Z","eventRecordID":11,"correlation":{"activityID":"some activity","relatedActivityID":"some related activity"},"execution":{"processId":1,"threadId":5},"security":{"userId":"1"},"user_data":"userdata","event_data":"eventdata","message":"message"}`,
 			},
 		},
 	}, entries)