From 0ec4d880d70e8e279e8a625532b570dbef4dbfa3 Mon Sep 17 00:00:00 2001
From: "Grot (@grafanabot)" <43478413+grafanabot@users.noreply.github.com>
Date: Thu, 23 Feb 2023 18:33:44 +0100
Subject: [PATCH] [release-2.7.x] Promtail: Fix collecting userdata field from
 Windows Event Log (#8605)

Backport 17c36d60f3bbfb1517d01fc85fd5e3ac025d2789 from #7461

---------

Co-authored-by: MarNicGit <47538428+MarNicGit@users.noreply.github.com>
Co-authored-by: DylanGuedes <djmgguedes@gmail.com>
---
 CHANGELOG.md                                        | 8 ++++++++
 clients/pkg/promtail/targets/windows/format.go      | 2 +-
 clients/pkg/promtail/targets/windows/target_test.go | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42a3489ddfe1..8fb7d48f7559 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,14 @@
 
 ### Dependencies
 
+## 2.7.4 (2023-02-23)
+
+#### Promtail
+
+##### Fixes
+
+* [7461](https://github.com/grafana/loki/pull/7461) **MarNicGit**: Promtail: Fix collecting userdata field from Windows Event Log
+
 ## 2.7.3 (2023-02-01)
 
 #### Loki
diff --git a/clients/pkg/promtail/targets/windows/format.go b/clients/pkg/promtail/targets/windows/format.go
index a1f139ab5dc2..03c83ef54ce1 100644
--- a/clients/pkg/promtail/targets/windows/format.go
+++ b/clients/pkg/promtail/targets/windows/format.go
@@ -80,7 +80,7 @@ func formatLine(cfg *scrapeconfig.WindowsEventsTargetConfig, event win_eventlog.
 		structuredEvent.EventData = string(event.EventData.InnerXML)
 	}
 	if !cfg.ExcludeUserData {
-		structuredEvent.UserData = string(event.EventData.InnerXML)
+		structuredEvent.UserData = string(event.UserData.InnerXML)
 	}
 	if event.Correlation.ActivityID != "" || event.Correlation.RelatedActivityID != "" {
 		structuredEvent.Correlation = &Correlation{
diff --git a/clients/pkg/promtail/targets/windows/target_test.go b/clients/pkg/promtail/targets/windows/target_test.go
index 4c098f3101c7..fffc123af550 100644
--- a/clients/pkg/promtail/targets/windows/target_test.go
+++ b/clients/pkg/promtail/targets/windows/target_test.go
@@ -156,7 +156,7 @@ func Test_renderEntries(t *testing.T) {
 			Labels: model.LabelSet{"channel": "channel", "computer": "local", "job": "windows-events"},
 			Entry: logproto.Entry{
 				Timestamp: time.Unix(0, 1).UTC(),
-				Line:      `{"source":"Application","channel":"channel","computer":"local","event_id":10,"version":10,"level":10,"task":10,"opCode":10,"keywords":"keywords","timeCreated":"1970-01-01T00:00:00.000000001Z","eventRecordID":11,"correlation":{"activityID":"some activity","relatedActivityID":"some related activity"},"execution":{"processId":1,"threadId":5},"security":{"userId":"1"},"user_data":"eventdata","event_data":"eventdata","message":"message"}`,
+				Line:      `{"source":"Application","channel":"channel","computer":"local","event_id":10,"version":10,"level":10,"task":10,"opCode":10,"keywords":"keywords","timeCreated":"1970-01-01T00:00:00.000000001Z","eventRecordID":11,"correlation":{"activityID":"some activity","relatedActivityID":"some related activity"},"execution":{"processId":1,"threadId":5},"security":{"userId":"1"},"user_data":"userdata","event_data":"eventdata","message":"message"}`,
 			},
 		},
 	}, entries)