Bindplane agent & Windows logs : Removal of a specific XML element via processors

Hello everyone,

I have setup a Windows log collection via the Bindplane agent, everything is working fine. I just have one small issue with the logs : rawlog format is XML, it contains a key "RenderingInfo", that is useless and very verbose & that I would like to ditch at the agent level. A sample raw log is attached at the end of the post for reference. I am not sure what processor to use to remove this part of the raw log.

Supported processors : https://github.com/observIQ/bindplane-otel-collector/blob/main/docs/processors.md

I saw that attributeprocessor could meet my needs, but it is unclear to me how we can provide provide keys to target for removal since the log is just considered as a string at this point and not structured data, even though it is XML.
I also saw the transform processor could meet my needs.

Does anyone have a feedback on a similar use-case ? Which processor suits best to achieve this ?

Sample log, I would like to remove the <RenderingInfo> part, which is not useful and verbose :

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-05-19T13:16:23.206070000Z'/><EventRecordID>7586385</EventRecordID><Correlation/><Execution ProcessID='600' ThreadID='2496'/><Channel>Security</Channel><Computer>redacted_wks1.redacted_DOMAIN.sevenkingdoms.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-24270624-539530251-1652834652-1010</Data><Data Name='TargetUserName'>redacted_USERNAME</Data><Data Name='TargetDomainName'>redacted_DOMAIN</Data><Data Name='TargetLogonId'>0x2c6d75</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>redacted_WKSNAME</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>10.0.0.1</Data><Data Name='IpPort'>50375</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData><RenderingInfo Culture='en-US'><Message>An account was successfully logged on.







Subject:



	Security ID:		S-1-0-0



	Account Name:		-



	Account Domain:		-



	Logon ID:		0x0







Logon Information:



	Logon Type:		3



	Restricted Admin Mode:	-



	Virtual Account:		No



	Elevated Token:		Yes







Impersonation Level:		Impersonation







New Logon:



	Security ID:		S-1-5-21-24270624-539530251-1652834652-1010



	Account Name:		redacted_USERNAME



	Account Domain:		redacted_DOMAIN



	Logon ID:		0x2C6D75



	Linked Logon ID:		0x0



	Network Account Name:	-



	Network Account Domain:	-



	Logon GUID:		{00000000-0000-0000-0000-000000000000}







Process Information:



	Process ID:		0x0



	Process Name:		-







Network Information:



	Workstation Name:	redacted_WKSNAME



	Source Network Address:	10.0.0.1



	Source Port:		50375







Detailed Authentication Information:



	Logon Process:		NtLmSsp 



	Authentication Package:	NTLM



	Transited Services:	-



	Package Name (NTLM only):	NTLM V2



	Key Length:		128







This event is generated when a logon session is created. It is generated on the computer that was accessed.







The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.







The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).







The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.







The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.







The impersonation level field indicates the extent to which a process in the logon session can impersonate.







The authentication information fields provide detailed information about this specific logon request.



	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.



	- Transited services indicate which intermediate services have participated in this logon request.



	- Package name indicates which sub-protocol was used among the NTLM protocols.



	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.</Message><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>

Thanks in advance for your inputs 🙂
Best regards

Page 1 / 1

Hi @chrisd2 . Have you tried using the Parse XML processor for this use case yet?

https://bindplane.com/docs/resources/processors/parse-xml

After parsing the source XML I would think the next step is to reduce the XML (maybe with a Delete Fields processor if you have it available)?

@chrisd2 We have a Bindplane webinar on May 29th. You should attend and see if it helps with some of your use cases and questions.

Hi @chrisd2 . Have you tried using the Parse XML processor for this use case yet?

https://bindplane.com/docs/resources/processors/parse-xml

After parsing the source XML I would think the next step is to reduce the XML (maybe with a Delete Fields processor if you have it available)?

Hello @vaskenh,

Thanks, I'll keep your inputs in my notes. Although your suggestion is GUI-related, I guess that it uses the `transform`processor (link) with `parse_xml` (link) OTTL function under the hood (I need to configure the agent through the config file since the target lab server is deployed via Ansible).

By looking at other OTTL functions for the `transform`processor, I noticed also the `RemoveXML` (link) func that could be just what I need in one go !

"The RemoveXML Converter returns an edited version of an XML string with selected elements removed."

Anyway, as @matthewnichols suggested, I'll attend the next Bindplane webinar on May 29th and ask them directly, I'd like to make sure that I chose the most lightweight solution 🙂

@chrisd2 We have a Bindplane webinar on May 29th. You should attend and see if it helps with some of your use cases and questions.

Hello @matthewnichols , thanks for the suggestion ! I'll attend it. Will update this post with the chosen solution 🙂

That's great @chrisd2 Looking forward to seeing you online next week. And what solution helps you the best!

I had a quick (ctrl+f) look at WINEVTLOG parser, I saw mentions of "RenderingInfo" inside of it for multiple subfields, so I ended up removing only the "Message" field to minimize impact.

I added a `transform` processor in the agent config that uses the `set` OTTL function with the `RemoveXML` converter targeting the "Message" field, overwriting the whole log body and effectively removing the Message field. Everything works fine. Not much time for testing so I could not compare performance vs simple regex matching/replace on the raw log via `replace_pattern` OTTL func for example.

Resulting config:

receivers:

  windowseventlog/wec-authentication:

    channel: WEC-Authentication

    max_reads: 100

    poll_interval: 1s

    raw: true

    start_at: end



  # [...] Other WEC subscriptions



processors:

  # Optimize bandwidth, best practice

  batch:

  # Edit logs on-the-fly

  transform:

    error_mode: ignore

    log_statements:

      # Remove bloat XML element <Message> that holds some human readable data

      # redundant with the rest of the log.

      - set(log.body, RemoveXML(log.body, "/Event/RenderingInfo/Message"))



exporters:

  chronicle/chronicle_w_labels:

      compression: gzip

      # [...] Other config items for chronicle exporter



service:

  pipelines:

      logs/source0__chronicle_w_labels-0:

        receivers:

          - windowseventlog/wec-authentication

          # - [...] Other WEC subscriptions

        processors:

          - batch

          - transform

        exporters:

          - chronicle/chronicle_w_labels

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded