Question

WINEVTLOG parsing failures ingesting Windows Forwarded Events from WEC server via BindPlane

  • March 10, 2026
  • 0 replies
  • 9 views

sangrnt

Environment

  • SIEM: Google SecOps (Chronicle)
  • Collector: BindPlane (observIQ OTel Collector) — Docker deployment
  • Log Source: Windows Event Collector (WEC) server — ForwardedEvents channel
  • Log Type: WINEVTLOG
  • Subscription modes tested: RenderedText and Events (both tested, both fail differently)

Architecture

Windows Endpoints → WEF (Windows Event Forwarding) → WEC Server (ForwardedEvents channel) → BindPlane OTel Collector (Docker) → Google SecOps — WINEVTLOG parser

Problem Description

We are collecting Windows Security events forwarded from multiple endpoints to a central WEC server. BindPlane reads the ForwardedEvents channel and forwards to Google SecOps tagged as WINEVTLOG. Both available WEC subscription modes produce different but critical parsing failures.

Issue 1 — RenderedText mode: Duplicate <RenderingInfo> block

When the WEC subscription is set to RenderedText, the XML payload arrives at SecOps with two <RenderingInfo> blocks for the same event. The WINEVTLOG parser does not handle this and fails to produce valid UDM output.

Sample XML received (EventID 4688):

```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing'/>
<EventID>4688</EventID>
<TimeCreated SystemTime='2026-02-27T11:33:00.141Z'/>
<Computer>Equipo011111.DOMAINXX.COM</Computer>
</System>
<EventData>
<Data Name='SubjectUserName'>EQUIPO0XXXX$</Data>
<Data Name='NewProcessName'>C:\Windows\System32\conhost.exe</Data>
<Data Name='ParentProcessName'>C:\Windows\System32\netsh.exe</Data>
<Data Name='CommandLine'></Data>
</EventData>

<!-- First RenderingInfo block -->
<RenderingInfo Culture='en-US'>
<Message>A new process has been created...</Message>
<Task>Process Creation</Task>
<Channel>Security</Channel>
</RenderingInfo>

<!-- DUPLICATE RenderingInfo block — causes parser failure -->
<RenderingInfo Culture='en-US'>
<Message>A new process has been created...</Message>
<Level>Information</Level>
<Task>Process Creation</Task>
<Keywords><Keyword>Audit Success</Keyword></Keywords>
</RenderingInfo>
</Event>
```

Issue 2 — Events mode: Unresolved message placeholders

When the WEC subscription is set to Events, the WEC server cannot resolve message strings because it lacks the message DLLs from the source endpoints. Fields appear as unresolved format specifiers:

```xml
<RenderingInfo Culture='en-US'>
<Message>
Creator Process Name: %14!S!
Process Command Line: %9!S!
Mandatory Label: %15
Creator Process ID: %8
</Message>
</RenderingInfo>
```

---

**Comparison**

| Mode | Issue | Impact |
|------|-------|--------|
| RenderedText | Duplicate `<RenderingInfo>` in XML | Parser fails on events from WEC |
| Events | Unresolved `%N!S!` placeholders | Fields missing/garbage in UDM |
| Both | WINEVTLOG normalization incomplete | Detections and UEBA rules unreliable |

---

**Parsing Metrics (10,000 log sample)**
```
log_entry_count: 10,000
successfully_normalized_log_count: 9,775 (97%)
failed_log_count: 225
on_error_count: 2,459,931 ← disproportionately high
```

The on_error_count of ~2.4M on a 10,000 log sample suggests a structural issue with how the ForwardedEvents XML is processed by the default WINEVTLOG parser, not just isolated failures.

What was already tried

  • Changed WEC subscription from RenderedText to Events — different failure, not resolved
  • Changed WEC subscription back from Events to RenderedText — duplicate RenderingInfo persists
  • Verified BindPlane collector config — log type correctly set to WINEVTLOG
  • Confirmed raw events arrive correctly in SecOps log viewer with valid XML structure

Questions

  1. Does the default WINEVTLOG parser support the ForwardedEvents XML format when the WEC generates duplicate <RenderingInfo> blocks in RenderedText mode?
  2. Is there a recommended BindPlane transform processor to strip or deduplicate <RenderingInfo> blocks before ingestion?
  3. What is the recommended architecture for ingesting Windows Security events from a centralized WEC server via BindPlane?
  4. How should a custom parser extension handle optional fields (like LogonType) without triggering on_error on every event that doesn't contain that field?
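An added Python example (not from the post, BindPlane or Google SecOps) of the pre-ingestion clean-up asked about in question 2: it merges the two `<RenderingInfo>` blocks from Issue 1 into one and reports the unresolved `%N!S!` placeholders from Issue 2, so such records can be fixed or flagged before they reach the WINEVTLOG parser. The function names and the trimmed sample events are constructed for this example.

```python
# Added example (not from the post, BindPlane or Google SecOps): pre-ingestion
# clean-up of a WEC ForwardedEvents record. Names and samples are constructed.
import re
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
PLACEHOLDER = re.compile(r"%\d+(?:!S!)?")   # matches %8, %15, %14!S!, %9!S!
# Constructed, trimmed copy of the RenderedText-mode 4688 event (Issue 1).
RENDERED_SAMPLE = f"""<Event xmlns='{NS}'>
<System><EventID>4688</EventID></System>
<RenderingInfo Culture='en-US'><Message>A new process has been created...</Message>
<Task>Process Creation</Task><Channel>Security</Channel></RenderingInfo>
<RenderingInfo Culture='en-US'><Message>A new process has been created...</Message>
<Level>Information</Level><Task>Process Creation</Task>
<Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo>
</Event>"""

# Constructed copy of the Events-mode fragment (Issue 2), given an <Event> root.
EVENTS_SAMPLE = (f"<Event xmlns='{NS}'><RenderingInfo Culture='en-US'><Message>"
                 "Creator Process Name: %14!S!\nProcess Command Line: %9!S!\n"
                 "Mandatory Label: %15\nCreator Process ID: %8"
                 "</Message></RenderingInfo></Event>")

def rendering_info_children(xml_text):
    # Local tag names of each <RenderingInfo> block's children, in order.
    root = ET.fromstring(xml_text)
    return [[c.tag.split("}")[1] for c in block]
            for block in root.findall(f"{{{NS}}}RenderingInfo")]

def dedupe_rendering_info(xml_text):
    """Merge extra <RenderingInfo> blocks into the first. Returns (xml, removed)."""
    ET.register_namespace("", NS)            # serialise with the default xmlns
    root = ET.fromstring(xml_text)
    blocks = root.findall(f"{{{NS}}}RenderingInfo")
    if len(blocks) <= 1:
        return xml_text, 0
    keep, seen = blocks[0], {c.tag for c in blocks[0]}
    for extra in blocks[1:]:
        for child in extra:
            if child.tag not in seen:        # carry over <Level>, <Keywords>
                keep.append(child)
                seen.add(child.tag)
        root.remove(extra)                   # drop the now-merged duplicate
    return ET.tostring(root, encoding="unicode"), len(blocks) - 1

def unresolved_placeholders(xml_text):
    """Placeholders left in <Message> when WEC lacks the source message DLLs."""
    root = ET.fromstring(xml_text)
    return [p for m in root.iter(f"{{{NS}}}Message")
            for p in PLACEHOLDER.findall(m.text or "")]
```

Counting the removed blocks and the placeholders per event gives a cheap metric to compare against on_error_count, and any event with placeholders is one the parser cannot normalise regardless of how the XML is shaped.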