Skip to main content
Solved

Edge Node Configuration Issue: JSON Format Not Natively Supported For Windows Event Logs

  • January 16, 2026
  • 5 replies
  • 15 views
M
This message originated from Cribl Community Slack.
Click here to view the original link.

Going through the interface of configuring an Edge node on Windows - there's a toggle for Windows Event Logs to collect in XML or JSON. JSON isn't native, so is there something behind the scenes going on with Edge that allows this? Traditionally with Steam you use the Windows pack to do the conversions

Best answer by pdugas

We run the XML parser on the original event (see __winEvent.parsedXML) and build the JSON object from fields there. The JSON object mostly matches the structure emitted by the original version of the source that was running PowerShell commands and relying on their JSON formating.

5 replies

P
  • pdugas
  • Employee
  • January 16, 2026
The Windows EventLog API yields XML. If you need the data in JSON for routing, filtering, etc then it's least expensive to enable the JSON option. See the internal __winEvent property for the OG data.
M
  • matthew.filler985
  • Author
  • Participating Frequently
  • January 16, 2026
Right. My question is what is Cribl doing on the backend when that toggle is flipped to enable JSON
P
  • pdugas
  • Employee
  • Answer
  • January 16, 2026
We run the XML parser on the original event (see __winEvent.parsedXML) and build the JSON object from fields there. The JSON object mostly matches the structure emitted by the original version of the source that was running PowerShell commands and relying on their JSON formating.
P
  • pdugas
  • Employee
  • January 16, 2026
I remember there were some minor differences but I'd have to dig through release notes to recall the specifics.
M
  • matthew.filler985
  • Author
  • Participating Frequently
  • January 16, 2026
Oh nice. Thx for that
Terms & ConditionsAccessibility statement