Source windows_event_log fails when subscribing to Analytics/Debug channels #25600

Description

@egglessness

Problem

When using the windows_event_log source to fetch events from Analytics or Debug channels, Vector is unable to complete the subscription.

The issue stems from the fact that Analytics/Debug events are pushed into so-called "direct channels" which, unlike Admin/Operational logs, cannot be accessed via the EvtSubscribe API, but only via ETW real-time sessions (StartTrace, EnableTraceEx).
See: https://learn.microsoft.com/en-us/previous-versions//aa385225(v=vs.85)#event-types-and-channel-groups

In my case, I wanted to collect DNS logs from the Microsoft-Windows-DNSServer/Analytical provider, and I get this error:

Failed to create event subscription: The request is not supported. (0x80070032)

Is there any chance that Vector could implement a real-time ETW listener for this kind of log?
At that point, it would be a very good telemetry source for security purposes.

Configuration

sources:
  windows_events:
    data_dir: "C:\\ProgramData\\vector"
    type: windows_event_log
    channels: ["Microsoft-Windows-DNSServer/Analytical"]
    only_event_ids: [257]

transforms:
  filter_fields:
    type: remap
    inputs:
      - windows_events
    source: |
      . = {
        "timestamp": .timestamp,
        "source_ip": .event_data.Destination,
        "query_name": .event_data.QNAME,
        "query_type": .event_data.QTYPE,
        "resolver_ip": .event_data.InterfaceIP
      }

sinks:
  console:
    type: console
    encoding:
      codec: json
    inputs:
      - filter_fields

Version

0.55.0

Debug Output

2026-06-09T10:45:23.567419Z DEBUG vector::app: Internal log rate limit configured. internal_log_rate_secs=10
2026-06-09T10:45:23.567842Z  INFO vector::app: Log level is enabled. level="debug"
2026-06-09T10:45:23.568019Z DEBUG vector::app: Building runtime. worker_threads=4
2026-06-09T10:45:23.569075Z  INFO vector::app: Loading configs. paths=["C:\\Program Files\\Vector\\config\\vector.yaml"]
2026-06-09T10:45:23.570769Z DEBUG vector::config::loading::secret: No secret placeholder found, skipping secret resolution.
2026-06-09T10:45:23.573348Z DEBUG vector::topology::builder: Building new source. component_id=windows_events
2026-06-09T10:45:23.574766Z DEBUG vector::topology::builder: Building new transform. component_id=filter_fields
2026-06-09T10:45:23.575805Z DEBUG vector::topology::builder: Building new sink. component_id=console
2026-06-09T10:45:23.576392Z  INFO vector::topology::running: Running healthchecks.
2026-06-09T10:45:23.576596Z DEBUG vector::topology::running: Connecting changed/added component(s).
2026-06-09T10:45:23.576628Z  INFO vector::topology::builder: Healthcheck passed.
2026-06-09T10:45:23.576793Z DEBUG vector::topology::running: Configuring outputs for source. component_id=windows_events
2026-06-09T10:45:23.577106Z DEBUG vector::topology::running: Configuring output for component. component_id=windows_events output_id=None
2026-06-09T10:45:23.577311Z DEBUG vector::topology::running: Configuring outputs for transform. component_id=filter_fields
2026-06-09T10:45:23.577501Z DEBUG vector::topology::running: Configuring output for component. component_id=filter_fields output_id=None
2026-06-09T10:45:23.577694Z DEBUG vector::topology::running: Connecting inputs for transform. component_id=filter_fields
2026-06-09T10:45:23.577888Z DEBUG vector::topology::running: Adding component input to fanout. component_id=filter_fields fanout_id=windows_events
2026-06-09T10:45:23.578104Z DEBUG vector::topology::running: Connecting inputs for sink. component_id=console
2026-06-09T10:45:23.578287Z DEBUG vector::topology::running: Adding component input to fanout. component_id=console fanout_id=filter_fields
2026-06-09T10:45:23.578520Z DEBUG vector::topology::running: Spawning new source. component_id=windows_events
2026-06-09T10:45:23.578783Z DEBUG vector::topology::running: Spawning new transform. component_id=filter_fields
2026-06-09T10:45:23.578825Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::topology::builder: Source pump supervisor starting.
2026-06-09T10:45:23.578877Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::topology::builder: Source starting.
2026-06-09T10:45:23.579186Z DEBUG sink{component_kind="sink" component_id=console component_type=console}: vector::topology::builder: Sink starting.
2026-06-09T10:45:23.579234Z  INFO vector: Vector has started. debug="false" version="0.55.0" arch="x86_64" revision="3ca3e61 2026-04-21 05:47:19.716367954"
2026-06-09T10:45:23.579362Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::topology::builder: Source pump starting.
2026-06-09T10:45:23.579580Z DEBUG transform{component_kind="transform" component_id=filter_fields component_type=remap}: vector::topology::builder: Synchronous transform starting.
2026-06-09T10:45:23.580003Z  INFO vector::app: API is disabled, enable by setting `api.enabled` to `true` and use commands like `vector top`.
2026-06-09T10:45:23.580956Z  INFO source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::sources::windows_event_log::checkpoint: Loaded existing checkpoints. channels=3 path=C:\ProgramData\vector\windows_events\windows_event_log_checkpoints.json
2026-06-09T10:45:23.581261Z  INFO source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::sources::windows_event_log::checkpoint: Windows Event Log checkpointer initialized. checkpoint_path=C:\ProgramData\vector\windows_events\windows_event_log_checkpoints.json channels=3
2026-06-09T10:45:23.583178Z  INFO source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::sources::windows_event_log::subscription: No checkpoint found, creating fresh bookmark. channel=Microsoft-Windows-DNSServer/Analytical
2026-06-09T10:45:23.583527Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::sources::windows_event_log::bookmark: Created new bookmark. handle=EVT_HANDLE(1)
2026-06-09T10:45:23.583750Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::sources::windows_event_log::subscription: Creating pull-mode subscription. channel=Microsoft-Windows-DNSServer/Analytical query=*[System[EventID=257]] has_valid_checkpoint=false read_existing=false flags="0x1"
2026-06-09T10:45:23.588327Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::sources::windows_event_log::bookmark: Closed bookmark handle. handle=EVT_HANDLE(1)
2026-06-09T10:45:23.599052Z  INFO vector_common::shutdown: All sources have finished.
2026-06-09T10:45:23.599705Z ERROR source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::sources::windows_event_log: Windows Event Log source failed. error=Failed to create event subscription: The request is not supported. (0x80070032)
2026-06-09T10:45:23.599941Z  INFO vector_common::shutdown: Internal log [All sources have finished.] is being suppressed to avoid flooding.
2026-06-09T10:45:23.601067Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::topology::builder: Source finished normally.
2026-06-09T10:45:23.601869Z  INFO vector::app: All sources have finished.
2026-06-09T10:45:23.602758Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::topology::builder: Source pump finished normally.
2026-06-09T10:45:23.603461Z  INFO vector: Vector is stopping.
2026-06-09T10:45:23.604411Z DEBUG source{component_kind="source" component_id=windows_events component_type=windows_event_log}: vector::topology::builder: Source pump supervisor task finished normally.
2026-06-09T10:45:23.605155Z DEBUG sink{component_kind="sink" component_id=console component_type=console}: vector::utilization: Couldn't send utilization start wait message. component_id=ComponentKey { id: "console" } error="Closed(..)"
2026-06-09T10:45:23.605180Z DEBUG transform{component_kind="transform" component_id=filter_fields component_type=remap}: vector::topology::builder: Synchronous transform finished normally.
2026-06-09T10:45:23.606748Z DEBUG sink{component_kind="sink" component_id=console component_type=console}: vector::utilization: Couldn't send utilization stop wait message. component_id=ComponentKey { id: "console" } error="Closed(..)"
2026-06-09T10:45:23.608360Z DEBUG sink{component_kind="sink" component_id=console component_type=console}: vector::topology::builder: Sink finished normally.
2026-06-09T10:45:23.609245Z  INFO vector: Vector has stopped.

Example Data

No response

Additional Context

To reproduce the issue:

  • On a Windows Server box, enable the DNS Server role (Server Manager > Manage > Add Roles and Features).
  • Use the following command to ensure the channel is disabled:
      wevtutil set-log "Microsoft-Windows-DNSServer/Analytical" /enabled:false
  • Start Vector with the attached configuration file.

References

No response
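A preflight check for the failure described above, added here as an example and not part of Vector or of the reporter's configuration: it classifies each configured channel from the `type:` line that `wevtutil gl <channel>` prints (Analytic and Debug channels are the "direct" ones EvtSubscribe cannot serve) and decodes the reported HRESULT 0x80070032 into its Win32 error code (50, ERROR_NOT_SUPPORTED). The `wevtutil` output embedded below is constructed to match that format, not captured from a real host; the function names are my own.

```python
import re
import subprocess

# Channel types delivered through "direct" channels: EvtSubscribe cannot attach
# to them, which is what makes Vector's windows_event_log source fail.
DIRECT_CHANNEL_TYPES = {"analytic", "debug"}


def parse_wevtutil_gl(text):
    """Turn the `key: value` lines of `wevtutil gl <channel>` into a dict.
    Nested entries (under logging:/publishing:) are flattened into the same dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            info[m.group(1).lower()] = m.group(2).strip()
    return info


def channel_type(text):
    return parse_wevtutil_gl(text).get("type", "").lower()


def is_direct_channel(text):
    """True when the channel is Analytic or Debug, i.e. only readable via ETW."""
    return channel_type(text) in DIRECT_CHANNEL_TYPES


def preflight(channels, lookup):
    """Return the configured channels that an EvtSubscribe-based source cannot serve."""
    return [c for c in channels if is_direct_channel(lookup(c))]


def decode_hresult(code):
    """Split an HRESULT into (severity, facility, code); facility 7 means Win32."""
    return (code >> 31) & 1, (code >> 16) & 0x1FFF, code & 0xFFFF


def wevtutil_gl(channel):
    """Live lookup on a Windows host; offline runs use the constructed SAMPLE instead."""
    return subprocess.run(["wevtutil", "gl", channel],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output shaped like `wevtutil gl`, not captured from a real host.
SAMPLE = {
    "Microsoft-Windows-DNSServer/Analytical": "name: Microsoft-Windows-DNSServer/Analytical\n"
        "enabled: false\ntype: Analytic\nowningPublisher: Microsoft-Windows-DNSServer\n",
    "Security": "name: Security\nenabled: true\ntype: Admin\nowningPublisher: \n",
}

if __name__ == "__main__":
    print("channels EvtSubscribe cannot serve:", preflight(list(SAMPLE), SAMPLE.__getitem__))
    print("0x80070032 decodes to (severity, facility, code):", decode_hresult(0x80070032))
```

On a real host, pass `wevtutil_gl` as the lookup instead of `SAMPLE.__getitem__` to check the channels from a Vector configuration before starting the source.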
