feat(sources): Add Windows Event Log source implementation

Implement comprehensive Windows Event Log source with full feature parity
to FluentBit's winevtlog plugin, including:

- Multi-channel support with configurable polling
- Advanced filtering (event ID, level, XPath queries, provider filtering)
- XML event parsing and field extraction
- Bookmark persistence for position tracking
- Comprehensive error handling and recovery
- Rich internal events for observability
- Extensive unit test coverage (500+ lines)
- Windows API integration via windows crate

The implementation follows Vector's architecture patterns and coding
standards, with proper feature gating and conditional compilation.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: sandervandegeijn

Cargo.lock

@@ -429,6 +429,8 @@ byteorder = "1.5.0"
 
 [target.'cfg(windows)'.dependencies]
 windows-service = "0.8.0"
+windows = { version = "0.58", features = ["Win32_System_EventLog", "Win32_Foundation", "Win32_System_Com"], optional = true }
+quick-xml = { version = "0.31", default-features = false, features = ["serialize"], optional = true }
 
 [target.'cfg(unix)'.dependencies]
 nix = { version = "0.26.2", default-features = false, features = ["socket", "signal"] }
@@ -490,7 +492,7 @@ docs = ["api", "api-client", "enrichment-tables", "sinks", "sources", "sources-d
 default-cmake = ["api", "api-client", "enrichment-tables", "rdkafka?/cmake_build", "sinks", "sources", "sources-dnstap", "transforms", "unix", "rdkafka?/gssapi-vendored", "secrets"]
 # Default features for *-pc-windows-msvc
 # TODO: Enable SASL https://github.com/vectordotdev/vector/pull/3081#issuecomment-659298042
-default-msvc = ["api", "api-client", "enrichment-tables", "rdkafka?/cmake_build", "sinks", "sources", "transforms", "secrets"]
+default-msvc = ["api", "api-client", "enrichment-tables", "rdkafka?/cmake_build", "sinks", "sources", "sources-windows_eventlog", "transforms", "secrets"]
 default-musl = ["api", "api-client", "enrichment-tables", "rdkafka?/cmake_build", "sinks", "sources", "sources-dnstap", "transforms", "unix", "rdkafka?/gssapi-vendored", "secrets"]
 default-no-api-client = ["api", "enrichment-tables", "sinks", "sources", "sources-dnstap", "transforms", "unix", "rdkafka?/gssapi-vendored", "secrets"]
 default-no-vrl-cli = ["api", "sinks", "sources", "sources-dnstap", "transforms", "unix", "rdkafka?/gssapi-vendored", "secrets"]
@@ -613,6 +615,7 @@ sources-logs = [
   "sources-syslog",
   "sources-vector",
   "sources-websocket",
+  "sources-windows_eventlog",
 ]
 sources-metrics = [
   "dep:prost",
@@ -688,6 +691,7 @@ sources-utils-net-tcp = ["listenfd", "dep:ipnet"]
 sources-utils-net-udp = ["listenfd"]
 sources-utils-net-unix = []
 sources-websocket = ["dep:tokio-tungstenite"]
+sources-windows_eventlog = ["dep:windows", "dep:quick-xml"]
 
 sources-vector = ["dep:prost", "dep:tonic", "protobuf-build"]
 

Cargo.toml

@@ -141,6 +141,8 @@ mod websocket;
 mod websocket_server;
 #[cfg(feature = "transforms-window")]
 mod window;
+#[cfg(feature = "sources-windows_eventlog")]
+mod windows_eventlog;
 
 #[cfg(any(
     feature = "sources-file",
@@ -292,6 +294,8 @@ pub(crate) use self::websocket_server::*;
 pub(crate) use self::window::*;
 #[cfg(windows)]
 pub(crate) use self::windows::*;
+#[cfg(all(windows, feature = "sources-windows_eventlog"))]
+pub(crate) use self::windows_eventlog::*;
 
 pub use self::{
     adaptive_concurrency::*, batch::*, common::*, conditions::*, encoding_transcode::*,