in_winevtlog: Plug glitches of time offset for DST/STD switches

[cosmo0920]

Closes #11213.

There's DST/STD offset glitches under "TimeCreated" key's values.
This also should be handled with DynamicTimeZoneInformation related APIs.

This PR fixes this type of glitches.

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change

PS> bin/fluent-bit -i winevtlog -p Channels=System -o stdout

• Debug log output from testing the change

* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _             ___   _____
|  ___| |                | |   | ___ (_) |           /   | / __  \
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __/ /| | `' / /'
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| |   / /
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /\___  |_./ /___
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/     |_(_)_____/

             Fluent Bit v4.2 ΓÇô Direct Routes Ahead
         Celebrating 10 Years of Open, Fluent Innovation!

[2025/12/15 07:55:03.948546100] [ info] Configuration:
[2025/12/15 07:55:03.948799400] [ info]  flush time     | 1.000000 seconds
[2025/12/15 07:55:03.948826000] [ info]  grace          | 5 seconds
[2025/12/15 07:55:03.948842500] [ info]  daemon         | 0
[2025/12/15 07:55:03.948857400] [ info] ___________
[2025/12/15 07:55:03.948872200] [ info]  inputs:
[2025/12/15 07:55:03.948886900] [ info]      winevtlog
[2025/12/15 07:55:03.948901300] [ info] ___________
[2025/12/15 07:55:03.948916300] [ info]  filters:
[2025/12/15 07:55:03.948931200] [ info] ___________
[2025/12/15 07:55:03.948946200] [ info]  outputs:
[2025/12/15 07:55:03.948961000] [ info]      stdout.0
[2025/12/15 07:55:03.948975800] [ info] ___________
[2025/12/15 07:55:03.948990500] [ info]  collectors:
[2025/12/15 07:55:03.950108300] [ info] [fluent bit] version=4.2.1, commit=c06c12449f, pid=26188
[2025/12/15 07:55:03.950126500] [debug] [engine] maxstdio set: 512
[2025/12/15 07:55:03.950138500] [debug] [engine] coroutine stack size: 98302 bytes (96.0K)
[2025/12/15 07:55:03.950355100] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2025/12/15 07:55:03.950367000] [ info] [simd    ] SSE2
[2025/12/15 07:55:03.950373700] [ info] [cmetrics] version=1.0.5
[2025/12/15 07:55:03.950381900] [ info] [ctraces ] version=0.6.6
[2025/12/15 07:55:03.950609800] [ info] [input:winevtlog:winevtlog.0] initializing
[2025/12/15 07:55:03.950620600] [ info] [input:winevtlog:winevtlog.0] storage_strategy='memory' (memory only)
[2025/12/15 07:55:03.950714700] [debug] [winevtlog:winevtlog.0] created event channels: read=788 write=792
[2025/12/15 07:55:03.950729400] [debug] [input:winevtlog:winevtlog.0] connect to local machine
[2025/12/15 07:55:03.950737000] [debug] [input:winevtlog:winevtlog.0] read limit per cycle is set up as 512.0K
[2025/12/15 07:55:03.951244800] [debug] [stdout:stdout.0] created event channels: read=828 write=832
[2025/12/15 07:55:03.952084300] [ info] [sp] stream processor started
[2025/12/15 07:55:03.952339600] [ info] [output:stdout:stdout.0] worker #0 started
[2025/12/15 07:55:03.952466200] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2025/12/15 07:55:09.978571000] [debug] [input:winevtlog:winevtlog.0] read 584 bytes from 'System'
[2025/12/15 07:55:10.962507800] [debug] [task] created task=000001FC2BE78CE0 id=0 OK
[2025/12/15 07:55:10.962675200] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[0] winevtlog.0: [[1765781709.978298100, {}], {"ProviderName"=>"Netwaw18", "ProviderGuid"=>"", "Qualifiers"=>16384, "EventID"=>7021, "Version"=>0, "Level"=>4, "Task"=>0, "Opcode"=>0, "Keywords"=>"0x80000000000000", "TimeCreated"=>"2025-12-15 07:55:09 +0100", "EventRecordID"=>48032, "ActivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4, "ThreadID"=>37060, "Channel"=>"System", "Computer"=>"DESKTOP-JLLFF9D", "UserID"=>"", "Message"=>"", "StringInserts"=>["", "000088000100B400000000006D1B0040000000000000000000000000000000000000000000000000000000000B0000000D000000F0F84A819378000042756666616C6F2D41362D333436302D5750413300000000000000000000000088030A0064536EC0010000000100000008000000000000000000000000000000000000000000000000000000000000000000010005090AB401000100504A0D030204000006000000000000000100000001000000"]}]
[2025/12/15 07:55:10.970031600] [debug] [out flush] cb_destroy coro_id=0
[2025/12/15 07:55:10.970196200] [debug] [task] destroy task=000001FC2BE78CE0 (task_id=0)
[2025/12/15 07:55:13] [engine] caught signal (SIGINT)
[2025/12/15 07:55:14.46741300] [ warn] [engine] service will shutdown in max 5 seconds
[2025/12/15 07:55:14.46860300] [ info] [engine] pausing all inputs..
[2025/12/15 07:55:14.46870900] [ info] [input] pausing winevtlog.0
[2025/12/15 07:55:15.54323300] [ info] [engine] service has stopped (0 pending tasks)
[2025/12/15 07:55:15.54347000] [ info] [input] pausing winevtlog.0
[2025/12/15 07:55:15.54626300] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2025/12/15 07:55:15.54953700] [ info] [output:stdout:stdout.0] thread worker #0 stopped

"TimeCreated"=>"2025-12-15 07:55:09 +0100" contains +0100 offset now.

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Bug Fixes
  • Improved Windows event log timestamp formatting to ISO8601 with explicit timezone offset (±HHMM), correctly accounting for daylight/standard time adjustments for accurate local times and more reliable error handling when timezone conversions fail.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The head commit changed during the review from 7df71d1 to 418e9dd.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The pack_filetime implementation in the winevtlog plugin was replaced to compute local timestamps by converting FILETIME → UTC SYSTEMTIME, obtaining dynamic timezone info via GetDynamicTimeZoneInformation, converting to local SYSTEMTIME with SystemTimeToTzSpecificLocalTimeEx, computing bias (including daylight/standard adjustments), and formatting an ISO-like "YYYY-MM-DD HH:MM:SS ±HHMM" string.

Changes

Cohort / File(s)	Summary
Timezone offset fix in winevtlog plugins/in_winevtlog/pack.c	Rewrote pack_filetime: added stdlib.h include; convert FILETIME→UTC SYSTEMTIME; call GetDynamicTimeZoneInformation; convert UTC→local with SystemTimeToTzSpecificLocalTimeEx; compute bias using DYNAMIC_TIME_ZONE_INFORMATION (including Daylight/Standard adjustments), invert sign for ISO8601 offset and derive HHMM; format "YYYY-MM-DD HH:MM:SS ±HHMM" and append to encoder; return -1 on errors.

Sequence Diagram(s)

sequenceDiagram
    participant pack_filetime as pack_filetime()
    participant WinAPI as Windows API
    participant Encoder as log_encoder

    pack_filetime->>WinAPI: FileTimeToSystemTime(&st_utc)
    pack_filetime->>WinAPI: GetDynamicTimeZoneInformation(&dtzi)
    pack_filetime->>WinAPI: SystemTimeToTzSpecificLocalTimeEx(&dtzi, &st_utc, &st_local)
    pack_filetime->>pack_filetime: compute bias, offset sign, HHMM
    pack_filetime->>pack_filetime: format "YYYY-MM-DD HH:MM:SS ±HHMM"
    pack_filetime->>Encoder: append formatted timestamp
    alt any API error
        pack_filetime->>pack_filetime: return -1
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Review timezone bias calculation (Daylight vs Standard handling).
• Verify correct use and error handling of GetDynamicTimeZoneInformation and SystemTimeToTzSpecificLocalTimeEx.
• Confirm formatted offset sign and zero-padding for hours/minutes in all timezone scenarios.
• Check error propagation to caller and encoder append behavior.

Possibly related PRs

• in_windows_exporter_metrics: Handle DST more precisely with dynamic timezone verison of functions #10676 — Also changes Windows timezone handling to use dynamic timezone APIs (GetDynamicTimeZoneInformation / DYNAMIC_TIME_ZONE_INFORMATION).

Suggested reviewers

• edsiper
• fujimotos
• koleini

Poem

🐰 I hopped through clocks and Windows' maze,
Turned FILETIME bright to local days.
With dynamic bias, signed and true,
I stamp the time with ±HHMM for you.
🥕🕰️

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing timezone offset glitches during DST/STD switches in the winevtlog input's TimeCreated field.
Linked Issues check	✅ Passed	The code changes fully address the requirements from issue #11213 by implementing proper DynamicTimeZoneInformation handling and timezone offset calculation.
Out of Scope Changes check	✅ Passed	All changes in pack.c are directly scoped to fixing the timezone offset handling in the pack_filetime function, with no unrelated modifications.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

plugins/in_winevtlog/pack.c (2)

26-26: Unused include.

The <stdlib.h> include appears to be unused in this file. Consider removing it if not needed.

---

297-312: Consider handling TIME_ZONE_ID_INVALID.

GetDynamicTimeZoneInformation can return TIME_ZONE_ID_INVALID (0xFFFFFFFF) on failure. While rare, the current code would proceed with potentially uninitialized dtzi values.

     tz_id = GetDynamicTimeZoneInformation(&dtzi);
+    if (tz_id == TIME_ZONE_ID_INVALID) {
+        return -1;
+    }

     if (!SystemTimeToTzSpecificLocalTimeEx(&dtzi, &st_utc, &st_local)) {

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c06c124 and d614e5f.

📒 Files selected for processing (1)

• plugins/in_winevtlog/pack.c (2 hunks)

🧰 Additional context used

🧠 Learnings (7)

📚 Learning: 2025-08-31T12:46:11.940Z

Learnt from: ThomasDevoogdt
Repo: fluent/fluent-bit PR: 9277
File: .github/workflows/pr-compile-check.yaml:147-151
Timestamp: 2025-08-31T12:46:11.940Z
Learning: In fluent-bit CMakeLists.txt, the system library preference flags are defined as FLB_PREFER_SYSTEM_LIB_ZSTD and FLB_PREFER_SYSTEM_LIB_KAFKA with the FLB_ prefix.

Applied to files:

• plugins/in_winevtlog/pack.c

📚 Learning: 2025-08-29T06:25:02.561Z

Learnt from: shadowshot-x
Repo: fluent/fluent-bit PR: 10794
File: tests/internal/aws_compress.c:7-7
Timestamp: 2025-08-29T06:25:02.561Z
Learning: In Fluent Bit, ZSTD (zstandard) compression library is bundled directly in the source tree at `lib/zstd-1.5.7` and is built unconditionally as a static library. Unlike optional external dependencies, ZSTD does not use conditional compilation guards like `FLB_HAVE_ZSTD` and is always available. Headers like `<fluent-bit/flb_zstd.h>` can be included directly without guards.

Applied to files:

• plugins/in_winevtlog/pack.c

📚 Learning: 2025-08-29T06:25:27.250Z

Learnt from: shadowshot-x
Repo: fluent/fluent-bit PR: 10794
File: tests/internal/aws_compress.c:93-107
Timestamp: 2025-08-29T06:25:27.250Z
Learning: In Fluent Bit, ZSTD compression is enabled by default and is treated as a core dependency, not requiring conditional compilation guards like `#ifdef FLB_HAVE_ZSTD`. Unlike some other optional components such as ARROW/PARQUET (which use `#ifdef FLB_HAVE_ARROW` guards), ZSTD support is always available and doesn't need build-time conditionals. ZSTD headers are included directly without guards across multiple plugins and core components.

Applied to files:

• plugins/in_winevtlog/pack.c

📚 Learning: 2025-08-29T06:24:44.797Z

Learnt from: shadowshot-x
Repo: fluent/fluent-bit PR: 10794
File: src/aws/flb_aws_compress.c:26-26
Timestamp: 2025-08-29T06:24:44.797Z
Learning: In Fluent Bit, ZSTD support is always available and enabled by default. The build system automatically detects and uses either the system libzstd library or builds the bundled ZSTD version. Unlike other optional dependencies like Arrow which use conditional compilation guards (e.g., FLB_HAVE_ARROW), ZSTD does not require conditional includes or build flags.

Applied to files:

• plugins/in_winevtlog/pack.c

📚 Learning: 2025-11-21T06:23:29.770Z

Learnt from: cosmo0920
Repo: fluent/fluent-bit PR: 11171
File: include/fluent-bit/flb_lib.h:52-53
Timestamp: 2025-11-21T06:23:29.770Z
Learning: In Fluent Bit core (fluent/fluent-bit repository), function descriptions/documentation are not required for newly added functions in header files.

Applied to files:

• plugins/in_winevtlog/pack.c

📚 Learning: 2025-08-29T06:24:55.855Z

Learnt from: shadowshot-x
Repo: fluent/fluent-bit PR: 10794
File: src/aws/flb_aws_compress.c:52-56
Timestamp: 2025-08-29T06:24:55.855Z
Learning: ZSTD compression is always available in Fluent Bit and does not require conditional compilation guards. Unlike Arrow/Parquet which use #ifdef FLB_HAVE_ARROW guards, ZSTD is built unconditionally with flb_zstd.c included directly in src/CMakeLists.txt and a bundled ZSTD library at lib/zstd-1.5.7/.

Applied to files:

• plugins/in_winevtlog/pack.c

📚 Learning: 2025-08-29T06:24:26.170Z

Learnt from: shadowshot-x
Repo: fluent/fluent-bit PR: 10794
File: tests/internal/aws_compress.c:39-42
Timestamp: 2025-08-29T06:24:26.170Z
Learning: In Fluent Bit, ZSTD compression support is enabled by default and does not require conditional compilation guards (like #ifdef FLB_HAVE_ZSTD) around ZSTD-related code declarations and implementations.

Applied to files:

• plugins/in_winevtlog/pack.c

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (31)

• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit, x64, x64-windows-static, 3.31.6)
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit (Arm64), amd64_arm64, -DCMAKE_SYSTEM_NAME=Windows -DCMA...
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 32bit, x86, x86-windows-static, 3.31.6)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-22.04, clang-12)
• GitHub Check: PR - fuzzing test
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-22.04, clang-12)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, clang, clang++)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-24.04, clang-14)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COVERAGE=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, gcc, g++)
• GitHub Check: pr-compile-centos-7
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, clang, clang++)
• GitHub Check: pr-compile-without-cxx (3.31.6)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COMPILER_STRICT_POINTER_TYPES=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_ARROW=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, gcc, g++)

🔇 Additional comments (2)

plugins/in_winevtlog/pack.c (2)

304-325: Timezone offset calculation is correct.

The sign inversion logic properly converts Windows bias (local→UTC) to ISO8601 offset (UTC→local). This should correctly produce +0100 for CET as required by the linked issue.

---

327-347: LGTM!

The manual string formatting correctly produces the ISO8601-like timestamp with explicit timezone offset. The buffer size is adequate and error handling is present.

[cosmo0920]

With this patch, Fluent Bit can handle time zone offset changes at runtime across the different TimeZones:

Fluent Bit v4.2.1
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _             ___   _____
|  ___| |                | |   | ___ (_) |           /   | / __  \
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __/ /| | `' / /'
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| |   / /
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /\___  |_./ /___
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/     |_(_)_____/

             Fluent Bit v4.2 ΓÇô Direct Routes Ahead
         Celebrating 10 Years of Open, Fluent Innovation!

[2025/12/15 08:11:09.306357600] [ info] Configuration:
[2025/12/15 08:11:09.306681800] [ info]  flush time     | 1.000000 seconds
[2025/12/15 08:11:09.306744900] [ info]  grace          | 5 seconds
[2025/12/15 08:11:09.306786800] [ info]  daemon         | 0
[2025/12/15 08:11:09.306819800] [ info] ___________
[2025/12/15 08:11:09.306852300] [ info]  inputs:
[2025/12/15 08:11:09.306884300] [ info]      winevtlog
[2025/12/15 08:11:09.306916000] [ info] ___________
[2025/12/15 08:11:09.306947600] [ info]  filters:
[2025/12/15 08:11:09.306979700] [ info] ___________
[2025/12/15 08:11:09.307012100] [ info]  outputs:
[2025/12/15 08:11:09.307066700] [ info]      stdout.0
[2025/12/15 08:11:09.307118300] [ info] ___________
[2025/12/15 08:11:09.307153100] [ info]  collectors:
[2025/12/15 08:11:09.308852300] [ info] [fluent bit] version=4.2.1, commit=c06c12449f, pid=39088
[2025/12/15 08:11:09.308894200] [debug] [engine] maxstdio set: 512
[2025/12/15 08:11:09.308917800] [debug] [engine] coroutine stack size: 98302 bytes (96.0K)
[2025/12/15 08:11:09.309221700] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2025/12/15 08:11:09.309240600] [ info] [simd    ] SSE2
[2025/12/15 08:11:09.309249500] [ info] [cmetrics] version=1.0.5
[2025/12/15 08:11:09.309260700] [ info] [ctraces ] version=0.6.6
[2025/12/15 08:11:09.309591300] [ info] [input:winevtlog:winevtlog.0] initializing
[2025/12/15 08:11:09.309609500] [ info] [input:winevtlog:winevtlog.0] storage_strategy='memory' (memory only)
[2025/12/15 08:11:09.309754000] [debug] [winevtlog:winevtlog.0] created event channels: read=784 write=788
[2025/12/15 08:11:09.309779300] [debug] [input:winevtlog:winevtlog.0] connect to local machine
[2025/12/15 08:11:09.309789700] [debug] [input:winevtlog:winevtlog.0] read limit per cycle is set up as 512.0K
[2025/12/15 08:11:09.310546000] [debug] [stdout:stdout.0] created event channels: read=824 write=828
[2025/12/15 08:11:09.311677200] [ info] [sp] stream processor started
[2025/12/15 08:11:09.311963600] [ info] [output:stdout:stdout.0] worker #0 started
[2025/12/15 08:11:09.312091500] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2025/12/15 08:11:13.337802800] [debug] [input:winevtlog:winevtlog.0] read 584 bytes from 'System'
[2025/12/15 08:11:14.309786200] [debug] [task] created task=000001ACAB1FE420 id=0 OK
[0] winevtlog.0: [[1765782673.337639300, [2025/12/15 08:11:14.309840800] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
{}], {"ProviderName"=>"Netwaw18", "ProviderGuid"=>"", "Qualifiers"=>16384, "EventID"=>7021, "Version"=>0, "Level"=>4, "Task"=>0, "Opcode"=>0, "Keywords"=>"0x80000000000000", "TimeCreated"=>"2025-12-15 08:11:11 +0100", "EventRecordID"=>48043, "ActivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>4, "ThreadID"=>38856, "Channel"=>"System", "Computer"=>"DESKTOP-JLLFF9D", "UserID"=>"", "Message"=>"", "StringInserts"=>["", "000088000100B400000000006D1B0040000000000000000000000000000000000000000000000000000000000B0000000D000000F0F84A819379000042756666616C6F2D41362D3334363000000000000000000000000000000000003A270A00347E3FFE010000000100000007000000000000000000000000000000000000000000000000000000000000000000010005090AB601000100504A0D030204000006000000000000000100000001000000"]}]
[2025/12/15 08:11:14.317163900] [debug] [out flush] cb_destroy coro_id=0
[2025/12/15 08:11:14.317462600] [debug] [task] destroy task=000001ACAB1FE420 (task_id=0)
[2025/12/15 16:11:26.320040400] [debug] [input:winevtlog:winevtlog.0] read 2688 bytes from 'System'
[0] winevtlog.0: [[1765782686.312788400, [2025/12/15 16:11:27.309438800] [debug] [task] created task=000001ACAB1FE9C0 id=0 OK
{}], {"ProviderName"=>"Microsoft-Windows-Kernel-General[2025/12/15 16:11:27.309464000] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
", "ProviderGuid"=>"{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}", "Qualifiers"=>"", "EventID"=>22, "Version"=>0, "Level"=>4, "Task"=>8, "Opcode"=>0, "Keywords"=>"0x8000000000000010", "TimeCreated"=>"2025-12-15 16:11:25 +0900", "EventRecordID"=>48044, "ActivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>9172, "ThreadID"=>7084, "Channel"=>"System", "Computer"=>"DESKTOP-JLLFF9D", "UserID"=>"DESKTOP-JLLFF9D\cosmo", "Message"=>"The time zone bias has changed to -540 from -60.", "StringInserts"=>[-540, -60]}]
[1] winevtlog.0: [[1765782686.313656000, {}], {"ProviderName"=>"Microsoft-Windows-Kernel-General", "ProviderGuid"=>"{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}", "Qualifiers"=>"", "EventID"=>24, "Version"=>0, "Level"=>4, "Task"=>11, "Opcode"=>0, "Keywords"=>"0x8000000000000010", "TimeCreated"=>"2025-12-15 16:11:25 +0900", "EventRecordID"=>48045, "ActivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>9172, "ThreadID"=>7084, "Channel"=>"System", "Computer"=>"DESKTOP-JLLFF9D", "UserID"=>"DESKTOP-JLLFF9D\cosmo", "Message"=>"The time zone information was refreshed with exit reason 0. Current time zone bias is -540.", "StringInserts"=>[0, -540, 0, 0, 0]}]
[2] winevtlog.0: [[1765782686.317761800, {}], {"ProviderName"=>"Microsoft-Windows-HAL", "ProviderGuid"=>"{63D1E632-95CC-4443-9312-AF927761D52A}", "Qualifiers"=>"", "EventID"=>20, "Version"=>0, "Level"=>2, "Task"=>0, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2025-12-15 16:11:25 +0900", "EventRecordID"=>48046, "ActivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>9172, "ThreadID"=>7084, "Channel"=>"System", "Computer"=>"DESKTOP-JLLFF9D", "UserID"=>"DESKTOP-JLLFF9D\cosmo", "Message"=>"The hardware real-time clock was not queried because evaluation of the ACPI Time and Alarm Device method failed.  Status: 0xC00000BB.", "StringInserts"=>[3221225659]}]
[3] winevtlog.0: [[1765782686.318618100, {}], {"ProviderName"=>"Microsoft-Windows-HAL", "ProviderGuid"=>"{63D1E632-95CC-4443-9312-AF927761D52A}", "Qualifiers"=>"", "EventID"=>21, "Version"=>0, "Level"=>2, "Task"=>0, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2025-12-15 16:11:25 +0900", "EventRecordID"=>48047, "ActivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>9172, "ThreadID"=>7084, "Channel"=>"System", "Computer"=>"DESKTOP-JLLFF9D", "UserID"=>"DESKTOP-JLLFF9D\cosmo", "Message"=>"The hardware real-time clock was not set because evaluation of the ACPI Time and Alarm Device method failed.  Status: 0xC00000BB.", "StringInserts"=>[3221225659]}]
[4] winevtlog.0: [[1765782686.319794500, {}], {"ProviderName"=>"Microsoft-Windows-Kernel-General", "ProviderGuid"=>"{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}", "Qualifiers"=>"", "EventID"=>1, "Version"=>4, "Level"=>4, "Task"=>5, "Opcode"=>0, "Keywords"=>"0x8000000000000010", "TimeCreated"=>"2025-12-15 16:11:25 +0900", "EventRecordID"=>48048, "ActivityID"=>"", "RelatedActivityID"=>"", "ProcessID"=>9172, "ThreadID"=>7084, "Channel"=>"System", "Computer"=>"DESKTOP-JLLFF9D", "UserID"=>"DESKTOP-JLLFF9D\cosmo", "Message"=>"The system time has changed to ΓÇÄ2025ΓÇÄ-ΓÇÄ12ΓÇÄ-ΓÇÄ15T07:11:25.079907500Z from ΓÇÄ2025ΓÇÄ-ΓÇÄ12ΓÇÄ-ΓÇÄ15T07:11:25.079907500Z.
Time Delta: 0 ms

Change Reason: System time adjusted to the new time zone.
Process: '\Device\HarddiskVolume3\Windows\ImmersiveControlPanel\SystemSettings.exe' (PID 9172).

RTC time: ΓÇÄ2025ΓÇÄ-ΓÇÄ12ΓÇÄ-ΓÇÄ15T16:11:25.079907500Z
Current time zone bias: -540
RTC time is in UTC: false
System time was based on RTC time: false", "StringInserts"=>["2025-12-15 16:11:25 +0900", "2025-12-15 16:11:25 +0900", 0, 3, "\Device\HarddiskVolume3\Windows\ImmersiveControlPanel\SystemSettings.exe", 9172, "2025-12-16 01:11:25 +0900", -540, false, false]}]
[2025/12/15 16:11:27.334938100] [debug] [out flush] cb_destroy coro_id=1
[2025/12/15 16:11:27.335082500] [debug] [task] destroy task=000001ACAB1FE9C0 (task_id=0)
[2025/12/15 16:11:40] [engine] caught signal (SIGINT)
[2025/12/15 16:11:41.628990200] [ warn] [engine] service will shutdown in max 5 seconds
[2025/12/15 16:11:41.629042200] [ info] [engine] pausing all inputs..
[2025/12/15 16:11:41.629050900] [ info] [input] pausing winevtlog.0
[2025/12/15 16:11:42.641952600] [ info] [engine] service has stopped (0 pending tasks)
[2025/12/15 16:11:42.641979100] [ info] [input] pausing winevtlog.0
[2025/12/15 16:11:42.642020200] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2025/12/15 16:11:42.642371900] [ info] [output:stdout:stdout.0] thread worker #0 stopped

CET -> JST is also able to handle at runtime.