Skip to content

Windows eventlog input plugin (based on #7020)#8000

Merged
ssoroka merged 13 commits intoinfluxdata:masterfrom
simnv:win_eventlog
Sep 28, 2020
Merged

Windows eventlog input plugin (based on #7020)#8000
ssoroka merged 13 commits intoinfluxdata:masterfrom
simnv:win_eventlog

Conversation

@simnv
Copy link
Copy Markdown
Contributor

@simnv simnv commented Aug 18, 2020
edited
Loading

  • Signed CLA.
  • Associated README.md updated.
  • Has appropriate unit tests.

Got win_eventlog pull request #7020 from @anuar45 for feature #4525 and went further (keeping his commits in this PR too):

  1. Keywords are converted from hex uint64 to text, and added as tag
  2. Event Data values are added by its names from Name attributes
  3. Additional tags and fields:
    computer, version, task, opcode, activity_id, user_id, process_id,
    process_name, thread_id
  4. user_id, activity_id, opcode are added only if not empty
  5. process_name is derived from pid
  6. Non-default Locale setting for converting Keywords to Text
  7. Updated documentation

anuar45 and others added 8 commits June 4, 2020 23:37
@anuar45
winevent_log plugin draft
dfb374f
@anuar45
winevent_log plugin draft added to all
a0c63f1
@anuar45
use of event rendering buffer
572979e
@anuar45
join event data messages using spaces
7588d25
@anuar45
parse channel name from event
0e7d867
@anuar45
documentation updated for xml query
cd11c03
@simnv
Merge remote-tracking branch 'simnv/master' into win_eventlog-input-p…
76394fc 
…lugin
@simnv
Reworked field rendering, added Locale support
6b721ad 
1. Keywords are converted from hex uint64 to text, and added as tag
2. Additional tags and fields:
computer, version, task, opcode, activity_id, user_id, process_id,
process_name, thread_id
3. user_id, activity_id, opcode are added only if not empty
4. process_name is derived from pid
5. Event Data values are added by its names from Name attributes
6. Non-default Locale setting for converting Keywords to Text
7. Updated documentation
This was referenced Aug 18, 2020
Closed
Closed
Closed
@simnv
Copy link
Copy Markdown
Contributor Author

simnv commented Aug 21, 2020
edited
Loading

Some ideas in library used in #7989 were very interesting, so I've changed code of this plugin a bit:

  1. Full list of System fields, also Level, Task and Opcode are rendered to text with given locale
  2. Message is rendered with given locale, also you can get only first line of Message
  3. Username is rendered from UserID SID
  4. Event fields filtering: you can now select which fields to use as tags, which fields to exclude, and which fields to exclude only if they are empty
  5. Globbing is supported for all those filters
  6. Added some tests for filtering logic
  7. UserData and EventData processing is now optional, also xml field naming changed a bit
  8. XML Field names Separator is now configurable

simnv added 3 commits August 21, 2020 14:37
@simnv
Expanded rendering and filtering
21940b9 
1. Full list of System fields, also Level, Task and Opcode are rendered to text with given local
2. Message is rendered with given locale, also you can get only first line of Message
3. Username is rendered from UserID SID
4. Event fields filtering: you can now select which fields to use as tags, which fields to exclude, and which fields to exclude only if they are empty
5. Globbing is supported for all those filters
6. Added some tests for filtering logic
7. UserData and EventData processing is now optional, also xml field naming changed a bit
8. XML Field names Separator is now configurable
9. Some small fixes for typos
@simnv
Fixed typos
31dd1a8
@simnv
Remove duplicate ProcessName lookup
801f483
@reimda
Copy link
Copy Markdown
Contributor

reimda commented Sep 2, 2020

Thanks @simnv for the PR! Simnv is available on the InfluxDB community slack if we have questions about this PR.

@sjwang90 sjwang90 added this to the 1.16.0 milestone Sep 9, 2020
p-zak
p-zak reviewed Sep 22, 2020
View reviewed changes
@simnv
Add more error handling, remove unused constants, fix variable name
5123301 
1. If evtSubscribe fails, return error instead of continuing
   to try with empty handle.
2. Check xml.Unmarshal for err, also add more error handling in tests.
3. Fix utf16 variable name that collided with imported package name.
4. Remove unused consts EvtRenderEventValues, EvtFormatMessageChannel,
   EvtFormatMessageProvider, EvtFormatMessageId and EvtFormatMessageXml
@simnv
Fix formatting
5620a17
@simnv
Copy link
Copy Markdown
Contributor Author

simnv commented Sep 23, 2020

@p-zak Thank you for the review!

I think I've addressed all of your notes in a new commits. Ready to discuss more. :)

p-zak
p-zak reviewed Sep 23, 2020
View reviewed changes
@p-zak
Copy link
Copy Markdown
Collaborator

p-zak commented Sep 23, 2020

@simnv I think you can resolve all previous issues - LGTM :)

@ssoroka ssoroka merged commit 57cd20a into influxdata:master Sep 28, 2020
@ssoroka ssoroka mentioned this pull request Sep 28, 2020
Closed
@p-zak p-zak mentioned this pull request Oct 6, 2020
Merged
@sjwang90 sjwang90 added the area/windows Related to windows plugins (win_eventlog, win_perf_counters, win_services) label Dec 1, 2020
@simnv simnv deleted the win_eventlog branch August 11, 2021 20:10
arstercz pushed a commit to arstercz/telegraf that referenced this pull request Mar 5, 2023
@simnv @anuar45
Windows eventlog input plugin (based on influxdata#7020) (influxdata#…
a4852b2 
…8000)

Co-authored-by: Anuar Serdaliyev <serdaliyev.anuar@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@p-zak p-zak p-zak left review comments

@ssoroka ssoroka ssoroka approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/windows Related to windows plugins (win_eventlog, win_perf_counters, win_services) new plugin platform/windows

Projects

None yet

Milestone

1.16.0

Development

Successfully merging this pull request may close these issues.

6 participants

@simnv @reimda @p-zak @ssoroka @sjwang90 @anuar45