LOG-13046-agent-add-support-for-windows-event-logs (logdna#422)

- create new Tailer source - spawn winevt-tailer as child process (https://github.com/logdna/winevt-tailer). - receive JSON log lines from the tailer stdout - send log lines to Mezmo using standard agent LineBuilder stream infra - parameterize the tailer source in agent configuration file using new params: log.tailer_cmd, log.tailer_args Testing: - check that entries from Windows Event logs (System, Application) are correctly sent, parsed and presented in Mezmo Web UI front-end Notes: - early tailer errors and stack traces go into agent log. any non-recoverable tailer process error is fatal - causes agent to exit (and windows service to restart). - packaging includes released winevt-tailer exe into agent MSI alone with the tailer configuration appended to agent config file (yaml). - install: previous existing conf is now gets saved with timestamp suffix in name, agent uses bundled config to be fully functional. - install: if ingestion key provided during MSI or Choco install then agent config get updated with it - documentation is WIP Ref: LOG-13046 Ref: LOG-14553 Ref: LOG-14644
KeerthanaAP · Feb 9, 2023 · da31c1a · da31c1a
1 parent 1efb3e6
commit da31c1a
Show file tree

Hide file tree

Showing 22 changed files with 660 additions and 110 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,6 +10,7 @@ members = [
     "common/journald",
     "common/state",
     "common/notify_stream",
+    "api",
     "utils/metrics-recorder",
 ]
 

diff --git a/api/Cargo.toml b/api/Cargo.toml
@@ -0,0 +1,36 @@
+[package]
+name = "api"
+version = "0.1.0"
+authors = ["dkhokhlov <dkhokhlov@gmail.com>"]
+edition = "2018"
+
+[dependencies]
+http = { package = "http", path = "../common/http" }
+
+tokio = { package = "tokio", version = "1", features = ["macros", "process", "rt-multi-thread", "time"] }
+futures = "0.3"
+log = "0.4"
+time = "0.3"
+tracing = "0.1"
+
+# tailer
+combine = { package = "combine", version = "4" }
+bytes = { package = "bytes", version = "1" }
+tokio_util = { package = "tokio-util", version = "0.7", features = ["codec"] }
+
+# tests
+serial_test = { version = "0.8", optional = true }
+
+[target.'cfg(any(windows))'.dependencies]
+win32job = { package = "win32job", version = "1" }
+
+[dev-dependencies]
+env_logger = "0.9"
+partial_io = { package = "partial-io", version = "0.5", features = ["tokio1"]}
+tokio-test = "0.4"
+tracing-test = "0.2"
+
+[features]
+default = []
+tailer = []
+
diff --git a/api/src/lib.rs b/api/src/lib.rs
@@ -0,0 +1 @@
+pub mod tailer;
diff --git a/api/src/tailer/error.rs b/api/src/tailer/error.rs
@@ -0,0 +1,23 @@
+use std::fmt::{self, Display, Formatter};
+
+#[allow(dead_code)] // TODO
+#[derive(Debug)]
+pub enum TailerError {
+    InvalidJSON(String),
+}
+
+impl Display for TailerError {
+    fn fmt(&self, f: &mut Formatter) -> Result<(), fmt::Error> {
+        match self {
+            TailerError::InvalidJSON(error) => {
+                write!(f, "Invalid JSON: {}", error)
+            }
+        }
+    }
+}
+
+#[test]
+fn test_root_lvl_find_valid_path() {
+    let ex = TailerError::InvalidJSON("abc".into());
+    assert!(ex.to_string().contains("Invalid JSON:"))
+}