From ac450eb805fadf0e715d390b1e0d13999d1a4bae Mon Sep 17 00:00:00 2001
From: c0d3fau1t <115506119+c0d3fau1t@users.noreply.github.com>
Date: Sat, 15 Oct 2022 14:33:26 -0400
Subject: [PATCH] in_winevtlog: adds ability to ignore channels missing in Windows Event Log (#6176)

* Additions to in_winevtlog plugin to allow scenarios where one or more channels are missing on Windows Event Log, e.g: PowerShellCore/Operational needs the proper software installed to appear under Application and Services Log

Signed-off-by: Meissner Morales
---
 plugins/in_winevtlog/in_winevtlog.c | 7 ++++++-
 plugins/in_winevtlog/winevtlog.c | 28 ++++++++++++++++++++++------
 plugins/in_winevtlog/winevtlog.h | 3 ++-
 3 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/plugins/in_winevtlog/in_winevtlog.c b/plugins/in_winevtlog/in_winevtlog.c
index 476a114d18a..f30a9a3a63d 100644
--- a/plugins/in_winevtlog/in_winevtlog.c
+++ b/plugins/in_winevtlog/in_winevtlog.c
@@ -68,7 +68,7 @@ static int in_winevtlog_init(struct flb_input_instance *in,
         tmp = "Application";
     }
-    ctx->active_channel = winevtlog_open_all(tmp, ctx->read_existing_events);
+    ctx->active_channel = winevtlog_open_all(tmp, ctx->read_existing_events, ctx->ignore_missing_channels);
     if (!ctx->active_channel) {
         flb_plg_error(ctx->ins, "failed to open channels");
         flb_free(ctx);
@@ -238,6 +238,11 @@ static struct flb_config_map config_map[] = {
      0, FLB_TRUE, offsetof(struct winevtlog_config, use_ansi),
      "Use ANSI encoding on eventlog messages"
     },
+    {
+     FLB_CONFIG_MAP_BOOL, "ignore_missing_channels", "false",
+     0, FLB_TRUE, offsetof(struct winevtlog_config, ignore_missing_channels),
+     "Whether to ignore channels missing in eventlog"
+    },
     /* EOF */
     {0}
diff --git a/plugins/in_winevtlog/winevtlog.c b/plugins/in_winevtlog/winevtlog.c
index f2c4a65ad60..e54551713ab 100644
--- a/plugins/in_winevtlog/winevtlog.c
+++ b/plugins/in_winevtlog/winevtlog.c
@@ -587,7 +587,7 @@ int winevtlog_read(struct winevtlog_channel *ch, msgpack_packer *mp_pck, struct
  *
  * "channels" are comma-separated names like "Setup,Security".
  */
-struct mk_list *winevtlog_open_all(const char *channels, int read_existing_events)
+struct mk_list *winevtlog_open_all(const char *channels, int read_existing_events, int ignore_missing_channels)
 {
     char *tmp;
     char *channel;
@@ -612,14 +612,30 @@ struct mk_list *winevtlog_open_all(const char *channels, int read_existing_event
     channel = strtok_s(tmp , ",", &state);
     while (channel) {
         ch = winevtlog_subscribe(channel, read_existing_events, NULL);
-        if (!ch) {
-            flb_free(tmp);
-            winevtlog_close_all(list);
-            return NULL;
+        if (ignore_missing_channels) {
+            if (ch) {
+                mk_list_add(&ch->_head, list);
+            }
+            else {
+                flb_debug("[in_winevtlog] channel '%s' does not exist", channel);
+            }
+        }
+        else {
+            if (!ch) {
+                flb_free(tmp);
+                winevtlog_close_all(list);
+                return NULL;
+            }
         }
-        mk_list_add(&ch->_head, list);
         channel = strtok_s(NULL, ",", &state);
     }
+
+    if (mk_list_size(list) == 0) {
+        flb_free(tmp);
+        winevtlog_close_all(list);
+        return NULL;
+    }
+
     flb_free(tmp);
     return list;
 }
diff --git a/plugins/in_winevtlog/winevtlog.h b/plugins/in_winevtlog/winevtlog.h
index d5db6eb1e09..14aaff72ac1 100644
--- a/plugins/in_winevtlog/winevtlog.h
+++ b/plugins/in_winevtlog/winevtlog.h
@@ -31,6 +31,7 @@ struct winevtlog_config {
     int read_existing_events;
     int render_event_as_xml;
     int use_ansi;
+    int ignore_missing_channels;
     struct mk_list *active_channel;
     struct flb_sqldb *db;
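Review bot: With ignore_missing_channels left at its default of false, a channel that subscribes successfully is never added to the list: the removed `mk_list_add(&ch->_head, list);` was the only add on that path and the new `else` branch only handles `!ch`, so every non-opt-in configuration falls through to the new `mk_list_size(list) == 0` check, `winevtlog_open_all` returns NULL, and the subscription handle in `ch` is dropped without `winevtlog_close_all` ever seeing it. The add has to run whenever `ch` is non-NULL regardless of the flag, which the restructured loop body below does with a single failure branch. Separately, the `flb_debug` in the ignore path assumes a NULL from `winevtlog_subscribe` means the channel is absent; if it can also fail for other reasons (e.g. insufficient rights on a channel like Security) that is worth surfacing at `flb_warn` level so an operator notices a silently skipped source, and the help text in the in_winevtlog.c config_map hunk should then say "skip channels that cannot be subscribed" rather than "missing". The function's setup between the two hunks (list allocation, copy of `channels`) is not visible here.
```c
        ch = winevtlog_subscribe(channel, read_existing_events, NULL);
        if (!ch) {
            if (!ignore_missing_channels) {
                flb_free(tmp);
                winevtlog_close_all(list);
                return NULL;
            }
            flb_debug("[in_winevtlog] channel '%s' does not exist", channel);
        }
        else {
            mk_list_add(&ch->_head, list);
        }
        /* … unchanged: next strtok_s token, empty-list check, return … */
```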
@@ -80,7 +81,7 @@ int winevtlog_read(struct winevtlog_channel *ch, msgpack_packer *mp_pck,
  *
  * "channels" are comma-separated names like "Setup,Security".
  */
-struct mk_list *winevtlog_open_all(const char *channels, int read_exising_events);
+struct mk_list *winevtlog_open_all(const char *channels, int read_exising_events, int ignore_missing_channels);
 void winevtlog_close_all(struct mk_list *list);
 void winevtlog_pack_xml_event(msgpack_packer *mp_pck, WCHAR *system_xml, WCHAR *message,
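Review bot: The rewritten prototype keeps the misspelled parameter name `read_exising_events` while the definition in winevtlog.c spells it `read_existing_events`; since this line is already being changed, align it: `struct mk_list *winevtlog_open_all(const char *channels, int read_existing_events, int ignore_missing_channels);`. The comment block above the prototype still documents only `channels`; a line such as ` * When ignore_missing_channels is non-zero, a channel that cannot be subscribed is skipped instead of failing the whole call.` would record the new contract where callers look for it.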