
plugins: in_winevtlog: adds ability to ignore channels missing in Windows Event Log #6176

Merged (4 commits), Oct 15, 2022

Conversation

@c0d3fau1t (Contributor) commented Oct 10, 2022

Additions to in_winevtlog plugin to allow scenarios where one or more channels are missing on Windows Event Log
ex: PowerShellCore/Operational needs the proper software installed to
appear under Application and Services Log


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • [N/A] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

Documentation

  • Documentation required for this feature

Added information in comments

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@c0d3fau1t (Contributor, Author) commented:

An example of the configuration file for the plugin follows.
The entry ignore_missing_channels defaults to false. In this scenario the plugin behaves as it currently does, hence it stops immediately when it fails to register to one of the channels.
When ignore_missing_channels is set to true, a failure to register to one or more channels does not stop the plugin from starting, as long as the resulting list of registered channels is not empty.

```
[INPUT]
    Name                     winevtlog
    Channels                 Application,Security,System,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-AppLocker/EXE and DLL,Microsoft-Windows-AppLocker/Packaged app-Execution,Microsoft-Windows-AppLocker/Packaged app-Deployment,Microsoft-Windows-TerminalServices-RDPClient/Operational,Microsoft-Windows-SmartCard-Audit/Authentication,Microsoft-Windows-SMBClient/Operational,Microsoft-Windows-Windows Defender/Operational
    Interval_Sec             1
    String_Inserts           false
    Read_Existing_Events     false
    Render_Event_As_XML      true
    ignore_missing_channels  true
    db                       evt.db
```

@c0d3fau1t (Contributor, Author) commented:

An example of operation follows, where a non-existent channel (BogusChannel) is present in the list of channels to register to. The plugin correctly throws an error indicating it could not subscribe to channel BogusChannel, but continues with the other channels it was able to subscribe to.

[2022/10/10 19:55:40] [ info] [fluent bit] version=1.9.9, commit=, pid=31480
[2022/10/10 19:55:40] [debug] [engine] coroutine stack size: 98302 bytes (96.0K)
[2022/10/10 19:55:40] [ info] [storage] version=1.3.0, type=memory-only, sync=normal, checksum=disabled, max_chunks_up=128
[2022/10/10 19:55:40] [ info] [cmetrics] version=0.3.7
[2022/10/10 19:55:40] [debug] [winevtlog:winevtlog.0] created event channels: read=936 write=940
[2022/10/10 19:55:40] [error] [in_winevtlog] cannot subscribe 'BogusChannel' (0)
[2022/10/10 19:55:40] [debug] [stdout:stdout.0] created event channels: read=1204 write=1208
[2022/10/10 19:55:40] [debug] [router] match rule winevtlog.0:stdout.0
[2022/10/10 19:55:40] [ info] [sp] stream processor started
[2022/10/10 19:55:40] [ info] [output:stdout:stdout.0] worker #0 started
[2022/10/10 19:55:41] [debug] [input:winevtlog:winevtlog.0] read 4108 bytes from 'Microsoft-Windows-AppLocker/EXE and DLL'
[2022/10/10 19:55:41] [debug] [input chunk] update output instances with new chunk size diff=2159
[2022/10/10 19:55:48] [debug] [input:winevtlog:winevtlog.0] read 13956 bytes from 'Security'
[2022/10/10 19:55:48] [debug] [input chunk] update output instances with new chunk size diff=9858
[2022/10/10 19:55:48] [debug] [input:winevtlog:winevtlog.0] read 1722 bytes from 'Microsoft-Windows-TaskScheduler/Operational'
[2022/10/10 19:55:48] [debug] [input chunk] update output instances with new chunk size diff=997
[2022/10/10 19:55:51] [debug] [task] created task=011A7A98 id=0 OK
[2022/10/10 19:55:51] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2022/10/10 19:55:51] [ warn] [engine] service will shutdown in max 5 seconds
[2022/10/10 19:55:51] [debug] [out flush] cb_destroy coro_id=0
[2022/10/10 19:55:51] [debug] [task] destroy task=011A7A98 (task_id=0)
[2022/10/10 19:55:51] [ info] [engine] service has stopped (0 pending tasks)
[2022/10/10 19:55:52] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2022/10/10 19:55:52] [ info] [output:stdout:stdout.0] thread worker #0 stopped
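To make the registration policy described in the configuration comment and shown in the log above concrete, here is an added example in C that is not part of fluent-bit or this PR. It models the channel subscription loop with a simulated `subscribe_channel()` backed by a constructed list of channels present on a host (a stand-in for the Windows Event Log subscription API), and applies the `ignore_missing_channels` rule: with the flag off, the first failed subscription aborts start-up; with it on, the failure is logged and start-up succeeds as long as at least one channel was registered. The `struct registration` counters are an assumption of this example; they make partial coverage visible so an operator can alert when an expected channel such as Security or an AppLocker channel is missing rather than silently collecting less.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the channels present on a host. A real plugin
 * would ask the Windows Event Log API instead of consulting this table. */
static const char *present_channels[] = {
    "Application",
    "Security",
    "System",
    "Microsoft-Windows-AppLocker/EXE and DLL",
};

/* Simulated subscription: succeeds only for channels in the table above. */
static bool subscribe_channel(const char *name)
{
    size_t n = sizeof(present_channels) / sizeof(present_channels[0]);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(present_channels[i], name) == 0) {
            return true;
        }
    }
    return false;
}

/* Hypothetical bookkeeping so the caller can see how many channels were
 * actually registered versus skipped. */
struct registration {
    int registered;   /* channels successfully subscribed */
    int missing;      /* channels that failed to subscribe */
};

/* Split the comma-separated Channels value, attempt each subscription and
 * apply the ignore_missing_channels policy. Returns 0 when the input may
 * start and -1 when it must refuse to start. */
static int register_channels(const char *channels, bool ignore_missing,
                             struct registration *out)
{
    char buf[1024];

    out->registered = 0;
    out->missing = 0;
    if (strlen(channels) >= sizeof(buf)) {
        return -1;   /* channel list too long for this example's buffer */
    }
    strcpy(buf, channels);

    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (subscribe_channel(tok)) {
            out->registered++;
            continue;
        }
        fprintf(stderr, "[error] [in_winevtlog] cannot subscribe '%s'\n", tok);
        out->missing++;
        if (!ignore_missing) {
            return -1;   /* previous behaviour: abort on the first failure */
        }
        fprintf(stderr, "[debug] [in_winevtlog] channel '%s' does not exist\n", tok);
    }

    /* Even with ignore_missing_channels, nothing registered is fatal. */
    return out->registered > 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed channel list mirroring the scenario in the PR logs. */
    const char *list = "Application,Security,BogusChannel,"
                       "Microsoft-Windows-AppLocker/EXE and DLL";
    struct registration r;

    int rc = register_channels(list, false, &r);
    printf("ignore_missing_channels=false: rc=%d registered=%d missing=%d\n",
           rc, r.registered, r.missing);

    rc = register_channels(list, true, &r);
    printf("ignore_missing_channels=true:  rc=%d registered=%d missing=%d\n",
           rc, r.registered, r.missing);
    return 0;
}
```

Run stand-alone, the first call stops at BogusChannel with rc=-1 and two channels registered; the second call logs the error and the debug line, skips BogusChannel, and returns rc=0 with three channels registered and one missing.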

@c0d3fau1t changed the title from "Additions to in_winevtlog plugin to allow scenarios where one or more…" to "plugins: in_winevtlog: adds ability to ignore channels missing in Windows Event Log" on Oct 11, 2022
Review comment on plugins/in_winevtlog/in_winevtlog.c (outdated, resolved)
@edsiper (Member) commented Oct 11, 2022

please sign off your commits (DCO error); you can do it at commit time with `git commit -s -m ...`

@c0d3fau1t c0d3fau1t force-pushed the winevtlog_patch branch 4 times, most recently from 07197c3 to a1d8fb5 Compare October 11, 2022 21:24
@cosmo0920 (Contributor) commented:

Could you rebase off the current master? Some of the commits seem to be contaminated.

@c0d3fau1t (Contributor, Author) commented:

> Could you rebase off the current master? Some of the commits seem to be contaminated.

Will dig into that; GitHub and shared repositories are new to me.

Meissner Morales and others added 3 commits October 12, 2022 16:15
channels are missing on Windows Event Log
ex: PowerShellCore/Operational needs the proper software installed to
    appear under Application and Services Log

Signed-off-by: Meissner Morales <mmblanco@outlook.com>
@c0d3fau1t c0d3fau1t requested review from cosmo0920 and removed request for niedbalski and patrick-stephens October 12, 2022 21:46
@c0d3fau1t (Contributor, Author) commented:

A debug-level message was added:

[2022/10/12 16:58:28] [ info] [fluent bit] version=1.9.9, commit=, pid=25436
[2022/10/12 16:58:28] [debug] [engine] coroutine stack size: 98302 bytes (96.0K)
[2022/10/12 16:58:28] [ info] [storage] version=1.3.0, type=memory-only, sync=normal, checksum=disabled, max_chunks_up=128
[2022/10/12 16:58:28] [ info] [cmetrics] version=0.3.7
[2022/10/12 16:58:28] [debug] [winevtlog:winevtlog.0] created event channels: read=968 write=972
[2022/10/12 16:58:28] [error] [in_winevtlog] cannot subscribe 'BogusChannel' (0)
[2022/10/12 16:58:28] [debug] [in_winevtlog] channel 'BogusChannel' does not exist
[2022/10/12 16:58:28] [debug] [stdout:stdout.0] created event channels: read=1208 write=1212
[2022/10/12 16:58:28] [debug] [router] match rule winevtlog.0:stdout.0
[2022/10/12 16:58:28] [ info] [sp] stream processor started
[2022/10/12 16:58:28] [ info] [output:stdout:stdout.0] worker #0 started
[2022/10/12 16:58:29] [debug] [input:winevtlog:winevtlog.0] read 81334 bytes from 'Security'
[2022/10/12 16:58:29] [debug] [input chunk] update output instances with new chunk size diff=60481
[2022/10/12 16:58:29] [debug] [input:winevtlog:winevtlog.0] read 4112 bytes from 'Microsoft-Windows-AppLocker/EXE and DLL'
[2022/10/12 16:58:29] [debug] [input chunk] update output instances with new chunk size diff=2162
[2022/10/12 16:58:31] [debug] [input:winevtlog:winevtlog.0] read 2430 bytes from 'Security'
[2022/10/12 16:58:31] [debug] [input chunk] update output instances with new chunk size diff=1634
[2022/10/12 16:58:38] [debug] [task] created task=00EA8DF0 id=0 OK
[2022/10/12 16:58:38] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2022/10/12 16:58:38] [ warn] [engine] service will shutdown in max 5 seconds
[2022/10/12 16:58:38] [debug] [out flush] cb_destroy coro_id=0
[2022/10/12 16:58:38] [debug] [task] destroy task=00EA8DF0 (task_id=0)
[2022/10/12 16:58:39] [ info] [engine] service has stopped (0 pending tasks)
[2022/10/12 16:58:39] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2022/10/12 16:58:39] [ info] [output:stdout:stdout.0] thread worker #0 stopped

@cosmo0920 (Contributor) left a review comment:

Looks good. I've confirmed that subscribing to non-existent channels does not cause fluent-bit termination. 👍

@edsiper edsiper merged commit ac450eb into fluent:master Oct 15, 2022
@edsiper (Member) commented Oct 15, 2022

thanks

@c0d3fau1t (Contributor, Author) commented:

Thanks!

mgeriesa pushed a commit to mgeriesa/fluent-bit that referenced this pull request Oct 25, 2022
…t Log (fluent#6176)

* Additions to in_winevtlog plugin to allow scenarios where one or more channels are missing on Windows Event Log, e.g:

PowerShellCore/Operational needs the proper software installed to  appear under Application and Services Log

Signed-off-by: Meissner Morales <mmblanco@outlook.com>
Signed-off-by: Manal Geries <mgeriesa@gmail.com>
sumitd2 pushed a commit to sumitd2/fluent-bit that referenced this pull request Feb 8, 2023
…t Log (fluent#6176)

* Additions to in_winevtlog plugin to allow scenarios where one or more channels are missing on Windows Event Log, e.g:

PowerShellCore/Operational needs the proper software installed to  appear under Application and Services Log

Signed-off-by: Meissner Morales <mmblanco@outlook.com>
Signed-off-by: root <root@sumit-acs.novalocal>