Windows events (#3246)

* First commit for windows event targets.

I had to add couple of new go modules and hook the windows log in.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Add the ability to save where we are.

* Finished setup tests and comments.

* nits

* adding documentation

* go tidy

* lint windows

* nope

* add manager for non windows

* don't lint forked package

* mod check

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Update pkg/promtail/targets/windows/bookmark.go

Co-authored-by: Owen Diehl <ow.diehl@gmail.com>

* Use passed-in Prometheus registerer.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Apply suggestions from code review

Co-authored-by: Owen Diehl <ow.diehl@gmail.com>

* testing out windows drone.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* type exec.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* docker image.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* go/go.exe

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* build windows on container.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* trying another image.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* typo in image

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Fixed local timezone issue.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Fix tests with timezone.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Fixes timezone tests.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Update logstash since the last image is not working anymore 🤷

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

Co-authored-by: Owen Diehl <ow.diehl@gmail.com>

.drone/drone.jsonnet

@@ -60,6 +60,21 @@ local arch_image(arch, tags='') = {
   }],
 };
 
+local promtail_win() = pipeline('promtail-windows') {
+ platform: {
+    os: 'windows',
+    arch: "amd64",
+    version: "1809",
+  },
+  steps: [{
+    name: 'test',
+    image: 'golang:windowsservercore-1809',
+    commands: [
+      'go test .\\pkg\\promtail\\targets\\windows\\... -v',
+    ],
+  }],
+};
+
 local fluentbit() = pipeline('fluent-bit-amd64') + arch_image('amd64', 'latest,master') {
   steps+: [
     // dry run for everything that is not tag or master
@@ -200,7 +215,7 @@ local manifest(apps) = pipeline('manifest') {
       make('check-generated-files', container=false) { depends_on: ['clone'] },
       make('check-mod', container=false) { depends_on: ['clone', 'test', 'lint'] },
     ],
-  },
+  }
 ] + [
   multiarch_image(arch) + (
     // When we're building Promtail for ARM, we want to use Dockerfile.arm32 to fix
@@ -273,4 +288,4 @@ local manifest(apps) = pipeline('manifest') {
       },
     ],
   },
-]
+] + [promtail_win()]

.drone/drone.yml

@@ -862,4 +862,19 @@ trigger:
 depends_on:
 - manifest
 
+---
+kind: pipeline
+name: promtail-windows
+
+platform:
+  os: windows
+  arch: amd64
+  version: 1809
+
+steps:
+- name: test
+  image: golang:windowsservercore-1809
+  commands:
+  - go test .\pkg\promtail\targets\windows\... -v
+
 ...

.golangci.yml

@@ -24,6 +24,7 @@ run:
   # from this option's value:
   #   	vendor$, third_party$, testdata$, examples$, Godeps$, builtin$
   skip-dirs:
+    - win_eventlog$
   # which files to skip: they will be analyzed, but issues from them
   # won't be reported. Default value is empty list, but there is
   # no need to include all autogenerated files, we confidently recognize

cmd/logstash/Dockerfile

@@ -1,4 +1,4 @@
-FROM logstash:7.6.2
+FROM logstash:7.9.3
 
 USER logstash
 ENV PATH /usr/share/logstash/vendor/jruby/bin:/usr/share/logstash/vendor/bundle/jruby/2.5.0/bin:$PATH

cmd/promtail/promtail-windows.yaml

@@ -0,0 +1,16 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+clients:
+  - url: http://localhost:3100/loki/api/v1/push
+
+scrape_configs:
+- job_name: windows
+  windows_events:
+    use_incoming_timestamp: false
+    bookmark_path: "./bookmark.xml"
+    eventlog_name: "Application"
+    xpath_query: '*'
+    labels:
+      job: windows

docs/sources/clients/promtail/configuration.md

@@ -33,6 +33,7 @@ and how to scrape logs from files.
     - [syslog](#syslog)
       - [Available Labels](#available-labels)
     - [loki_push_api](#loki_push_api)
+    - [windows_events] (#windows_events)
     - [relabel_configs](#relabel_configs)
     - [static_configs](#static_configs)
     - [file_sd_config](#file_sd_config)
@@ -809,6 +810,67 @@ labels:
 
 See [Example Push Config](#example-push-config)
 
+
+### windows_events
+
+The `windows_events` block configures Promtail to scrape windows event logs and send them to Loki.
+
+To subcribe to a specific events stream you need to provide either an `eventlog_name` or an `xpath_query`.
+
+Events are scraped periodically every 3 seconds by default but can be changed using `poll_interval`.
+
+A bookmark path `bookmark_path` is mandatory and will be used as a position file where Promtail will
+keep record of the last event processed. This file persists across promtail restarts.
+
+You can set `use_incoming_timestamp` if you want to keep incomming event timestamps. By default Promtail will use the timestamp when
+the event was read from the event log.
+
+Promtail will serialize JSON windows events, adding `channel` and `computer` labels from the event received.
+You can add additional labels with the `labels` property.
+
+
+```yaml
+# LCID (Locale ID) for event rendering
+# - 1033 to force English language
+# -  0 to use default Windows locale
+[locale: <int> | default = 0]
+
+# Name of eventlog, used only if xpath_query is empty
+# Example: "Application"
+[eventlog_name: <string> | default = ""]
+
+# xpath_query can be in defined short form like "Event/System[EventID=999]"
+# or you can form a XML Query. Refer to the Consuming Events article:
+# https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events
+# XML query is the recommended form, because it is most flexible
+# You can create or debug XML Query by creating Custom View in Windows Event Viewer
+# and then copying resulting XML here
+[xpath_query: <string> | default = "*"]
+
+# Sets the bookmark location on the filesystem.
+# The bookmark contains the current position of the target in XML.
+# When restarting or rolling out promtail, the target will continue to scrape events where it left off based on the bookmark position.
+# The position is updated after each entry processed.
+[bookmark_path: <string> | default = ""]
+
+# PollInterval is the interval at which we're looking if new events are available. By default the target will check every 3seconds.
+[poll_interval: <duration> | default = 3s]
+
+# Allows to exclude the xml event data.
+[exclude_event_data: <bool> | default = false]
+
+# Allows to exclude the user data of each windows event.
+[exclude_event_data: <bool> | default = false]
+
+# Label map to add to every log line sent to the push API
+labels:
+  [ <labelname>: <labelvalue> ... ]
+
+# If promtail should pass on the timestamp from the incoming log or not.
+# When false promtail will assign the current timestamp to the log when it was processed
+[use_incoming_timestamp: <bool> | default = false]
+```
+
 ### relabel_configs
 
 Relabeling is a powerful tool to dynamically rewrite the label set of a target

docs/sources/clients/promtail/scraping.md

@@ -154,6 +154,36 @@ Keep in mind that labels prefixed with `__` will be dropped, so relabeling is re
     target_label: syslog_identifier
 ```
 
+## Windows Event Log
+
+On Windows Promtail supports reading from the event log.
+Windows event targets can be configured using the `windows_events` stanza:
+
+
+```yaml
+scrape_configs:
+- job_name: windows
+  windows_events:
+    use_incoming_timestamp: false
+    bookmark_path: "./bookmark.xml"
+    eventlog_name: "Application"
+    xpath_query: '*'
+    labels:
+      job: windows
+  relabel_configs:
+    - source_labels: ['computer']
+      target_label: 'host'
+```
+
+When Promtail receives an event it will attach the `channel` and `computer` labels
+and serialize the event in json.
+You can relabel default labels via [Relabeling](#relabeling) if required.
+
+Providing a path to a bookmark is mandatory, it will be used to persist the last event processed and allow
+resuming the target without skipping logs.
+
+see the [configuration](./configuration#windows_event) section for more information.
+
 ## Gcplog scraping
 Promtail supports scraping cloud resource logs(say GCS bucket logs, Load Balancer logs, Kubernetes Cluster logs) from GCP.
 Configs are set in `gcplog` section in `scrape_config`
@@ -296,5 +326,5 @@ clients:
   - [ <client_option> ]
 ```
 
-Refer to [`client_config`](../configuration#client_config) from the Promtail
+Refer to [`client_config`](./configuration#client_config) from the Promtail
 Configuration reference for all available options.

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/hpcloud/tail v1.0.0
 	github.com/imdario/mergo v0.3.9
 	github.com/influxdata/go-syslog/v3 v3.0.1-0.20200510134747-836dce2cf6da
+	github.com/influxdata/telegraf v1.16.3
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/joncrlsn/dque v2.2.1-0.20200515025108-956d14155fa2+incompatible
 	github.com/json-iterator/go v1.1.10
@@ -52,6 +53,7 @@ require (
 	github.com/segmentio/fasthash v1.0.2
 	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749
 	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546
+	github.com/spf13/afero v1.2.2
 	github.com/stretchr/testify v1.6.1
 	github.com/tonistiigi/fifo v0.0.0-20190226154929-a9fb20d87448
 	github.com/uber/jaeger-client-go v2.25.0+incompatible
@@ -61,6 +63,7 @@ require (
 	go.uber.org/atomic v1.7.0
 	golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9
 	golang.org/x/net v0.0.0-20201224014010-6772e930b67b
+	golang.org/x/sys v0.0.0-20201223074533-0d417f636930
 	google.golang.org/api v0.36.0
 	google.golang.org/grpc v1.33.2
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
@@ -79,6 +82,8 @@ replace k8s.io/client-go => k8s.io/client-go v0.19.4
 
 replace k8s.io/api => k8s.io/api v0.19.4
 
+replace github.com/hashicorp/consul => github.com/hashicorp/consul v1.5.1
+
 // >v1.2.0 has some conflict with prometheus/alertmanager. Hence prevent the upgrade till it's fixed.
 replace github.com/satori/go.uuid => github.com/satori/go.uuid v1.2.0