From 3b33a0f2232aa18aadbf1f017a245b2626c1e542 Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Mon, 25 Sep 2023 17:56:48 -0400
Subject: [PATCH 01/10] add legacy_mode to init_config
---
win32_event_log/assets/configuration/spec.yaml | 13 +++++++++++++
.../datadog_checks/win32_event_log/check.py | 6 +++++-
.../win32_event_log/config_models/defaults.py | 4 ++++
.../win32_event_log/config_models/shared.py | 1 +
.../win32_event_log/data/conf.yaml.example | 10 ++++++++++
5 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/win32_event_log/assets/configuration/spec.yaml b/win32_event_log/assets/configuration/spec.yaml
index 180495950af89..d190a36cb16c5 100644
--- a/win32_event_log/assets/configuration/spec.yaml
+++ b/win32_event_log/assets/configuration/spec.yaml
@@ -45,6 +45,19 @@ files: value: type: string example: normal + - name: legacy_mode + description: | + Whether or not to use a mode of operation that is now unmaintained and will be removed in a future version. + + /\ WARNING /\ + This mode, by nature of the underlying technology, is significantly more resource intensive. + + Setting this option to `false` is only supported on Agent versions 7 and above. + enabled: true + value: + type: boolean + display_default: true + example: false - template: init_config/default - template: instances overrides:
diff --git a/win32_event_log/datadog_checks/win32_event_log/check.py b/win32_event_log/datadog_checks/win32_event_log/check.py
index a7c00dff1903d..ffb559a1526f9 100644
--- a/win32_event_log/datadog_checks/win32_event_log/check.py
+++ b/win32_event_log/datadog_checks/win32_event_log/check.py
@@ -69,7 +69,11 @@ class Win32EventLogCheck(AgentCheck, ConfigMixin): def __new__(cls, name, init_config, instances): instance = instances[0] - if PY2 or is_affirmative(instance.get('legacy_mode', True)): + # default to legacy mode for configuration backwards compatibility + init_config_legacy_mode = is_affirmative(init_config.get('legacy_mode', True)) + # If legacy_mode is unset for an instance, default to the init_config option + instance_legacy_mode = is_affirmative(instance.get('legacy_mode', init_config_legacy_mode)) + if PY2 or instance_legacy_mode: return Win32EventLogWMI(name, init_config, instances) else: return super(Win32EventLogCheck, cls).__new__(cls)
diff --git a/win32_event_log/datadog_checks/win32_event_log/config_models/defaults.py b/win32_event_log/datadog_checks/win32_event_log/config_models/defaults.py
index cffa4f204d77b..e281c388aff10 100644
--- a/win32_event_log/datadog_checks/win32_event_log/config_models/defaults.py
+++ b/win32_event_log/datadog_checks/win32_event_log/config_models/defaults.py
@@ -20,6 +20,10 @@ def shared_interpret_messages(): return True +def shared_legacy_mode(): + return True + + def shared_tag_event_id(): return False
diff --git a/win32_event_log/datadog_checks/win32_event_log/config_models/shared.py b/win32_event_log/datadog_checks/win32_event_log/config_models/shared.py
index b478ae61c105a..b6f18129f0b55 100644
--- a/win32_event_log/datadog_checks/win32_event_log/config_models/shared.py
+++ b/win32_event_log/datadog_checks/win32_event_log/config_models/shared.py
@@ -29,6 +29,7 @@ class SharedConfig(BaseModel): default_event_priority: Optional[str] = None event_priority: Optional[Literal['normal', 'low']] = None interpret_messages: Optional[bool] = None + legacy_mode: Optional[bool] = None service: Optional[str] = None tag_event_id: Optional[bool] = None tag_sid: Optional[bool] = None
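Review bot: `init_config.get('legacy_mode', True)` on the added line in `Win32EventLogCheck.__new__` (check.py) dereferences the raw `init_config` argument, so a `None` value raises `AttributeError` before either collector class is chosen. The test added later in this series passes `init_config=None` for the unset case, and an empty `init_config:` key parses to `None` in YAML; whether the `new_check` fixture or the Agent loader normalises that is not visible here. I would write `init_config_legacy_mode = is_affirmative((init_config or {}).get('legacy_mode', True))`, which keeps the backward-compatible default. Because this branch decides whether channels such as Security are read through WMI or the Event Log API, a comment stating the order, `# precedence: PY2 forces legacy, then instance legacy_mode, then init_config legacy_mode, then True`, would help anyone auditing collection. `__new__` is fully inside the hunk; the rest of the class is not.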
diff --git a/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example b/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
index 5ef40767a2157..5026a095ed074 100644
--- a/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
+++ b/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
@@ -36,6 +36,16 @@ init_config: # # default_event_priority: normal + ## @param legacy_mode - boolean - optional - default: true + ## Whether or not to use a mode of operation that is now unmaintained and will be removed in a future version. + ## + ## /\ WARNING /\ + ## This mode, by nature of the underlying technology, is significantly more resource intensive. + ## + ## Setting this option to `false` is only supported on Agent versions 7 and above. + # + legacy_mode: false + ## @param service - string - optional ## Attach the tag `service:` to every metric, event, and service check emitted by this integration. ##
From b5a0eb3ff74b5ea70f9c86ca546bc5fab2f72c31 Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Mon, 25 Sep 2023 18:24:48 -0400
Subject: [PATCH 02/10] disable legacy_mode instance option in config example
---
win32_event_log/assets/configuration/spec.yaml | 1 -
.../datadog_checks/win32_event_log/data/conf.yaml.example | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/win32_event_log/assets/configuration/spec.yaml b/win32_event_log/assets/configuration/spec.yaml
index d190a36cb16c5..fb2b0f7bc12b9 100644
--- a/win32_event_log/assets/configuration/spec.yaml
+++ b/win32_event_log/assets/configuration/spec.yaml
@@ -300,7 +300,6 @@ files: This mode, by nature of the underlying technology, is significantly more resource intensive. Setting this option to `false` is only supported on Agent versions 7 and above. - enabled: true value: type: boolean display_default: true
diff --git a/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example b/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
index 5026a095ed074..efd4e684d7a5c 100644
--- a/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
+++ b/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
@@ -250,7 +250,7 @@ instances: ## ## Setting this option to `false` is only supported on Agent versions 7 and above. # - legacy_mode: false + # legacy_mode: false ## @param host - string - optional - default: localhost ## By default, the local machine's event logs are captured. To capture a remote
From 28aafaae72240e75e5c4a279727821a4c12cdf5d Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Mon, 25 Sep 2023 19:07:23 -0400
Subject: [PATCH 03/10] add test
---
.../tests/legacy/test_win32_integration.py | 47 +++++++++++++++++++
win32_event_log/tests/test_config.py | 1 +
2 files changed, 48 insertions(+)
diff --git a/win32_event_log/tests/legacy/test_win32_integration.py b/win32_event_log/tests/legacy/test_win32_integration.py
index a55abf71c1a63..88c4a90889787 100644
--- a/win32_event_log/tests/legacy/test_win32_integration.py
+++ b/win32_event_log/tests/legacy/test_win32_integration.py
@@ -4,8 +4,11 @@ import platform import pytest +from six import PY2 from datadog_checks.win32_event_log import Win32EventLogCheck +from datadog_checks.win32_event_log.legacy import Win32EventLogWMI + from . import common
@@ -24,3 +27,47 @@ def test_deprecation_notice(dd_run_check): 'This version of the check is deprecated and will be removed in a future release. ' 'Set `legacy_mode` to `false` and read about the latest options, such as `query`.' ) in check.get_warnings() + +@pytest.mark.parametrize('shared_legacy_mode', [None, False, True]) +@pytest.mark.parametrize('instance_legacy_mode', [None, False, True]) +def test_legacy_mode_select(new_check, shared_legacy_mode, instance_legacy_mode): + instance = {} + init_config = None + + if shared_legacy_mode is not None: + init_config = {'legacy_mode': shared_legacy_mode} + if instance_legacy_mode is not None: + instance['legacy_mode'] = instance_legacy_mode + + check = new_check(instance, init_config=init_config) + + # if python2 should alawys choose legacy mode + if PY2: + assert type(check) is Win32EventLogWMI + return + + # if instance option is set it should take precedence + if instance_legacy_mode: + assert type(check) is Win32EventLogWMI + return + elif instance_legacy_mode is False: + assert type(check) is Win32EventLogCheck + return + + # instance option is unset + assert instance_legacy_mode is None + + # shared/init_config option should apply now + if shared_legacy_mode: + assert type(check) is Win32EventLogWMI + return + elif shared_legacy_mode is False: + assert type(check) is Win32EventLogCheck + return + + # shared/init_config option is unset + assert shared_legacy_mode is None + + # should default to true for backwards compatibility + assert type(check) is Win32EventLogWMI +
diff --git a/win32_event_log/tests/test_config.py b/win32_event_log/tests/test_config.py
index 781fe50c2faaa..52c66e5dc0b62 100644
--- a/win32_event_log/tests/test_config.py
+++ b/win32_event_log/tests/test_config.py
@@ -16,3 +16,4 @@ def test_invalid_message_filter_regular_expression(dd_run_check, new_check, inst match='Error compiling pattern for option `{}`: invalid group reference 1 at position 1'.format(option), ): dd_run_check(check) +
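Review bot: `test_legacy_mode_select` re-derives the expected class through a chain of early `return`s and mid-test `assert ... is None` checks, which makes the nine-case precedence matrix harder to audit than it needs to be. Computing the expectation once states the rule directly: `effective = instance_legacy_mode if instance_legacy_mode is not None else shared_legacy_mode`, then `expected = Win32EventLogCheck if (effective is False and not PY2) else Win32EventLogWMI`, then `assert type(check) is expected`. The comment `# if python2 should alawys choose legacy mode` also has a typo ("always"). The function is fully inside this hunk.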
From 2cc5b2cc2ce812cba018b0cfa2bb4e670c89a0a6 Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Mon, 25 Sep 2023 19:45:06 -0400
Subject: [PATCH 04/10] update README
---
win32_event_log/README.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/win32_event_log/README.md b/win32_event_log/README.md
index 6a7572630d315..d4de88f901f80 100644
--- a/win32_event_log/README.md
+++ b/win32_event_log/README.md
@@ -96,6 +96,20 @@ To collect Windows Event Logs as Datadog events, configure channels under the `i filters: {} ``` +Agent versions 7.49 or later support setting `legacy_mode` in the shared `init_config` section. This sets the default for all instances and `legacy_mode` no longer needs to be set individually for each instance. The option can still be set on a per-instance basis. + + ```yaml + init_config: + legacy_mode: false + instances: + - # Event Log API + path: Security + filters: {} + + - path: "" + filters: {} + ``` + #### Event collection using Legacy Mode (Deprecated) The legacy method uses WMI (Windows Management Instrumentation) and was deprecated in Agent version 7.20.
From f7285f1009ed5e5cdc2c4a3e7c5d6e5e01dd39bc Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Mon, 25 Sep 2023 19:59:23 -0400
Subject: [PATCH 05/10] changelog
---
win32_event_log/CHANGELOG.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/win32_event_log/CHANGELOG.md b/win32_event_log/CHANGELOG.md
index 3d540a72405cd..dae2e8a994521 100644
--- a/win32_event_log/CHANGELOG.md
+++ b/win32_event_log/CHANGELOG.md
@@ -2,6 +2,10 @@ ## Unreleased +***Added***: + +* Add `legacy_mode` option to init_config ([#15907](https://github.com/DataDog/integrations-core/pull/15907)) + ***Fixed***: * Run all the tests on py3 ([#15798](https://github.com/DataDog/integrations-core/pull/15798))
From 59786dfdfc02cfd16d090e102d104c0abec87cf9 Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Tue, 26 Sep 2023 10:33:44 -0400
Subject: [PATCH 06/10] lint
---
win32_event_log/tests/legacy/test_win32_integration.py | 2 +-
win32_event_log/tests/test_config.py | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/win32_event_log/tests/legacy/test_win32_integration.py b/win32_event_log/tests/legacy/test_win32_integration.py
index 88c4a90889787..9a6ccca19d042 100644
--- a/win32_event_log/tests/legacy/test_win32_integration.py
+++ b/win32_event_log/tests/legacy/test_win32_integration.py
@@ -28,6 +28,7 @@ def test_deprecation_notice(dd_run_check): 'Set `legacy_mode` to `false` and read about the latest options, such as `query`.' ) in check.get_warnings() + @pytest.mark.parametrize('shared_legacy_mode', [None, False, True]) @pytest.mark.parametrize('instance_legacy_mode', [None, False, True]) def test_legacy_mode_select(new_check, shared_legacy_mode, instance_legacy_mode):
@@ -70,4 +71,3 @@ def test_legacy_mode_select(new_check, shared_legacy_mode, instance_legacy_mode) # should default to true for backwards compatibility assert type(check) is Win32EventLogWMI -
diff --git a/win32_event_log/tests/test_config.py b/win32_event_log/tests/test_config.py
index 52c66e5dc0b62..781fe50c2faaa 100644
--- a/win32_event_log/tests/test_config.py
+++ b/win32_event_log/tests/test_config.py
@@ -16,4 +16,3 @@ def test_invalid_message_filter_regular_expression(dd_run_check, new_check, inst match='Error compiling pattern for option `{}`: invalid group reference 1 at position 1'.format(option), ): dd_run_check(check) -
From 272213e8ab483ee190d2dc702d4dbb48aa812a0a Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Tue, 26 Sep 2023 10:39:38 -0400
Subject: [PATCH 07/10] change instance legacy_mode example default
---
win32_event_log/assets/configuration/spec.yaml | 2 +-
.../datadog_checks/win32_event_log/data/conf.yaml.example | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/win32_event_log/assets/configuration/spec.yaml b/win32_event_log/assets/configuration/spec.yaml
index fb2b0f7bc12b9..3688811fe7447 100644
--- a/win32_event_log/assets/configuration/spec.yaml
+++ b/win32_event_log/assets/configuration/spec.yaml
@@ -303,7 +303,7 @@ files: value: type: boolean display_default: true - example: false + example: true - name: host description: | By default, the local machine's event logs are captured. To capture a remote
diff --git a/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example b/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
index efd4e684d7a5c..dc2ad7d46e36c 100644
--- a/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
+++ b/win32_event_log/datadog_checks/win32_event_log/data/conf.yaml.example
@@ -250,7 +250,7 @@ instances: ## ## Setting this option to `false` is only supported on Agent versions 7 and above. # - # legacy_mode: false + # legacy_mode: true ## @param host - string - optional - default: localhost ## By default, the local machine's event logs are captured. To capture a remote
From de8b6a7c6f5ef3a3b8aa21dacf12e595433a5187 Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Tue, 26 Sep 2023 10:50:28 -0400
Subject: [PATCH 08/10] lint
---
win32_event_log/tests/legacy/test_win32_integration.py | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/win32_event_log/tests/legacy/test_win32_integration.py b/win32_event_log/tests/legacy/test_win32_integration.py
index 9a6ccca19d042..d324b75669a38 100644
--- a/win32_event_log/tests/legacy/test_win32_integration.py
+++ b/win32_event_log/tests/legacy/test_win32_integration.py
@@ -4,11 +4,9 @@ import platform import pytest -from six import PY2 - from datadog_checks.win32_event_log import Win32EventLogCheck from datadog_checks.win32_event_log.legacy import Win32EventLogWMI - +from six import PY2 from . import common
From 89bcaec336a1de68d67034971f2a003fcc046bbf Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Tue, 26 Sep 2023 11:06:06 -0400
Subject: [PATCH 09/10] lint
---
win32_event_log/tests/legacy/test_win32_integration.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/win32_event_log/tests/legacy/test_win32_integration.py b/win32_event_log/tests/legacy/test_win32_integration.py
index d324b75669a38..8733c485e3b25 100644
--- a/win32_event_log/tests/legacy/test_win32_integration.py
+++ b/win32_event_log/tests/legacy/test_win32_integration.py
@@ -4,9 +4,10 @@ import platform import pytest +from six import PY2 + from datadog_checks.win32_event_log import Win32EventLogCheck from datadog_checks.win32_event_log.legacy import Win32EventLogWMI -from six import PY2 from . import common
From eb8e9b25f814650a5146f8d835cedf85c05ec021 Mon Sep 17 00:00:00 2001
From: Branden Clark
Date: Tue, 26 Sep 2023 14:52:39 -0400
Subject: [PATCH 10/10] Update win32_event_log/README.md
Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com>
---
win32_event_log/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/win32_event_log/README.md b/win32_event_log/README.md
index d4de88f901f80..2db2437e22a37 100644
--- a/win32_event_log/README.md
+++ b/win32_event_log/README.md
@@ -96,7 +96,7 @@ To collect Windows Event Logs as Datadog events, configure channels under the `i filters: {} ``` -Agent versions 7.49 or later support setting `legacy_mode` in the shared `init_config` section. This sets the default for all instances and `legacy_mode` no longer needs to be set individually for each instance. The option can still be set on a per-instance basis. +Agent versions 7.49 and later support setting `legacy_mode` in the shared `init_config` section. This sets the default for all instances and no longer requires you to set `legacy_mode` individually for each instance. However, the option can still be set on a per-instance basis. ```yaml init_config: