[Winlogbeat] Fixes for wineventlog experimental api #26826
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Some valid message strings have a "message ID" of 0. So set the EvtFormatMessageId flag when we don't have a valid event handle when calling EvtFormatMessage. Change the delimiters used in message templates. There were a few cases where the template failed to parse because the raw message used the same delims in some way. EventMetadata is an exported type, but its EventData field was using an unexported type called `eventData`. To make external usage easier make that type exported as well. Add wineventlog.Publishers() to list all registered event publishers on the system.
LGTM, just a minor suggestion
Some valid message strings have a "message ID" of 0. So set the EvtFormatMessageId flag when we don't have a valid event handle when calling EvtFormatMessage. Change the delimiters used in message templates. There were a few cases where the template failed to parse because the raw message used the same delims in some way. EventMetadata is an exported type, but its EventData field was using an unexported type called `eventData`. To make external usage easier make that type exported as well. Add wineventlog.Publishers() to list all registered event publishers on the system. (cherry picked from commit 67845c4) Co-authored-by: Andrew Kroh <[email protected]>
What does this PR do?
Some valid message strings have a "message ID" of 0. So set the EvtFormatMessageId flag when we don't have a valid event handle when calling EvtFormatMessage.
Change the delimiters used in message templates. There were a few cases where the template failed to parse because the raw message used the same delims in some way.
EventMetadata is an exported type, but its EventData field was using an unexported type called `eventData`. To make external usage easier make that type exported as well.
Add wineventlog.Publishers() to list all registered event publishers on the system.
Why is it important?
This fixes errors initializing the metadata cache for some message publishers.
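The delimiter problem the PR describes, shown as an added example rather than Beats' own code: a Go text/template built by rewriting `%N` insertion placeholders into actions fails to parse when the raw message already contains the default `{{`/`}}`, and parses once the action delimiters are changed. The `[[`/`]]` pair, the `eventParam` helper and the sample message are assumed for illustration, not the values the PR chose.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// paramRE matches the %N insertion placeholders used by Windows event message strings.
var paramRE = regexp.MustCompile(`%(\d+)`)

// eventParam returns the 1-based insertion parameter n, or "" when the event has fewer values
// (an event that carries fewer parameters than its message references must not fail to render).
func eventParam(params []string, n int) string {
	if n < 1 || n > len(params) {
		return ""
	}
	return params[n-1]
}

// FormatMessage rewrites each %N into an action bracketed by left/right, parses the result
// with those delimiters, and renders it for one event's parameters. Parsing fails when the
// raw message itself contains the chosen delimiters, which is the bug the PR fixed by
// switching away from the defaults. (Delimiters and helper name are assumed for this example.)
func FormatMessage(msg, left, right string, params []string) (string, error) {
	src := paramRE.ReplaceAllStringFunc(msg, func(m string) string {
		return left + "eventParam . " + m[1:] + right
	})
	t, err := template.New("msg").Delims(left, right).
		Funcs(template.FuncMap{"eventParam": eventParam}).Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, params); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample: a provider message whose literal text contains "{{" and "}}".
	msg := "Policy {{%1}} applied to %2"
	params := []string{"Audit", "host-01"}
	if _, err := FormatMessage(msg, "{{", "}}", params); err != nil {
		fmt.Println("default delimiters:", err) // parse error: the message collides with {{ }}
	}
	out, err := FormatMessage(msg, "[[", "]]", params)
	fmt.Println(out, err) // Policy {{Audit}} applied to host-01 <nil>
}
```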