Update windows_event to add custom channels (#202)

* Update windows_event to add custom channels * Update descriptions for custom_channels parameters * Windows_event_logs update WIP * Update change log for version 0.0.40 release * Update windows_event add id and output variable * Update windows_event change custom log_type to windows_event.custom * Update windows_event add default and update changelog Co-authored-by: Eric Holt <[email protected]>
observIQ · Feb 1, 2021 · 1ae7326 · 1ae7326
1 parent 29a7461
commit 1ae7326
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Add containerd support log parsing support
 - Update `kubernetes_cluster` plugin ([PR211](https://github.com/observIQ/stanza-plugins/pull/211)
   - Add containerd support log parsing support
+- Update `windows_event` plugin ([PR202](https://github.com/observIQ/stanza-plugins/pull/202))
+  - Add `enable_custom_channels` and `custom_channels` parameter
 ## [0.0.40] - 2021-01-26
 ### Changed
 - Update `postgresql` plugin ([PR209](https://github.com/observIQ/stanza-plugins/pull/209)

diff --git a/plugins/windows_event.yaml b/plugins/windows_event.yaml
@@ -1,5 +1,5 @@
 # Plugin Info
-version: 0.0.4
+version: 0.0.5
 title: Windows Event Log
 description: Windows Event Log Parser
 supported_platforms: 
@@ -20,6 +20,21 @@ parameters:
     description: Enable to collect security event logs
     type: bool
     default: true
+  - name: enable_custom_channels
+    label: Custom Events Channel
+    description: Enable to collect custom event logs from provided channels
+    type: bool
+    default: false
+  - name: custom_channels
+    label: Custom Event Channels
+    description: Add custom channels to get event logs
+    type: strings
+    required: true
+    default:
+      - ''
+    relevant_if:
+      enable_custom_channels:
+        equals: true
   - name: max_reads
     label: Max Reads
     description: The maximum number of records read into memory, before beginning a new batch
@@ -43,6 +58,7 @@ parameters:
 # {{$enable_system_events := default true .enable_system_events}}
 # {{$enable_application_events := default true .enable_application_events}}
 # {{$enable_security_events := default true .enable_security_events}}
+# {{$enable_custom_channels := default false .enable_custom_channels}}
 # {{$max_reads := default 100 .max_reads}}
 # {{$poll_interval := default 1 .poll_interval}}
 # {{$start_at := default "end" .start_at}}
@@ -87,3 +103,20 @@ pipeline:
     start_at: {{ $start_at }}
     output: {{ .output }}
 # {{ end }}
+
+# {{$output := .output}}
+# {{$id := .id}}
+# {{ if $enable_custom_channels }}
+  # {{ range $index, $element := .custom_channels }}
+  - id: custom_event_input_{{$index}}
+    type: windows_eventlog_input
+    channel: {{$element}}
+    max_reads: {{$max_reads}}
+    poll_interval: {{$poll_interval}}
+    labels:
+      log_type: "windows_event.custom"
+      plugin_id: {{$id}}
+    start_at: beginning
+    output: {{$output}}
+  # {{ end }}
+# {{ end }}