in_winevtlog: adds ability to ignore channels missing in Windows Even…
…t Log (fluent#6176)

* Additions to the in_winevtlog plugin to allow scenarios where one or more channels are missing from the Windows Event Log, e.g.:

PowerShellCore/Operational needs the proper software installed to appear under Applications and Services Logs

Signed-off-by: Meissner Morales <[email protected]>
Signed-off-by: root <[email protected]>
c0d3fau1t authored and root committed Feb 8, 2023
1 parent 26d8d5c commit ecaef64
Showing 3 changed files with 30 additions and 8 deletions.
7 changes: 6 additions & 1 deletion plugins/in_winevtlog/in_winevtlog.c
@@ -68,7 +68,7 @@ static int in_winevtlog_init(struct flb_input_instance *in,
tmp = "Application";
}

ctx->active_channel = winevtlog_open_all(tmp, ctx->read_existing_events);
ctx->active_channel = winevtlog_open_all(tmp, ctx->read_existing_events, ctx->ignore_missing_channels);
if (!ctx->active_channel) {
flb_plg_error(ctx->ins, "failed to open channels");
flb_free(ctx);
@@ -238,6 +238,11 @@ static struct flb_config_map config_map[] = {
0, FLB_TRUE, offsetof(struct winevtlog_config, use_ansi),
"Use ANSI encoding on eventlog messages"
},
{
FLB_CONFIG_MAP_BOOL, "ignore_missing_channels", "false",
0, FLB_TRUE, offsetof(struct winevtlog_config, ignore_missing_channels),
"Whether to ignore channels missing in eventlog"
},

/* EOF */
{0}
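Review bot: The help text for the new `ignore_missing_channels` entry in config_map does not say what happens to a skipped channel, nor that startup still fails when none of the listed channels opens (the `mk_list_size(list) == 0` check in winevtlog_open_all). An operator who turns the option on for a log-forwarding host should be able to read from the description that events from a skipped channel are simply not collected. I would word it as `"Skip channels that cannot be opened instead of failing at startup; skipped channels are not collected"`. The config_map array begins outside this hunk.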
28 changes: 22 additions & 6 deletions plugins/in_winevtlog/winevtlog.c
@@ -587,7 +587,7 @@ int winevtlog_read(struct winevtlog_channel *ch, msgpack_packer *mp_pck, struct
*
* "channels" are comma-separated names like "Setup,Security".
*/
struct mk_list *winevtlog_open_all(const char *channels, int read_existing_events)
struct mk_list *winevtlog_open_all(const char *channels, int read_existing_events, int ignore_missing_channels)
{
char *tmp;
char *channel;
@@ -612,14 +612,30 @@ struct mk_list *winevtlog_open_all(const char *channels, int read_existing_event
channel = strtok_s(tmp , ",", &state);
while (channel) {
ch = winevtlog_subscribe(channel, read_existing_events, NULL);
if (!ch) {
flb_free(tmp);
winevtlog_close_all(list);
return NULL;
if (ignore_missing_channels) {
if (ch) {
mk_list_add(&ch->_head, list);
}
else {
flb_debug("[in_winevtlog] channel '%s' does not exist", channel);
}
}
else {
if (!ch) {
flb_free(tmp);
winevtlog_close_all(list);
return NULL;
}
}
mk_list_add(&ch->_head, list);
channel = strtok_s(NULL, ",", &state);
}

if (mk_list_size(list) == 0) {
flb_free(tmp);
winevtlog_close_all(list);
return NULL;
}

flb_free(tmp);
return list;
}
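Review bot: The rewritten loop body in winevtlog_open_all mishandles the list insert on one path whichever way this section is read. The +/- markers are not visible here, but the `-612,14 +612,30` header and the 22/6 counts suggest the trailing `mk_list_add(&ch->_head, list);` was removed; in that case a channel that opens successfully with `ignore_missing_channels` off is never added, and the new `mk_list_size(list) == 0` check then fails startup in the default configuration. If that line was instead kept, the ignore path reaches it with `ch == NULL`. Testing `ch` first and consulting the flag only on failure covers both cases, as sketched below. Separately, every NULL from winevtlog_subscribe is reported as "does not exist" at debug level; its body is not shown here, so if it can also fail for other reasons (for example insufficient rights on a channel such as Security), that collection gap would go unnoticed at default verbosity, and `flb_warn` with a neutral message would surface it.

```c
ch = winevtlog_subscribe(channel, read_existing_events, NULL);
if (ch) {
    mk_list_add(&ch->_head, list);
}
else if (ignore_missing_channels) {
    /* Skipped channels are a collection gap: log above debug level. */
    flb_warn("[in_winevtlog] could not open channel '%s', skipping", channel);
}
else {
    flb_free(tmp);
    winevtlog_close_all(list);
    return NULL;
}
/* ... unchanged: advance to the next token, empty-list check, cleanup ... */
```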
3 changes: 2 additions & 1 deletion plugins/in_winevtlog/winevtlog.h
@@ -31,6 +31,7 @@ struct winevtlog_config {
int read_existing_events;
int render_event_as_xml;
int use_ansi;
int ignore_missing_channels;

struct mk_list *active_channel;
struct flb_sqldb *db;
@@ -80,7 +81,7 @@ int winevtlog_read(struct winevtlog_channel *ch, msgpack_packer *mp_pck,
*
* "channels" are comma-separated names like "Setup,Security".
*/
struct mk_list *winevtlog_open_all(const char *channels, int read_exising_events);
struct mk_list *winevtlog_open_all(const char *channels, int read_exising_events, int ignore_missing_channels);
void winevtlog_close_all(struct mk_list *list);

void winevtlog_pack_xml_event(msgpack_packer *mp_pck, WCHAR *system_xml, WCHAR *message,
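Review bot: The comment above the `winevtlog_open_all` prototype still describes only `channels`, and the prototype keeps the misspelled parameter `read_exising_events` while the definition in winevtlog.c spells it `read_existing_events`. I would add a comment line such as `* If "ignore_missing_channels" is non-zero, channels that cannot be opened are skipped; NULL is still returned when none opens.` and correct the parameter to `int read_existing_events`. The comment block starts outside this hunk.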
