Default to raw api

elastic · Jan 9, 2025 · 57b79e5 · 57b79e5
1 parent 7e25c4d
commit 57b79e5
Show file tree

Hide file tree

Showing 12 changed files with 570 additions and 1,314 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -90,6 +90,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Winlogbeat*
 
 - Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 {pull}35193[35193]
+- Default to use raw api and delete older xml implementation. {pull}[]
 
 *Functionbeat*
 

diff --git a/winlogbeat/eventlog/bench_test.go b/winlogbeat/eventlog/bench_test.go
@@ -58,21 +58,17 @@ func TestBenchmarkRead(t *testing.T) {
 		safeWriteEvent(t, writer, uint32(rand.Int63()%1000), strconv.Itoa(i)+" "+randomSentence(256))
 	}
 
-	for _, api := range []string{winEventLogAPIName, winEventLogExpAPIName} {
-		t.Run("api="+api, func(t *testing.T) {
-			for _, includexml := range []bool{true, false} {
-				for _, batchSize := range []int{10, 100, 500, 1000} {
-					t.Run(fmt.Sprintf("include_xml=%v/batch_size=%d", includexml, batchSize), func(t *testing.T) {
-						result := testing.Benchmark(benchmarkEventLog(api, includexml, batchSize))
-						outputBenchmarkResults(t, result)
-					})
-				}
-			}
-		})
+	for _, includexml := range []bool{true, false} {
+		for _, batchSize := range []int{10, 100, 500, 1000} {
+			t.Run(fmt.Sprintf("include_xml=%v/batch_size=%d", includexml, batchSize), func(t *testing.T) {
+				result := testing.Benchmark(benchmarkEventLog(includexml, batchSize))
+				outputBenchmarkResults(t, result)
+			})
+		}
 	}
 }
 
-func benchmarkEventLog(api string, includexml bool, batchSize int) func(b *testing.B) {
+func benchmarkEventLog(includexml bool, batchSize int) func(b *testing.B) {
 	return func(b *testing.B) {
 		conf := mapstr.M{
 			"name":            providerName,
@@ -81,7 +77,7 @@ func benchmarkEventLog(api string, includexml bool, batchSize int) func(b *testi
 			"include_xml":     includexml,
 		}
 
-		log := openLog(b, api, nil, conf)
+		log := openLog(b, nil, conf)
 		defer log.Close()
 
 		events := 0

diff --git a/winlogbeat/eventlog/cache.go b/winlogbeat/eventlog/cache.go
diff --git a/winlogbeat/eventlog/config.go b/winlogbeat/eventlog/config.go
@@ -0,0 +1,136 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build windows
+
+package eventlog
+
+import (
+	"encoding/xml"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/joeshaw/multierror"
+
+	conf "github.com/elastic/elastic-agent-libs/config"
+)
+
+type validator interface {
+	Validate() error
+}
+
+func readConfig(c *conf.C, config interface{}) error {
+	if err := c.Unpack(config); err != nil {
+		return fmt.Errorf("failed unpacking config. %v", err)
+	}
+
+	if v, ok := config.(validator); ok {
+		if err := v.Validate(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+type config struct {
+	Renderer      string             `config:"renderer"`        // Name of the renderer to use. Optional.
+	Name          string             `config:"name"`            // Name of the event log or channel or file.
+	ID            string             `config:"id"`              // Identifier for the event log.
+	XMLQuery      string             `config:"xml_query"`       // Custom query XML. Must not be used with the keys from eventlog.query.
+	BatchReadSize int                `config:"batch_read_size"` // Maximum number of events that Read will return.
+	IncludeXML    bool               `config:"include_xml"`
+	Forwarded     *bool              `config:"forwarded"`
+	SimpleQuery   query              `config:",inline"`
+	NoMoreEvents  NoMoreEventsAction `config:"no_more_events"` // Action to take when no more events are available - wait or stop.
+	EventLanguage uint32             `config:"language"`
+}
+
+// query contains parameters used to customize the event log data that is
+// queried from the log.
+type query struct {
+	IgnoreOlder time.Duration `config:"ignore_older"` // Ignore records older than this period of time.
+	EventID     string        `config:"event_id"`     // White-list and black-list of events.
+	Level       string        `config:"level"`        // Severity level.
+	Provider    []string      `config:"provider"`     // Provider (source name).
+}
+
+// NoMoreEventsAction defines what action for the reader to take when
+// ERROR_NO_MORE_ITEMS is returned by the Windows API.
+type NoMoreEventsAction uint8
+
+const (
+	// Wait for new events.
+	Wait NoMoreEventsAction = iota
+	// Stop the reader.
+	Stop
+)
+
+var noMoreEventsActionNames = map[NoMoreEventsAction]string{
+	Wait: "wait",
+	Stop: "stop",
+}
+
+// Unpack sets the action based on the string value.
+func (a *NoMoreEventsAction) Unpack(v string) error {
+	v = strings.ToLower(v)
+	for action, name := range noMoreEventsActionNames {
+		if v == name {
+			*a = action
+			return nil
+		}
+	}
+	return fmt.Errorf("invalid no_more_events action: %v", v)
+}
+
+// String returns the name of the action.
+func (a NoMoreEventsAction) String() string { return noMoreEventsActionNames[a] }
+
+// Validate validates the winEventLogConfig data and returns an error describing
+// any problems or nil.
+func (c *config) Validate() error {
+	var errs multierror.Errors
+
+	if c.XMLQuery != "" {
+		if c.ID == "" {
+			errs = append(errs, fmt.Errorf("event log is missing an 'id'"))
+		}
+
+		// Check for XML syntax errors. This does not check the validity of the query itself.
+		if err := xml.Unmarshal([]byte(c.XMLQuery), &struct{}{}); err != nil {
+			errs = append(errs, fmt.Errorf("invalid xml_query: %w", err))
+		}
+
+		switch {
+		case c.Name != "":
+			errs = append(errs, fmt.Errorf("xml_query cannot be used with 'name'"))
+		case c.SimpleQuery.IgnoreOlder != 0:
+			errs = append(errs, fmt.Errorf("xml_query cannot be used with 'ignore_older'"))
+		case c.SimpleQuery.Level != "":
+			errs = append(errs, fmt.Errorf("xml_query cannot be used with 'level'"))
+		case c.SimpleQuery.EventID != "":
+			errs = append(errs, fmt.Errorf("xml_query cannot be used with 'event_id'"))
+		case len(c.SimpleQuery.Provider) != 0:
+			errs = append(errs, fmt.Errorf("xml_query cannot be used with 'provider'"))
+		}
+	} else if c.Name == "" {
+		errs = append(errs, fmt.Errorf("event log is missing a 'name'"))
+	}
+
+	return errs.Err()
+}
diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go
@@ -70,7 +70,6 @@ type EventLog interface {
 type Record struct {
 	winevent.Event
 	File   string                   // Source file when event is from a file.
-	API    string                   // The event log API type used to read the record.
 	XML    string                   // XML representation of the event.
 	Offset checkpoint.EventLogState // Position of the record within its source stream.
 }
@@ -80,7 +79,6 @@ func (e Record) ToEvent() beat.Event {
 	win := e.Fields()
 
 	_ = win.Delete("time_created")
-	_, _ = win.Put("api", e.API)
 
 	m := mapstr.M{
 		"winlog": win,