winlogbeat/sys/wineventlog: don't use strict mode for forwarded events (
#36309) (#36320)

Bookmarks will be stale for forwarded events, so don't set up the
subscription to fail for forwarded events.

(cherry picked from commit ca76790)

Co-authored-by: Dan Kortschak <[email protected]>
mergify[bot] and efd6 authored Aug 15, 2023
1 parent edea2f3 commit e9fd4b2
Showing 2 changed files with 23 additions and 8 deletions.
17 changes: 12 additions & 5 deletions winlogbeat/eventlog/wineventlog.go
Expand Up @@ -277,8 +277,7 @@ func newWinEventLog(options *conf.C) (EventLog, error) {
// efficient and does not attempt to use local message files for rendering
// the event's message.
switch {
case c.Forwarded == nil && c.Name == "ForwardedEvents",
c.Forwarded != nil && *c.Forwarded:
case l.isForwarded():
l.render = func(event win.EvtHandle, out io.Writer) error {
return win.RenderEventXML(event, l.renderBuf, out)
}
Expand All @@ -294,6 +293,11 @@ func newWinEventLog(options *conf.C) (EventLog, error) {
return l, nil
}

func (l *winEventLog) isForwarded() bool {
c := l.config
return (c.Forwarded != nil && *c.Forwarded) || (c.Forwarded == nil && c.Name == "ForwardedEvents")
}

// Name returns the name of the event log (i.e. Application, Security, etc.).
func (l *winEventLog) Name() string {
return l.id
Expand Down Expand Up @@ -382,9 +386,12 @@ func (l *winEventLog) openChannel(bookmark win.EvtHandle) error {

var flags win.EvtSubscribeFlag
if bookmark > 0 {
// Use EvtSubscribeStrict to detect when the bookmark is missing and be able to
// subscribe again from the beginning.
flags = win.EvtSubscribeStartAfterBookmark | win.EvtSubscribeStrict
flags = win.EvtSubscribeStartAfterBookmark
if !l.isForwarded() {
// Use EvtSubscribeStrict to detect when the bookmark is missing and be able to
// subscribe again from the beginning.
flags |= win.EvtSubscribeStrict
}
} else {
flags = win.EvtSubscribeStartAtOldestRecord
}
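Review bot: The non-strict branch in openChannel explains only why strict mode is used for ordinary channels; nothing in the code says why forwarded events are exempt, so the reason given in the commit message (stale bookmarks on ForwardedEvents) is lost to the next reader. Add above `if !l.isForwarded() {` a comment such as `// Bookmarks for forwarded events are expected to be stale, so the subscription is not made strict for them; a missing bookmark then no longer fails the open and is not reported.` — the exact position the subscription resumes from without EvtSubscribeStrict is not visible here and should be checked against the Windows API documentation before being stated. It is also worth recording that the failure path was what let the code detect a missing bookmark and resubscribe from the oldest record, so for forwarded events a gap after a stale bookmark is now silent rather than signalled. isForwarded here is byte-identical to the one added in wineventlog_experimental.go; if both log types share the same config type, a single method on that type (or a package-level func taking the config) would keep the two from drifting. openChannel starts and ends outside the hunk.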
14 changes: 11 additions & 3 deletions winlogbeat/eventlog/wineventlog_experimental.go
Expand Up @@ -135,6 +135,11 @@ func newWinEventLogExp(options *conf.C) (EventLog, error) {
return l, nil
}

func (l *winEventLogExp) isForwarded() bool {
c := l.config
return (c.Forwarded != nil && *c.Forwarded) || (c.Forwarded == nil && c.Name == "ForwardedEvents")
}

// Name returns the name of the event log (i.e. Application, Security, etc.).
func (l *winEventLogExp) Name() string {
return l.id
Expand Down Expand Up @@ -227,9 +232,12 @@ func (l *winEventLogExp) openChannel(bookmark win.Bookmark) (win.EvtHandle, erro

var flags win.EvtSubscribeFlag
if bookmark > 0 {
// Use EvtSubscribeStrict to detect when the bookmark is missing and be able to
// subscribe again from the beginning.
flags = win.EvtSubscribeStartAfterBookmark | win.EvtSubscribeStrict
flags = win.EvtSubscribeStartAfterBookmark
if !l.isForwarded() {
// Use EvtSubscribeStrict to detect when the bookmark is missing and be able to
// subscribe again from the beginning.
flags |= win.EvtSubscribeStrict
}
} else {
flags = win.EvtSubscribeStartAtOldestRecord
}
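Review bot: The new isForwarded method has no doc comment, while the neighbouring Name method does, and the precedence between the explicit Forwarded option and the channel name is easy to misread from the one-line boolean. Suggest `// isForwarded reports whether this log is read as forwarded events: an explicit config.Forwarded wins, and only when it is unset does the channel name "ForwardedEvents" imply it.`; the same comment fits the identical method added in wineventlog.go. The field name `config` and the `Forwarded`/`Name` fields are taken from the hunk; their declared types are outside it.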
