in_winevtlog: Import remoting access patch for winevtlog

Signed-off-by: Hiroshi Hatake <[email protected]>

Author: cosmo0920

plugins/in_winevtlog/in_winevtlog.c

@@ -36,6 +36,120 @@
 static int in_winevtlog_collect(struct flb_input_instance *ins,
                                 struct flb_config *config, void *in_context);
 
+static wchar_t* convert_to_wide(char *str)
+{
+    int size = 0;
+    wchar_t *buf = NULL;
+    DWORD err;
+
+    size = MultiByteToWideChar(CP_UTF8, 0, str, -1, NULL, 0);
+    if (size == 0) {
+        err = GetLastError();
+        flb_error("[in_winevtlog] Failed MultiByteToWideChar with error code (%d)", err);
+        return NULL;
+    }
+
+    buf = flb_calloc(1, sizeof(wchar_t) * size);
+    if (buf == NULL) {
+        flb_errno();
+        return NULL;
+    }
+    size = MultiByteToWideChar(CP_UTF8, 0, str, -1, buf, size);
+    if (size == 0) {
+        err = GetLastError();
+        flb_error("[in_winevtlog] Failed MultiByteToWideChar with error code (%d)", err);
+        flb_free(buf);
+        return NULL;
+    }
+
+    return buf;
+}
+
+static void in_winevtlog_session_destory(struct winevtlog_session *session);
+
+static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_config *ctx,
+                                                             struct flb_config *config,
+                                                             int *status)
+{
+    int len;
+    struct winevtlog_session *session;
+    PWSTR wtmp;
+
+    if (ctx->remote_server == NULL) {
+        *status = WINEVTLOG_SESSION_SERVER_EMPTY;
+        return NULL;
+    }
+
+    session = flb_calloc(1, sizeof(struct winevtlog_session));
+    if (session == NULL) {
+        flb_errno();
+        *status = WINEVTLOG_SESSION_ALLOC_FAILED;
+        return NULL;
+    }
+
+    if (ctx->remote_server != NULL) {
+        session->server = convert_to_wide(ctx->remote_server);
+        if (session->server == NULL) {
+            in_winevtlog_session_destory(session);
+            *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE;
+            return NULL;
+        }
+    }
+
+    if (ctx->remote_domain != NULL) {
+        session->domain = convert_to_wide(ctx->remote_domain);
+        if (session->domain == NULL) {
+            in_winevtlog_session_destory(session);
+            *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE;
+            return NULL;
+        }
+    }
+
+    if (ctx->remote_username != NULL) {
+        session->username = convert_to_wide(ctx->remote_username);
+        if (session->username == NULL) {
+            in_winevtlog_session_destory(session);
+            *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE;
+            return NULL;
+        }
+    }
+
+    if (ctx->remote_password != NULL) {
+        session->password = convert_to_wide(ctx->remote_password);
+        if (session->password == NULL) {
+            in_winevtlog_session_destory(session);
+            *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE;
+            return NULL;
+        }
+    }
+
+    session->flags = EvtRpcLoginAuthDefault;
+    *status = WINEVTLOG_SESSION_CREATE_OK;
+
+    return session;
+}
+
+static void in_winevtlog_session_destory(struct winevtlog_session *session)
+{
+    if (session->server != NULL) {
+        flb_free(session->server);
+    }
+
+    if (session->domain != NULL) {
+        flb_free(session->domain);
+    }
+
+    if (session->username != NULL) {
+        flb_free(session->username);
+    }
+
+    if (session->password != NULL) {
+        flb_free(session->password);
+    }
+
+    flb_free(session);
+}
+
 static int in_winevtlog_init(struct flb_input_instance *in,
                              struct flb_config *config, void *data)
 {
@@ -46,6 +160,8 @@ static int in_winevtlog_init(struct flb_input_instance *in,
     struct mk_list *head;
     struct winevtlog_channel *ch;
     struct winevtlog_config *ctx;
+    struct winevtlog_session *session;
+    int status = WINEVTLOG_SESSION_CREATE_OK;
 
     /* Initialize context */
     ctx = flb_calloc(1, sizeof(struct winevtlog_config));
@@ -72,6 +188,18 @@ static int in_winevtlog_init(struct flb_input_instance *in,
         return -1;
     }
 
+    /* Initialize session context */
+    session = in_winevtlog_session_create(ctx, config, &status);
+    if (status == WINEVTLOG_SESSION_ALLOC_FAILED ||
+        status == WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE) {
+        flb_plg_error(in, "session is not created and invalid with %d", status);
+        return -1;
+    }
+    else if (session == NULL) {
+        flb_plg_debug(in, "session is not created. Connect to local machine.");
+    }
+    ctx->session = session;
+
     /* Set up total reading size threshold */
     if (ctx->total_size_threshold >= MINIMUM_THRESHOLD_SIZE &&
         ctx->total_size_threshold <= MAXIMUM_THRESHOLD_SIZE) {
@@ -235,6 +363,9 @@ static int in_winevtlog_exit(void *data, struct flb_config *config)
     if (ctx->db) {
         flb_sqldb_close(ctx->db);
     }
+    if (ctx->session) {
+        in_winevtlog_session_destory(ctx->session);
+    }
     flb_free(ctx);
 
     return 0;
@@ -296,6 +427,26 @@ static struct flb_config_map config_map[] = {
       0, FLB_TRUE, offsetof(struct winevtlog_config, total_size_threshold),
       "Specify reading limit for collecting Windows EventLog per a cycle"
     },
+    {
+      FLB_CONFIG_MAP_STR, "remote.server", (char *)NULL,
+      0, FLB_TRUE, offsetof(struct winevtlog_config, remote_server),
+      "Specify server name of remote access for Windows EventLog"
+    },
+    {
+      FLB_CONFIG_MAP_STR, "remote.domain", (char *)NULL,
+      0, FLB_TRUE, offsetof(struct winevtlog_config, remote_domain),
+      "Specify domain name of remote access for Windows EventLog"
+    },
+    {
+      FLB_CONFIG_MAP_STR, "remote.username", (char *)NULL,
+      0, FLB_TRUE, offsetof(struct winevtlog_config, remote_username),
+      "Specify username of remote access for Windows EventLog"
+    },
+    {
+      FLB_CONFIG_MAP_STR, "remote.password", (char *)NULL,
+      0, FLB_TRUE, offsetof(struct winevtlog_config, remote_password),
+      "Specify password of remote access for Windows EventLog"
+    },
     /* EOF */
     {0}
 };

plugins/in_winevtlog/winevtlog.c

@@ -30,8 +30,34 @@
 static char* convert_wstr(wchar_t *wstr, UINT codePage);
 static wchar_t* convert_str(char *str);
 
+static EVT_HANDLE
+create_remote_handle(struct winevtlog_session *session, DWORD *error_code)
+{
+    EVT_HANDLE remote = NULL;
+    EVT_RPC_LOGIN credentials;
+
+    RtlZeroMemory(&credentials, sizeof(EVT_RPC_LOGIN));
+
+    credentials.Server = session->server;
+    credentials.Domain = session->domain;
+    credentials.User = session->username;
+    credentials.Password = session->password;
+    credentials.Flags = session->flags;
+
+    remote = EvtOpenSession(EvtRpcLogin, &credentials, 0, 0);
+    if (!remote) {
+        *error_code = GetLastError();
+        return remote;
+    }
+
+    SecureZeroMemory(&credentials, sizeof(EVT_RPC_LOGIN));
+
+    return remote;
+}
+
 struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_existing_events,
-                                              EVT_HANDLE stored_bookmark, const char *query)
+                                              EVT_HANDLE stored_bookmark, const char *query,
+                                              struct winevtlog_session *session)
 {
     struct winevtlog_channel *ch;
     EVT_HANDLE bookmark = NULL;
@@ -40,7 +66,9 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis
     DWORD flags = 0L;
     PWSTR wide_channel = NULL;
     PWSTR wide_query = NULL;
+    EVT_HANDLE remote_handle = NULL;
     void *buf;
+    DWORD err = ERROR_SUCCESS;
 
     ch = flb_calloc(1, sizeof(struct winevtlog_channel));
     if (ch == NULL) {
@@ -78,17 +106,40 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis
         flags |= EvtSubscribeToFutureEvents;
     }
 
+    if (session != NULL) {
+        remote_handle = create_remote_handle(session, &err);
+        if (err != ERROR_SUCCESS) {
+            flb_error("[in_winevtlog] cannot create remote handle '%s' in %ls (%i)",
+                      channel, session->server, err);
+            flb_free(ch->name);
+            if (ch->query != NULL) {
+                flb_free(ch->query);
+            }
+            flb_free(ch);
+            return NULL;
+        }
+
+        flb_debug("[in_winevtlog] created a remote handle for '%s' in %ls",
+                  channel, session->server);
+        ch->session = session;
+        ch->remote = remote_handle;
+    }
+
     /* The wide_query parameter can handle NULL as `*` for retrieving all events.
      * ref. https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe
      */
-    ch->subscription = EvtSubscribe(NULL, signal_event, wide_channel, wide_query,
+    ch->subscription = EvtSubscribe(remote_handle, signal_event, wide_channel, wide_query,
                                     stored_bookmark, NULL, NULL, flags);
+    err = GetLastError();
     if (!ch->subscription) {
-        flb_error("[in_winevtlog] cannot subscribe '%s' (%i)", channel, GetLastError());
+        flb_error("[in_winevtlog] cannot subscribe '%s' (%i)", channel, err);
         flb_free(ch->name);
         if (ch->query != NULL) {
             flb_free(ch->query);
         }
+        if (ch->remote) {
+            EvtClose(ch->remote);
+        }
         flb_free(ch);
         return NULL;
     }
@@ -106,6 +157,9 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis
             if (ch->subscription) {
                 EvtClose(ch->subscription);
             }
+            if (ch->remote) {
+                EvtClose(ch->remote);
+            }
             if (signal_event) {
                 CloseHandle(signal_event);
             }
@@ -141,6 +195,10 @@ static void close_handles(struct winevtlog_channel *ch)
         EvtClose(ch->subscription);
         ch->subscription = NULL;
     }
+    if (ch->remote) {
+        EvtClose(ch->remote);
+        ch->remote = NULL;
+    }
     if (ch->signal_event) {
         CloseHandle(ch->signal_event);
         ch->signal_event = NULL;
@@ -674,7 +732,8 @@ struct mk_list *winevtlog_open_all(const char *channels, struct winevtlog_config
 
     channel = strtok_s(tmp , ",", &state);
     while (channel) {
-        ch = winevtlog_subscribe(channel, ctx->read_existing_events, NULL, ctx->event_query);
+        ch = winevtlog_subscribe(channel, ctx->read_existing_events, NULL, ctx->event_query,
+                                 ctx->session);
         if (ch) {
             mk_list_add(&ch->_head, list);
         }
@@ -809,13 +868,14 @@ int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct flb_sqldb *db)
             bookmark = EvtCreateBookmark(bookmark_xml);
             if (bookmark) {
                 /* re-create subscription handles */
-                re_ch = winevtlog_subscribe(ch->name, FLB_FALSE, bookmark, ch->query);
+                re_ch = winevtlog_subscribe(ch->name, FLB_FALSE, bookmark, ch->query, ch->session);
                 if (re_ch != NULL) {
                     close_handles(ch);
 
                     ch->bookmark = re_ch->bookmark;
                     ch->subscription = re_ch->subscription;
                     ch->signal_event = re_ch->signal_event;
+                    ch->session = re_ch->session;
                 }
                 else {
                     flb_error("Failed to subscribe with bookmark XML: %s\n", record.bookmark_xml);

plugins/in_winevtlog/winevtlog.h

@@ -24,6 +24,8 @@
 #include <winevt.h>
 #include <fluent-bit/flb_log_event_encoder.h>
 
+struct winevtlog_session;
+
 struct winevtlog_config {
     unsigned int interval_sec;
     unsigned int interval_nsec;
@@ -34,6 +36,11 @@ struct winevtlog_config {
     int use_ansi;
     int ignore_missing_channels;
     flb_sds_t event_query;
+    flb_sds_t remote_server;
+    flb_sds_t remote_domain;
+    flb_sds_t remote_username;
+    flb_sds_t remote_password;
+    struct winevtlog_session *session;
 
     struct mk_list *active_channel;
     struct flb_sqldb *db;
@@ -50,9 +57,11 @@ struct winevtlog_config {
 struct winevtlog_channel {
     EVT_HANDLE subscription;
     EVT_HANDLE bookmark;
+    EVT_HANDLE remote;
     HANDLE signal_event;
     EVT_HANDLE events[SUBSCRIBE_ARRAY_SIZE];
     int count;
+    struct winevtlog_session *session;
 
     char *name;
     char *query;
@@ -61,6 +70,19 @@ struct winevtlog_channel {
     struct mk_list _head;
 };
 
+#define WINEVTLOG_SESSION_CREATE_OK              0
+#define WINEVTLOG_SESSION_ALLOC_FAILED           1
+#define WINEVTLOG_SESSION_SERVER_EMPTY           2
+#define WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE 3
+
+struct winevtlog_session {
+    PWSTR server;
+    PWSTR domain;
+    PWSTR username;
+    PWSTR password;
+    EVT_RPC_LOGIN_FLAGS flags;
+};
+
 struct winevtlog_sqlite_record {
     char *name;
     char *bookmark_xml;