From 1729b46e196d1fe82eb366e64199f8f2ebc5a601 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Wed, 21 May 2025 11:21:44 +0900
Subject: [PATCH 1/4] in_winevtlog: Import remoting access patch for winevtlog
Signed-off-by: Hiroshi Hatake
---
 plugins/in_winevtlog/in_winevtlog.c | 151 ++++++++++++++++++++++++++++
 plugins/in_winevtlog/winevtlog.c | 70 ++++++++++++-
 plugins/in_winevtlog/winevtlog.h | 22 ++++
 3 files changed, 238 insertions(+), 5 deletions(-)
diff --git a/plugins/in_winevtlog/in_winevtlog.c b/plugins/in_winevtlog/in_winevtlog.c
index 7b272f9d092..019585105fd 100644
--- a/plugins/in_winevtlog/in_winevtlog.c
+++ b/plugins/in_winevtlog/in_winevtlog.c
@@ -36,6 +36,120 @@ static int in_winevtlog_collect(struct flb_input_instance *ins, struct flb_config *config, void *in_context); +static wchar_t* convert_to_wide(char *str) +{ + int size = 0; + wchar_t *buf = NULL; + DWORD err; + + size = MultiByteToWideChar(CP_UTF8, 0, str, -1, NULL, 0); + if (size == 0) { + err = GetLastError(); + flb_error("[in_winevtlog] Failed MultiByteToWideChar with error code (%d)", err); + return NULL; + } + + buf = flb_calloc(1, sizeof(wchar_t) * size); + if (buf == NULL) { + flb_errno(); + return NULL; + } + size = MultiByteToWideChar(CP_UTF8, 0, str, -1, buf, size); + if (size == 0) { + err = GetLastError(); + flb_error("[in_winevtlog] Failed MultiByteToWideChar with error code (%d)", err); + flb_free(buf); + return NULL; + } + + return buf; +} + +static void in_winevtlog_session_destory(struct winevtlog_session *session); + +static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_config *ctx, + struct flb_config *config, + int *status) +{ + int len; + struct winevtlog_session *session; + PWSTR wtmp; + + if (ctx->remote_server == NULL) { + *status = WINEVTLOG_SESSION_SERVER_EMPTY; + return NULL; + } + + session = flb_calloc(1, sizeof(struct winevtlog_session)); + if (session == NULL) { + flb_errno(); + *status = WINEVTLOG_SESSION_ALLOC_FAILED; + return NULL; + } + + if (ctx->remote_server != NULL) { + session->server = convert_to_wide(ctx->remote_server); + if (session->server == NULL) { + in_winevtlog_session_destory(session); + *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; + return NULL; + } + } + + if (ctx->remote_domain != NULL) { + session->domain = convert_to_wide(ctx->remote_domain); + if (session->domain == NULL) { + in_winevtlog_session_destory(session); + *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; + return NULL; + } + } + + if (ctx->remote_username != NULL) { + session->username = convert_to_wide(ctx->remote_username); + if (session->username == NULL) { + 
in_winevtlog_session_destory(session); + *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; + return NULL; + } + } + + if (ctx->remote_password != NULL) { + session->password = convert_to_wide(ctx->remote_password); + if (session->password == NULL) { + in_winevtlog_session_destory(session); + *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; + return NULL; + } + } + + session->flags = EvtRpcLoginAuthDefault; + *status = WINEVTLOG_SESSION_CREATE_OK; + + return session; +} + +static void in_winevtlog_session_destory(struct winevtlog_session *session) +{ + if (session->server != NULL) { + flb_free(session->server); + } + + if (session->domain != NULL) { + flb_free(session->domain); + } + + if (session->username != NULL) { + flb_free(session->username); + } + + if (session->password != NULL) { + flb_free(session->password); + } + + flb_free(session); +} + static int in_winevtlog_init(struct flb_input_instance *in, struct flb_config *config, void *data) { @@ -46,6 +160,8 @@ static int in_winevtlog_init(struct flb_input_instance *in, struct mk_list *head; struct winevtlog_channel *ch; struct winevtlog_config *ctx; + struct winevtlog_session *session; + int status = WINEVTLOG_SESSION_CREATE_OK; /* Initialize context */ ctx = flb_calloc(1, sizeof(struct winevtlog_config)); @@ -72,6 +188,18 @@ static int in_winevtlog_init(struct flb_input_instance *in, return -1; } + /* Initialize session context */ + session = in_winevtlog_session_create(ctx, config, &status); + if (status == WINEVTLOG_SESSION_ALLOC_FAILED || + status == WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE) { + flb_plg_error(in, "session is not created and invalid with %d", status); + return -1; + } + else if (session == NULL) { + flb_plg_debug(in, "session is not created. Connect to local machine."); + } + ctx->session = session; + /* Set up total reading size threshold */ if (ctx->total_size_threshold >= MINIMUM_THRESHOLD_SIZE && ctx->total_size_threshold <= MAXIMUM_THRESHOLD_SIZE) { 
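Review bot: in_winevtlog_session_destory releases session->password with a plain flb_free, so the clear-text wide copy of the password produced by convert_to_wide remains in freed heap memory; the SecureZeroMemory in create_remote_handle (winevtlog.c, hunk at -30) only wipes the EVT_RPC_LOGIN struct of pointers, never the string it points to. Scrub the buffer before releasing it: `if (session->password != NULL) { SecureZeroMemory(session->password, wcslen(session->password) * sizeof(wchar_t)); flb_free(session->password); }`. Separately, in in_winevtlog_session_create the `if (ctx->remote_server != NULL)` guard is always true after the early return just above it, `config`, `len` and `wtmp` are unused, and convert_to_wide prints a DWORD with `%d` where `%lu` matches the type. Both session helpers are complete within the hunk; in_winevtlog_init starts at its end and continues outside it.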
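Review bot: The new failure path for WINEVTLOG_SESSION_ALLOC_FAILED / WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE returns -1 without releasing ctx, while the encoder-failure path a few lines earlier in the same function (visible in patch 2/4, hunk at -177) does `flb_free(ctx);` before returning; whatever teardown the later failure paths of in_winevtlog_init perform (the function continues outside this hunk) is needed here too, at minimum `flb_free(ctx);` ahead of `return -1;`. Also, WINEVTLOG_SESSION_SERVER_EMPTY silently discards remote.domain, remote.username and remote.password whenever remote.server is unset, so a typo in the server key quietly falls back to reading the local log; a `flb_plg_warn(in, "remote.* credentials set but remote.server is empty; reading local machine")` when any of those three is non-NULL would make that visible to the operator.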
@@ -235,6 +363,9 @@ static int in_winevtlog_exit(void *data, struct flb_config *config)
 if (ctx->db) {
 flb_sqldb_close(ctx->db);
 }
+ if (ctx->session) {
+ in_winevtlog_session_destory(ctx->session);
+ }
 flb_free(ctx);
 return 0;
@@ -296,6 +427,26 @@ static struct flb_config_map config_map[] = {
 0, FLB_TRUE, offsetof(struct winevtlog_config, total_size_threshold),
 "Specify reading limit for collecting Windows EventLog per a cycle"
 },
+ {
+ FLB_CONFIG_MAP_STR, "remote.server", (char *)NULL,
+ 0, FLB_TRUE, offsetof(struct winevtlog_config, remote_server),
+ "Specify server name of remote access for Windows EventLog"
+ },
+ {
+ FLB_CONFIG_MAP_STR, "remote.domain", (char *)NULL,
+ 0, FLB_TRUE, offsetof(struct winevtlog_config, remote_domain),
+ "Specify domain name of remote access for Windows EventLog"
+ },
+ {
+ FLB_CONFIG_MAP_STR, "remote.username", (char *)NULL,
+ 0, FLB_TRUE, offsetof(struct winevtlog_config, remote_username),
+ "Specify username of remote access for Windows EventLog"
+ },
+ {
+ FLB_CONFIG_MAP_STR, "remote.password", (char *)NULL,
+ 0, FLB_TRUE, offsetof(struct winevtlog_config, remote_password),
+ "Specify password of remote access for Windows EventLog"
+ },
 /* EOF */
 {0}
 };
diff --git a/plugins/in_winevtlog/winevtlog.c b/plugins/in_winevtlog/winevtlog.c
index ef2090a13a8..0c0e49ab0c8 100644
--- a/plugins/in_winevtlog/winevtlog.c
+++ b/plugins/in_winevtlog/winevtlog.c
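Review bot: The help strings for remote.domain, remote.username and remote.password do not say that they are ignored unless remote.server is also set, which is what in_winevtlog_session_create does (it returns WINEVTLOG_SESSION_SERVER_EMPTY before reading the other three fields). Suggest `"Specify password of remote access for Windows EventLog (only used when remote.server is set)"` and the same suffix on the domain and username entries. The password entry should also say that the value is taken verbatim from the configuration file and kept in memory for the lifetime of the input, so operators know to protect the file accordingly.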
@@ -30,8 +30,34 @@
 static char* convert_wstr(wchar_t *wstr, UINT codePage);
 static wchar_t* convert_str(char *str);
+static EVT_HANDLE
+create_remote_handle(struct winevtlog_session *session, DWORD *error_code)
+{
+ EVT_HANDLE remote = NULL;
+ EVT_RPC_LOGIN credentials;
+
+ RtlZeroMemory(&credentials, sizeof(EVT_RPC_LOGIN));
+
+ credentials.Server = session->server;
+ credentials.Domain = session->domain;
+ credentials.User = session->username;
+ credentials.Password = session->password;
+ credentials.Flags = session->flags;
+
+ remote = EvtOpenSession(EvtRpcLogin, &credentials, 0, 0);
+ if (!remote) {
+ *error_code = GetLastError();
+ return remote;
+ }
+
+ SecureZeroMemory(&credentials, sizeof(EVT_RPC_LOGIN));
+
+ return remote;
+}
+
 struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_existing_events,
- EVT_HANDLE stored_bookmark, const char *query)
+ EVT_HANDLE stored_bookmark, const char *query,
+ struct winevtlog_session *session)
 {
 struct winevtlog_channel *ch;
 EVT_HANDLE bookmark = NULL;
@@ -40,7 +66,9 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis
 DWORD flags = 0L;
 PWSTR wide_channel = NULL;
 PWSTR wide_query = NULL;
+ EVT_HANDLE remote_handle = NULL;
 void *buf;
+ DWORD err = ERROR_SUCCESS;
 ch = flb_calloc(1, sizeof(struct winevtlog_channel));
 if (ch == NULL) {
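Review bot: create_remote_handle scrubs the EVT_RPC_LOGIN copy only on the success path; when EvtOpenSession fails it returns with `credentials` left intact, so the two paths are inconsistent for no reason. Move `SecureZeroMemory(&credentials, sizeof(EVT_RPC_LOGIN));` above the `if (!remote)` check so it runs on both, and add a comment that the struct only borrows the session's buffers: `/* credentials holds pointers into session; the strings are owned by the caller */`. Note also that `*error_code` is written only on failure, so callers must pre-initialise it — winevtlog_subscribe does (`DWORD err = ERROR_SUCCESS;`), but that contract deserves a line in the function comment.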
@@ -78,17 +106,40 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis flags |= EvtSubscribeToFutureEvents; } + if (session != NULL) { + remote_handle = create_remote_handle(session, &err); + if (err != ERROR_SUCCESS) { + flb_error("[in_winevtlog] cannot create remote handle '%s' in %ls (%i)", + channel, session->server, err); + flb_free(ch->name); + if (ch->query != NULL) { + flb_free(ch->query); + } + flb_free(ch); + return NULL; + } + + flb_debug("[in_winevtlog] created a remote handle for '%s' in %ls", + channel, session->server); + ch->session = session; + ch->remote = remote_handle; + } + /* The wide_query parameter can handle NULL as `*` for retrieving all events. * ref. https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe */ - ch->subscription = EvtSubscribe(NULL, signal_event, wide_channel, wide_query, + ch->subscription = EvtSubscribe(remote_handle, signal_event, wide_channel, wide_query, stored_bookmark, NULL, NULL, flags); + err = GetLastError(); if (!ch->subscription) { - flb_error("[in_winevtlog] cannot subscribe '%s' (%i)", channel, GetLastError()); + flb_error("[in_winevtlog] cannot subscribe '%s' (%i)", channel, err); flb_free(ch->name); if (ch->query != NULL) { flb_free(ch->query); } + if (ch->remote) { + EvtClose(ch->remote); + } flb_free(ch); return NULL; } @@ -106,6 +157,9 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis if (ch->subscription) { EvtClose(ch->subscription); } + if (ch->remote) { + EvtClose(ch->remote); + } if (signal_event) { CloseHandle(signal_event); } @@ -141,6 +195,10 @@ static void close_handles(struct winevtlog_channel *ch) EvtClose(ch->subscription); ch->subscription = NULL; } + if (ch->remote) { + EvtClose(ch->remote); + ch->remote = NULL; + } if (ch->signal_event) { CloseHandle(ch->signal_event); ch->signal_event = NULL; 
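Review bot: The new early return after a failed create_remote_handle frees ch->name, ch->query and ch but nothing else, yet wide_channel, wide_query and signal_event are all passed to EvtSubscribe a few lines below, so they are already allocated at this point (their creation is outside the hunk); the later failure path in this function (-163) closes signal_event and frees wide_channel, which suggests the new path — and the existing EvtSubscribe failure path beside it — leaks them. Add `if (signal_event) { CloseHandle(signal_event); } flb_free(wide_channel); if (wide_query != NULL) { flb_free(wide_query); }` to the new path, adjusting to how wide_query is actually allocated, which the hunk does not show. Also `err = GetLastError();` is evaluated even when EvtSubscribe succeeds; harmless here, but reading it inside the `if (!ch->subscription)` branch keeps the intent clear. winevtlog_subscribe continues outside the hunk.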
@@ -674,7 +732,8 @@ struct mk_list *winevtlog_open_all(const char *channels, struct winevtlog_config
 channel = strtok_s(tmp , ",", &state);
 while (channel) {
- ch = winevtlog_subscribe(channel, ctx->read_existing_events, NULL, ctx->event_query);
+ ch = winevtlog_subscribe(channel, ctx->read_existing_events, NULL, ctx->event_query,
+ ctx->session);
 if (ch) {
 mk_list_add(&ch->_head, list);
 }
@@ -809,13 +868,14 @@ int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct flb_sqldb *db)
 bookmark = EvtCreateBookmark(bookmark_xml);
 if (bookmark) {
 /* re-create subscription handles */
- re_ch = winevtlog_subscribe(ch->name, FLB_FALSE, bookmark, ch->query);
+ re_ch = winevtlog_subscribe(ch->name, FLB_FALSE, bookmark, ch->query, ch->session);
 if (re_ch != NULL) {
 close_handles(ch);
 ch->bookmark = re_ch->bookmark;
 ch->subscription = re_ch->subscription;
 ch->signal_event = re_ch->signal_event;
+ ch->session = re_ch->session;
 }
 else {
 flb_error("Failed to subscribe with bookmark XML: %s\n", record.bookmark_xml);
diff --git a/plugins/in_winevtlog/winevtlog.h b/plugins/in_winevtlog/winevtlog.h
index 20b5749d6a3..d6054a0aeb3 100644
--- a/plugins/in_winevtlog/winevtlog.h
+++ b/plugins/in_winevtlog/winevtlog.h
@@ -24,6 +24,8 @@
 #include
 #include
+struct winevtlog_session;
+
 struct winevtlog_config {
 unsigned int interval_sec;
 unsigned int interval_nsec;
@@ -34,6 +36,11 @@ struct winevtlog_config {
 int use_ansi;
 int ignore_missing_channels;
 flb_sds_t event_query;
+ flb_sds_t remote_server;
+ flb_sds_t remote_domain;
+ flb_sds_t remote_username;
+ flb_sds_t remote_password;
+ struct winevtlog_session *session;
 struct mk_list *active_channel;
 struct flb_sqldb *db;
@@ -50,9 +57,11 @@ struct winevtlog_config {
 struct winevtlog_channel {
 EVT_HANDLE subscription;
 EVT_HANDLE bookmark;
+ EVT_HANDLE remote;
 HANDLE signal_event;
 EVT_HANDLE events[SUBSCRIBE_ARRAY_SIZE];
 int count;
+ struct winevtlog_session *session;
 char *name;
 char *query;
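Review bot: After the re-subscription succeeds, ch takes over re_ch->bookmark, ->subscription, ->signal_event and now ->session, but not re_ch->remote, even though close_handles(ch) (hunk at -141 in this file) has just closed and cleared ch->remote. The EVT_HANDLE from EvtOpenSession that the new subscription was created against is therefore either leaked or closed together with re_ch, depending on how re_ch is disposed of after this hunk (outside the view); add `ch->remote = re_ch->remote;` next to the session assignment and make sure re_ch's disposal does not EvtClose it. A comment on the new ch->session field in winevtlog.h saying it is a non-owning pointer to the plugin-wide session released in in_winevtlog_exit would prevent a future close_handles from freeing it.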
@@ -61,6 +70,19 @@ struct winevtlog_channel { struct mk_list _head; }; +#define WINEVTLOG_SESSION_CREATE_OK 0 +#define WINEVTLOG_SESSION_ALLOC_FAILED 1 +#define WINEVTLOG_SESSION_SERVER_EMPTY 2 +#define WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE 3 + +struct winevtlog_session { + PWSTR server; + PWSTR domain; + PWSTR username; + PWSTR password; + EVT_RPC_LOGIN_FLAGS flags; +}; + struct winevtlog_sqlite_record { char *name; char *bookmark_xml; From e75b7234cc5dfa35000558f6acf5117f47ba1fdb Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 21 May 2025 11:31:28 +0900 Subject: [PATCH 2/4] in_winevtlog: Suppress warnings Signed-off-by: Hiroshi Hatake --- plugins/in_winevtlog/in_winevtlog.c | 2 +- plugins/in_winevtlog/pack.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/plugins/in_winevtlog/in_winevtlog.c b/plugins/in_winevtlog/in_winevtlog.c index 019585105fd..e50662e00f1 100644 --- a/plugins/in_winevtlog/in_winevtlog.c +++ b/plugins/in_winevtlog/in_winevtlog.c @@ -177,7 +177,7 @@ static int in_winevtlog_init(struct flb_input_instance *in, flb_plg_error(in, "could not initialize event encoder"); flb_free(ctx); - return NULL; + return -1; } /* Load the config map */ diff --git a/plugins/in_winevtlog/pack.c b/plugins/in_winevtlog/pack.c index 734839e30f3..a9fd104ad9c 100644 --- a/plugins/in_winevtlog/pack.c +++ b/plugins/in_winevtlog/pack.c @@ -34,7 +34,7 @@ static int pack_nullstr(struct winevtlog_config *ctx) { - flb_log_event_encoder_append_body_cstring(ctx->log_encoder, ""); + return flb_log_event_encoder_append_body_cstring(ctx->log_encoder, ""); } static int pack_wstr(struct winevtlog_config *ctx, const wchar_t *wstr) @@ -314,6 +314,8 @@ static int pack_sid(struct winevtlog_config *ctx, PSID sid, int extract_sid) _snprintf_s(formatted, result_len, _TRUNCATE, "%s\\%s", domain, account); + size = strlen(formatted); + if (size > 0) { flb_log_event_encoder_append_body_cstring(ctx->log_encoder, formatted); 
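Review bot: struct winevtlog_session and the WINEVTLOG_SESSION_* codes are added without a word on ownership or meaning, and the four `#define`s read naturally as an enum: `enum { WINEVTLOG_SESSION_CREATE_OK = 0, WINEVTLOG_SESSION_ALLOC_FAILED, WINEVTLOG_SESSION_SERVER_EMPTY, WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE };`, with a one-line comment that SERVER_EMPTY is the not-configured (local machine) case rather than an error, which is how in_winevtlog_init treats it. On the struct, state that each string is a heap-allocated wide copy owned by the struct and freed by the session destroy function in in_winevtlog.c, and mark the sensitive field: `PWSTR password; /* clear-text copy of remote.password, owned here */`. The pack.c hunk at -314 in patch 2/4 below is cut off in this rendering, so it gets no note.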
From e2eec7baf48bc0943fc101902edfafaa68a457ae Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 21 May 2025 13:43:16 +0900 Subject: [PATCH 3/4] in_winevtlog: Address comments Signed-off-by: Hiroshi Hatake --- plugins/in_winevtlog/in_winevtlog.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/plugins/in_winevtlog/in_winevtlog.c b/plugins/in_winevtlog/in_winevtlog.c index e50662e00f1..08247f760e2 100644 --- a/plugins/in_winevtlog/in_winevtlog.c +++ b/plugins/in_winevtlog/in_winevtlog.c @@ -65,7 +65,7 @@ static wchar_t* convert_to_wide(char *str) return buf; } -static void in_winevtlog_session_destory(struct winevtlog_session *session); +static void in_winevtlog_session_destroy(struct winevtlog_session *session); static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_config *ctx, struct flb_config *config, @@ -90,7 +90,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co if (ctx->remote_server != NULL) { session->server = convert_to_wide(ctx->remote_server); if (session->server == NULL) { - in_winevtlog_session_destory(session); + in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; return NULL; } @@ -99,7 +99,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co if (ctx->remote_domain != NULL) { session->domain = convert_to_wide(ctx->remote_domain); if (session->domain == NULL) { - in_winevtlog_session_destory(session); + in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; return NULL; } @@ -108,7 +108,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co if (ctx->remote_username != NULL) { session->username = convert_to_wide(ctx->remote_username); if (session->username == NULL) { - in_winevtlog_session_destory(session); + in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; return NULL; } 
@@ -117,7 +117,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co if (ctx->remote_password != NULL) { session->password = convert_to_wide(ctx->remote_password); if (session->password == NULL) { - in_winevtlog_session_destory(session); + in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; return NULL; } @@ -129,7 +129,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co return session; } -static void in_winevtlog_session_destory(struct winevtlog_session *session) +static void in_winevtlog_session_destroy(struct winevtlog_session *session) { if (session->server != NULL) { flb_free(session->server); @@ -192,11 +192,11 @@ static int in_winevtlog_init(struct flb_input_instance *in, session = in_winevtlog_session_create(ctx, config, &status); if (status == WINEVTLOG_SESSION_ALLOC_FAILED || status == WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE) { - flb_plg_error(in, "session is not created and invalid with %d", status); + flb_plg_error(in, "session is not created and invalid with status %d", status); return -1; } else if (session == NULL) { - flb_plg_debug(in, "session is not created. Connect to local machine."); + flb_plg_debug(in, "connect to local machine"); } ctx->session = session; @@ -364,7 +364,7 @@ static int in_winevtlog_exit(void *data, struct flb_config *config) flb_sqldb_close(ctx->db); } if (ctx->session) { - in_winevtlog_session_destory(ctx->session); + in_winevtlog_session_destroy(ctx->session); } flb_free(ctx); From 276ec47a9503f97a03891649280744f81790a745 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Thu, 22 May 2025 02:07:15 +0900 Subject: [PATCH 4/4] in_winevtlog: Use flb_plg_ style of log functions 
Signed-off-by: Hiroshi Hatake --- plugins/in_winevtlog/in_winevtlog.c | 19 ++++++++--------- plugins/in_winevtlog/winevtlog.c | 33 ++++++++++++++++------------- plugins/in_winevtlog/winevtlog.h | 5 +++-- 3 files changed, 30 insertions(+), 27 deletions(-) diff --git a/plugins/in_winevtlog/in_winevtlog.c b/plugins/in_winevtlog/in_winevtlog.c index 08247f760e2..a187a189fad 100644 --- a/plugins/in_winevtlog/in_winevtlog.c +++ b/plugins/in_winevtlog/in_winevtlog.c @@ -19,7 +19,6 @@ */ #include -#include #include #include #include @@ -36,7 +35,7 @@ static int in_winevtlog_collect(struct flb_input_instance *ins, struct flb_config *config, void *in_context); -static wchar_t* convert_to_wide(char *str) +static wchar_t* convert_to_wide(struct winevtlog_config *ctx, char *str) { int size = 0; wchar_t *buf = NULL; @@ -45,7 +44,7 @@ static wchar_t* convert_to_wide(char *str) size = MultiByteToWideChar(CP_UTF8, 0, str, -1, NULL, 0); if (size == 0) { err = GetLastError(); - flb_error("[in_winevtlog] Failed MultiByteToWideChar with error code (%d)", err); + flb_plg_error(ctx->ins, "Failed MultiByteToWideChar with error code (%d)", err); return NULL; } @@ -57,7 +56,7 @@ static wchar_t* convert_to_wide(char *str) size = MultiByteToWideChar(CP_UTF8, 0, str, -1, buf, size); if (size == 0) { err = GetLastError(); - flb_error("[in_winevtlog] Failed MultiByteToWideChar with error code (%d)", err); + flb_plg_error(ctx->ins, "Failed MultiByteToWideChar with error code (%d)", err); flb_free(buf); return NULL; } @@ -88,7 +87,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co } if (ctx->remote_server != NULL) { - session->server = convert_to_wide(ctx->remote_server); + session->server = convert_to_wide(ctx, ctx->remote_server); if (session->server == NULL) { in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; 
@@ -97,7 +96,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co } if (ctx->remote_domain != NULL) { - session->domain = convert_to_wide(ctx->remote_domain); + session->domain = convert_to_wide(ctx, ctx->remote_domain); if (session->domain == NULL) { in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; @@ -106,7 +105,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co } if (ctx->remote_username != NULL) { - session->username = convert_to_wide(ctx->remote_username); + session->username = convert_to_wide(ctx, ctx->remote_username); if (session->username == NULL) { in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; @@ -115,7 +114,7 @@ static struct winevtlog_session *in_winevtlog_session_create(struct winevtlog_co } if (ctx->remote_password != NULL) { - session->password = convert_to_wide(ctx->remote_password); + session->password = convert_to_wide(ctx, ctx->remote_password); if (session->password == NULL) { in_winevtlog_session_destroy(session); *status = WINEVTLOG_SESSION_FAILED_TO_CONVERT_WIDE; @@ -268,7 +267,7 @@ static int in_winevtlog_init(struct flb_input_instance *in, mk_list_foreach(head, ctx->active_channel) { ch = mk_list_entry(head, struct winevtlog_channel, _head); - winevtlog_sqlite_load(ch, ctx->db); + winevtlog_sqlite_load(ch, ctx, ctx->db); flb_plg_debug(ctx->ins, "load channel<%s time=%u>", ch->name, ch->time_created); } @@ -310,7 +309,7 @@ static int in_winevtlog_read_channel(struct flb_input_instance *ins, ch->time_updated = time(NULL); flb_plg_debug(ctx->ins, "save channel<%s time=%u>", ch->name, ch->time_updated); - winevtlog_sqlite_save(ch, ctx->db); + winevtlog_sqlite_save(ch, ctx, ctx->db); } if (ctx->log_encoder->output_length > 0) { diff --git a/plugins/in_winevtlog/winevtlog.c b/plugins/in_winevtlog/winevtlog.c index 0c0e49ab0c8..8f46b11d940 100644 --- a/plugins/in_winevtlog/winevtlog.c 
+++ b/plugins/in_winevtlog/winevtlog.c @@ -55,7 +55,7 @@ create_remote_handle(struct winevtlog_session *session, DWORD *error_code) return remote; } -struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_existing_events, +struct winevtlog_channel *winevtlog_subscribe(const char *channel, struct winevtlog_config *ctx, EVT_HANDLE stored_bookmark, const char *query, struct winevtlog_session *session) { @@ -100,7 +100,7 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis if (stored_bookmark) { flags |= EvtSubscribeStartAfterBookmark; - } else if (read_existing_events) { + } else if (ctx->read_existing_events) { flags |= EvtSubscribeStartAtOldestRecord; } else { flags |= EvtSubscribeToFutureEvents; @@ -109,7 +109,7 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis if (session != NULL) { remote_handle = create_remote_handle(session, &err); if (err != ERROR_SUCCESS) { - flb_error("[in_winevtlog] cannot create remote handle '%s' in %ls (%i)", + flb_plg_error(ctx->ins, "cannot create remote handle '%s' in %ls (%i)", channel, session->server, err); flb_free(ch->name); if (ch->query != NULL) { @@ -119,7 +119,7 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis return NULL; } - flb_debug("[in_winevtlog] created a remote handle for '%s' in %ls", + flb_plg_debug(ctx->ins, "created a remote handle for '%s' in %ls", channel, session->server); ch->session = session; ch->remote = remote_handle; @@ -132,7 +132,7 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis stored_bookmark, NULL, NULL, flags); err = GetLastError(); if (!ch->subscription) { - flb_error("[in_winevtlog] cannot subscribe '%s' (%i)", channel, err); + flb_plg_error(ctx->ins, "cannot subscribe '%s' (%i)", channel, err); flb_free(ch->name); if (ch->query != NULL) { flb_free(ch->query); 
@@ -163,7 +163,7 @@ struct winevtlog_channel *winevtlog_subscribe(const char *channel, int read_exis if (signal_event) { CloseHandle(signal_event); } - flb_error("[in_winevtlog] cannot subscribe '%s' (%i)", channel, GetLastError()); + flb_plg_error(ctx->ins, "cannot subscribe '%s' (%i)", channel, GetLastError()); flb_free(wide_channel); flb_free(ch->name); if (ch->query != NULL) { @@ -732,7 +732,7 @@ struct mk_list *winevtlog_open_all(const char *channels, struct winevtlog_config channel = strtok_s(tmp , ",", &state); while (channel) { - ch = winevtlog_subscribe(channel, ctx->read_existing_events, NULL, ctx->event_query, + ch = winevtlog_subscribe(channel, ctx, NULL, ctx->event_query, ctx->session); if (ch) { mk_list_add(&ch->_head, list); @@ -839,7 +839,7 @@ static char* convert_wstr(wchar_t *wstr, UINT codePage) /* * Load the bookmark from SQLite DB. */ -int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct flb_sqldb *db) +int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct winevtlog_config *ctx, struct flb_sqldb *db) { int ret; char query[1024]; @@ -868,7 +868,10 @@ int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct flb_sqldb *db) bookmark = EvtCreateBookmark(bookmark_xml); if (bookmark) { /* re-create subscription handles */ - re_ch = winevtlog_subscribe(ch->name, FLB_FALSE, bookmark, ch->query, ch->session); + if (ctx) { + ctx->read_existing_events = FLB_FALSE; + } + re_ch = winevtlog_subscribe(ch->name, ctx, bookmark, ch->query, ch->session); if (re_ch != NULL) { close_handles(ch); 
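Review bot: Setting `ctx->read_existing_events = FLB_FALSE` here rewrites the plugin's configuration as a side effect of re-subscribing one channel, and it is unnecessary: this code runs inside `if (bookmark)`, and with a non-NULL stored_bookmark winevtlog_subscribe selects EvtSubscribeStartAfterBookmark before it ever consults ctx->read_existing_events (hunk at -100 above in this patch). The three lines `if (ctx) { ctx->read_existing_events = FLB_FALSE; }` can simply be dropped. The `if (ctx)` guard is also at odds with the unconditional `ctx->ins` dereferences in the next hunk (-878) and inside winevtlog_subscribe itself; either ctx is guaranteed non-NULL, making the guard dead, or those calls crash first, so the guard gives no protection. winevtlog_sqlite_load continues past the hunk.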
@@ -878,12 +881,12 @@ int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct flb_sqldb *db) ch->session = re_ch->session; } else { - flb_error("Failed to subscribe with bookmark XML: %s\n", record.bookmark_xml); + flb_plg_error(ctx->ins, "Failed to subscribe with bookmark XML: %s\n", record.bookmark_xml); ch->bookmark = EvtCreateBookmark(NULL); } } else { - flb_error("Failed to load bookmark XML with %d\n", GetLastError()); + flb_plg_error(ctx->ins, "Failed to load bookmark XML with %d\n", GetLastError()); ch->bookmark = EvtCreateBookmark(NULL); } } @@ -897,7 +900,7 @@ int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct flb_sqldb *db) /* * Save the bookmark into SQLite DB. */ -int winevtlog_sqlite_save(struct winevtlog_channel *ch, struct flb_sqldb *db) +int winevtlog_sqlite_save(struct winevtlog_channel *ch, struct winevtlog_config *ctx, struct flb_sqldb *db) { int ret; char query[1024]; @@ -907,14 +910,14 @@ int winevtlog_sqlite_save(struct winevtlog_channel *ch, struct flb_sqldb *db) wide_bookmark_xml = render_event(ch->bookmark, EvtRenderBookmark, &used_size); if (wide_bookmark_xml == NULL) { - flb_error("failed to render bookmark with %d", GetLastError()); + flb_plg_error(ctx->ins, "failed to render bookmark with %d", GetLastError()); flb_free(wide_bookmark_xml); return -1; } bookmark_xml = convert_wstr(wide_bookmark_xml, CP_UTF8); if (bookmark_xml == NULL) { - flb_error("failed to convert Wider string with %d", GetLastError()); + flb_plg_error(ctx->ins, "failed to convert Wider string with %d", GetLastError()); flb_free(wide_bookmark_xml); flb_free(bookmark_xml); @@ -926,7 +929,7 @@ int winevtlog_sqlite_save(struct winevtlog_channel *ch, struct flb_sqldb *db) ret = flb_sqldb_query(db, query, NULL, NULL); if (ret == FLB_ERROR) { - flb_error("failed to save db with %d", GetLastError()); + flb_plg_error(ctx->ins, "failed to save db with %d", GetLastError()); flb_free(wide_bookmark_xml); flb_free(bookmark_xml); 
diff --git a/plugins/in_winevtlog/winevtlog.h b/plugins/in_winevtlog/winevtlog.h index d6054a0aeb3..7b55698a99a 100644 --- a/plugins/in_winevtlog/winevtlog.h +++ b/plugins/in_winevtlog/winevtlog.h @@ -23,6 +23,7 @@ #include #include +#include struct winevtlog_session; @@ -120,8 +121,8 @@ void winevtlog_pack_event(PEVT_VARIANT system, WCHAR *message, /* * Save the read offset to disk. */ -int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct flb_sqldb *db); -int winevtlog_sqlite_save(struct winevtlog_channel *ch, struct flb_sqldb *db); +int winevtlog_sqlite_load(struct winevtlog_channel *ch, struct winevtlog_config *ctx, struct flb_sqldb *db); +int winevtlog_sqlite_save(struct winevtlog_channel *ch, struct winevtlog_config *ctx, struct flb_sqldb *db); /* * SQL templates