Beispiel #1
0
func (eb *Winlogbeat) processEventLog(
	wg *sync.WaitGroup,
	api eventlog.EventLog,
	state checkpoint.EventLogState,
) {
	defer wg.Done()

	err := api.Open(state.RecordNumber)
	if err != nil {
		logp.Warn("EventLog[%s] Open() error. No events will be read from "+
			"this source. %v", api.Name(), err)
		return
	}
	defer func() {
		logp.Info("EventLog[%s] Stop processing.", api.Name())

		if err := api.Close(); err != nil {
			logp.Warn("EventLog[%s] Close() error. %v", api.Name(), err)
			return
		}
	}()

	debugf("EventLog[%s] opened successfully", api.Name())

	for {
		select {
		case <-eb.done:
			return
		default:
		}

		// Read from the event.
		records, err := api.Read()
		if err != nil {
			logp.Warn("EventLog[%s] Read() error: %v", api.Name(), err)
			break
		}
		debugf("EventLog[%s] Read() returned %d records", api.Name(), len(records))
		if len(records) == 0 {
			// TODO: Consider implementing notifications using
			// NotifyChangeEventLog instead of polling.
			time.Sleep(time.Second)
			continue
		}

		events := make([]common.MapStr, 0, len(records))
		for _, lr := range records {
			events = append(events, lr.ToMapStr())
		}

		// Publish events.
		numEvents := int64(len(events))
		ok := eb.client.PublishEvents(events, publisher.Sync, publisher.Guaranteed)
		if !ok {
			// due to using Sync and Guaranteed the ok will only be false on shutdown.
			// Do not update the internal state and return in this case
			return
		}

		publishedEvents.Add("total", numEvents)
		publishedEvents.Add(api.Name(), numEvents)
		logp.Info("EventLog[%s] Successfully published %d events",
			api.Name(), numEvents)

		eb.checkpoint.Persist(api.Name(),
			records[len(records)-1].RecordID,
			records[len(records)-1].TimeCreated.SystemTime.UTC())
	}
}
Beispiel #2
0
func (eb *Winlogbeat) processEventLog(
	wg *sync.WaitGroup,
	api eventlog.EventLog,
	state checkpoint.EventLogState,
	ignoreOlder time.Duration,
) {
	defer wg.Done()

	err := api.Open(state.RecordNumber)
	if err != nil {
		logp.Warn("EventLog[%s] Open() error. No events will be read from "+
			"this source. %v", api.Name(), err)
		return
	}
	defer func() {
		err := api.Close()
		if err != nil {
			logp.Warn("EventLog[%s] Close() error. %v", api.Name(), err)
			return
		}
	}()

	debugf("EventLog[%s] opened successfully", api.Name())

loop:
	for {
		select {
		case <-eb.done:
			break loop
		default:
		}

		// Read from the event.
		records, err := api.Read()
		if err != nil {
			logp.Warn("EventLog[%s] Read() error: %v", api.Name(), err)
			break
		}
		debugf("EventLog[%s] Read() returned %d records", api.Name(), len(records))
		if len(records) == 0 {
			// TODO: Consider implementing notifications using
			// NotifyChangeEventLog instead of polling.
			time.Sleep(time.Second)
			continue
		}

		// Filter events.
		var events []common.MapStr
		for _, lr := range records {
			// TODO: Move filters close to source. Short circuit processing
			// of event if it is going to be filtered.
			// TODO: Add a severity filter.
			// TODO: Check the global IgnoreOlder filter.
			if ignoreOlder != 0 && time.Since(lr.TimeGenerated) > ignoreOlder {
				detailf("EventLog[%s] ignore_older filter dropping event: %s",
					api.Name(), lr.String())
				ignoredEvents.Add("total", 1)
				ignoredEvents.Add(api.Name(), 1)
				continue
			}

			events = append(events, lr.ToMapStr())
		}

		// Publish events.
		numEvents := int64(len(events))
		ok := eb.client.PublishEvents(events, publisher.Sync)
		if ok {
			publishedEvents.Add("total", numEvents)
			publishedEvents.Add(api.Name(), numEvents)
			logp.Info("EventLog[%s] Successfully published %d events",
				api.Name(), numEvents)
		} else {
			logp.Warn("EventLog[%s] Failed to publish %d events",
				api.Name(), numEvents)
			publishedEvents.Add("failures", 1)
		}

		eb.checkpoint.Persist(api.Name(),
			records[len(records)-1].RecordNumber,
			records[len(records)-1].TimeGenerated.UTC())
	}
}