// Run starts one reader goroutine per configured event log and blocks until
// all of them have returned. The *beat.Beat argument is currently unused.
//
// Run always returns nil; per-log failures are handled inside
// processEventLog rather than propagated.
func (eb *Winlogbeat) Run(b *beat.Beat) error {
	// TODO: Persist last published RecordNumber for each event log so that
	// when restarted, winlogbeat resumes from the last read event. This should
	// provide at-least-once publish semantics.

	// Aggregate metrics. Add(key, 0) only registers the key so it is
	// reported even when nothing is ever counted against it.
	for _, key := range []string{"total", "failures"} {
		publishedEvents.Add(key, 0)
	}
	ignoredEvents.Add("total", 0)

	// TODO: If no event_logs are specified in the configuration, use the
	// Windows registry to discover the available event logs.
	logs := eb.config.Winlogbeat.EventLogs

	var readers sync.WaitGroup
	readers.Add(len(logs))
	for _, cfg := range logs {
		debugf("Initializing EventLog[%s]", cfg.Name)

		api := eventlog.NewEventLoggingAPI(cfg.Name)
		eb.eventLogs = append(eb.eventLogs, api)

		// NOTE(review): a malformed ignore_older value is silently replaced by
		// the zero duration (filter disabled); presumably validated when the
		// config was loaded — confirm.
		ignoreOlder, _ := config.IgnoreOlderDuration(cfg.IgnoreOlder)

		// Per event log metrics.
		publishedEvents.Add(cfg.Name, 0)
		ignoredEvents.Add(cfg.Name, 0)

		// One reader goroutine per event log; it calls readers.Done when it
		// finishes.
		go eb.processEventLog(&readers, api, ignoreOlder)
	}

	readers.Wait()
	return nil
}
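// Run resumes each configured event log from its persisted checkpoint state,
// starts one reader goroutine per log and blocks until all of them have
// returned, then shuts the checkpoint writer down.
//
// The *beat.Beat argument is currently unused. Run always returns nil;
// per-log failures are handled inside processEventLog.
func (eb *Winlogbeat) Run(b *beat.Beat) error {
	persistedState := eb.checkpoint.States()

	// Aggregate metrics. Add(key, 0) only registers the key so it is
	// reported even when nothing is ever counted against it.
	publishedEvents.Add("total", 0)
	publishedEvents.Add("failures", 0)
	ignoredEvents.Add("total", 0)

	var wg sync.WaitGroup

	// TODO: If no event_logs are specified in the configuration, use the
	// Windows registry to discover the available event logs.
	for _, eventLogConfig := range eb.config.Winlogbeat.EventLogs {
		debugf("Initializing EventLog[%s]", eventLogConfig.Name)

		eventLogAPI := eventlog.NewEventLoggingAPI(eventLogConfig.Name)
		eb.eventLogs = append(eb.eventLogs, eventLogAPI)

		// A log without a checkpoint yet gets the zero-value state, which a
		// plain map lookup already yields; the ok flag was never consulted.
		state := persistedState[eventLogConfig.Name]

		// NOTE(review): a malformed ignore_older value is silently replaced by
		// the zero duration (filter disabled); presumably validated when the
		// config was loaded — confirm.
		ignoreOlder, _ := config.IgnoreOlderDuration(eventLogConfig.IgnoreOlder)

		// Per event log metrics.
		publishedEvents.Add(eventLogConfig.Name, 0)
		ignoredEvents.Add(eventLogConfig.Name, 0)

		// Add before starting the goroutine so Done can never run ahead of it.
		wg.Add(1)
		go eb.processEventLog(&wg, eventLogAPI, state, ignoreOlder)
	}

	wg.Wait()
	// All readers have stopped, so no further checkpoint updates can arrive.
	eb.checkpoint.Shutdown()
	return nil
}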
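// Run starts one reader goroutine per configured event log and blocks until
// every reader has stopped (open failure, read error, or eb.stop set).
//
// The *beat.Beat argument is currently unused. Run always returns nil;
// per-log failures are logged by pollEventLog rather than propagated.
func (eb *Winlogbeat) Run(b *beat.Beat) error {
	// TODO: Persist last published RecordNumber for each event log so that
	// when restarted, winlogbeat resumes from the last read event. This should
	// provide at-least-once publish semantics.

	// Aggregate metrics. Add(key, 0) only registers the key so it is
	// reported even when nothing is ever counted against it. "failures" is
	// registered once here instead of on every loop iteration.
	publishedEvents.Add("total", 0)
	publishedEvents.Add("failures", 0)
	ignoredEvents.Add("total", 0)

	var wg sync.WaitGroup

	// TODO: If no event_logs are specified in the configuration, use the
	// Windows registry to discover the available event logs.
	for _, eventLogConfig := range eb.config.Winlogbeat.EventLogs {
		logp.Debug("winlogbeat", "Creating event log for %s.",
			eventLogConfig.Name)
		eventLogAPI := eventlog.NewEventLoggingAPI(eventLogConfig.Name)

		// NOTE(review): a malformed ignore_older value is silently replaced by
		// the zero duration (filter disabled); presumably validated when the
		// config was loaded — confirm.
		ignoreOlder, _ := config.IgnoreOlderDuration(eventLogConfig.IgnoreOlder)
		eb.eventLogs = append(eb.eventLogs, eventLogAPI)

		// Per event log metrics.
		publishedEvents.Add(eventLogConfig.Name, 0)
		ignoredEvents.Add(eventLogConfig.Name, 0)

		// Add must precede the go statement: the original called Add after
		// starting the goroutine, so a fast Done could make Wait return early
		// or drive the counter negative and panic.
		wg.Add(1)
		go eb.pollEventLog(&wg, eventLogAPI, ignoreOlder)
	}

	wg.Wait()
	return nil
}

// pollEventLog opens api, then reads and publishes batches of records until
// eb.stop is set or a read fails. Records older than ignoreOlder (when
// non-zero) are dropped and counted in ignoredEvents. wg.Done runs on every
// exit path, including an Open failure.
func (eb *Winlogbeat) pollEventLog(wg *sync.WaitGroup, api eventlog.EventLoggingAPI, ignoreOlder time.Duration) {
	defer wg.Done()

	if err := api.Open(0); err != nil {
		logp.Warn("EventLog[%s] Open() error: %v", api.Name(), err)
		return
	}
	defer api.Close()

	logp.Debug("winlogbeat", "EventLog[%s] opened successfully",
		api.Name())

	for !eb.stop.Get() {
		records, err := api.Read()
		if err != nil {
			// A read error ends this log's reader; the other logs keep running.
			logp.Warn("EventLog[%s] Read() error: %v", api.Name(), err)
			return
		}

		logp.Debug("winlogbeat", "EventLog[%s] Read() returned %d "+
			"records.", api.Name(), len(records))
		if len(records) == 0 {
			// Nothing new; back off before polling again. The sleep is not
			// interruptible, so a stop request may take up to a second to
			// be honored.
			time.Sleep(time.Second)
			continue
		}

		var events []common.MapStr
		for _, lr := range records {
			// TODO: Move filters close to source. Short circuit processing
			// of event if it is going to be filtered.
			// TODO: Add a severity filter.
			// TODO: Check the global IgnoreOlder filter.
			if ignoreOlder != 0 && time.Since(lr.TimeGenerated) > ignoreOlder {
				logp.Debug("winlogbeat", "ignoreOlder filter dropping "+
					"event: %s", lr.String())
				ignoredEvents.Add("total", 1)
				ignoredEvents.Add(api.Name(), 1)
				continue
			}

			events = append(events, lr.ToMapStr())
		}

		// Every record in the batch may have been filtered out; skip the
		// synchronous publish round trip for an empty batch.
		if len(events) == 0 {
			continue
		}
		eb.publishBatch(api.Name(), events)
	}
}

// publishBatch synchronously publishes events for the event log called name
// and updates the published/failure counters. A failed batch counts as one
// failure, not len(events) failures.
func (eb *Winlogbeat) publishBatch(name string, events []common.MapStr) {
	numEvents := int64(len(events))
	if !eb.client.PublishEvents(events, publisher.Sync) {
		// The original passed "winlogbeat" as the format string, so the
		// message was never formatted; Warn takes (format, args...).
		logp.Warn("EventLog[%s] Failed to publish %d events.", name, numEvents)
		publishedEvents.Add("failures", 1)
		return
	}
	publishedEvents.Add("total", numEvents)
	publishedEvents.Add(name, numEvents)
	logp.Debug("winlogbeat", "EventLog[%s] Successfully published %d events.",
		name, numEvents)
}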