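// processEventLog reads records from one Windows event log and publishes them
// until eb.done is closed or Read() fails. It is meant to run in its own
// goroutine and calls wg.Done() on exit.
//
// Flow: Open() the log at the checkpointed record number, then loop
// read -> publish -> persist. The checkpoint is written only after
// PublishEvents returned ok, so a shutdown between read and publish leaves the
// checkpoint at the last acknowledged record and those records are read again
// from state.RecordNumber on the next Open(). Duplicates are therefore
// possible, but the audit trail never gets a silent gap.
//
// Parameters:
//   wg    - signalled via Done() when this goroutine exits.
//   api   - the event log to read.
//   state - persisted position to resume from (state.RecordNumber).
func (eb *Winlogbeat) processEventLog(
	wg *sync.WaitGroup,
	api eventlog.EventLog,
	state checkpoint.EventLogState,
) {
	defer wg.Done()

	if err := api.Open(state.RecordNumber); err != nil {
		logp.Warn("EventLog[%s] Open() error. No events will be read from "+
			"this source. %v", api.Name(), err)
		return
	}
	defer func() {
		logp.Info("EventLog[%s] Stop processing.", api.Name())
		if err := api.Close(); err != nil {
			logp.Warn("EventLog[%s] Close() error. %v", api.Name(), err)
		}
	}()
	debugf("EventLog[%s] opened successfully", api.Name())

	for {
		// Non-blocking shutdown check before every read.
		select {
		case <-eb.done:
			return
		default:
		}

		records, err := api.Read()
		if err != nil {
			// A read failure ends this source; the deferred Close() still runs.
			logp.Warn("EventLog[%s] Read() error: %v", api.Name(), err)
			return
		}
		debugf("EventLog[%s] Read() returned %d records", api.Name(), len(records))

		if len(records) == 0 {
			// TODO: Consider implementing notifications using
			// NotifyChangeEventLog instead of polling.
			//
			// Idle poll interval. Waiting in a select instead of a plain
			// time.Sleep keeps shutdown prompt rather than delaying it by up
			// to one second per idle source.
			select {
			case <-eb.done:
				return
			case <-time.After(time.Second):
			}
			continue
		}

		events := make([]common.MapStr, 0, len(records))
		for _, rec := range records {
			events = append(events, rec.ToMapStr())
		}

		count := int64(len(events))
		if !eb.client.PublishEvents(events, publisher.Sync, publisher.Guaranteed) {
			// With Sync and Guaranteed, ok is false only on shutdown. The
			// checkpoint must NOT advance here: these records were not
			// delivered and have to be re-read on the next start.
			return
		}
		publishedEvents.Add("total", count)
		publishedEvents.Add(api.Name(), count)
		logp.Info("EventLog[%s] Successfully published %d events", api.Name(), count)

		// Persist only after the publisher acknowledged the batch (see above).
		last := records[len(records)-1]
		eb.checkpoint.Persist(api.Name(), last.RecordID, last.TimeCreated.SystemTime.UTC())
	}
}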
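// processEventLog reads records from one Windows event log, drops those older
// than ignoreOlder, and publishes the rest until eb.done is closed, Read()
// fails, or a publish fails. It is meant to run in its own goroutine and calls
// wg.Done() on exit.
//
// Parameters:
//   wg          - signalled via Done() when this goroutine exits.
//   api         - the event log to read.
//   state       - persisted position to resume from (state.RecordNumber).
//   ignoreOlder - records whose TimeGenerated is further in the past than
//                 this duration are dropped and counted in ignoredEvents;
//                 0 disables the filter.
//
// Checkpoint rule: the checkpoint is persisted only after PublishEvents
// returned ok. Persisting it after a failed publish would make the next
// Open() skip records that never left the host -- a silent gap in the audit
// trail. Because Read() has already consumed the failed batch, the only way
// to recover it is a re-read from the last good checkpoint, so on a failed
// publish this source stops with the checkpoint still at the last published
// record.
// NOTE(review): if the publisher can fail transiently (not only on
// shutdown), a bounded retry of the same batch here would be preferable to
// stopping the source -- confirm against the publisher's Sync semantics.
func (eb *Winlogbeat) processEventLog(
	wg *sync.WaitGroup,
	api eventlog.EventLog,
	state checkpoint.EventLogState,
	ignoreOlder time.Duration,
) {
	defer wg.Done()

	if err := api.Open(state.RecordNumber); err != nil {
		logp.Warn("EventLog[%s] Open() error. No events will be read from "+
			"this source. %v", api.Name(), err)
		return
	}
	defer func() {
		if err := api.Close(); err != nil {
			logp.Warn("EventLog[%s] Close() error. %v", api.Name(), err)
		}
	}()
	debugf("EventLog[%s] opened successfully", api.Name())

	for {
		// Non-blocking shutdown check before every read.
		select {
		case <-eb.done:
			return
		default:
		}

		records, err := api.Read()
		if err != nil {
			// A read failure ends this source; the deferred Close() still runs.
			logp.Warn("EventLog[%s] Read() error: %v", api.Name(), err)
			return
		}
		debugf("EventLog[%s] Read() returned %d records", api.Name(), len(records))

		if len(records) == 0 {
			// TODO: Consider implementing notifications using
			// NotifyChangeEventLog instead of polling.
			//
			// Idle poll interval. Waiting in a select instead of a plain
			// time.Sleep keeps shutdown prompt rather than delaying it by up
			// to one second per idle source.
			select {
			case <-eb.done:
				return
			case <-time.After(time.Second):
			}
			continue
		}

		// Filter events.
		// TODO: Move filters close to source. Short circuit processing
		// of event if it is going to be filtered.
		// TODO: Add a severity filter.
		// TODO: Check the global IgnoreOlder filter.
		var events []common.MapStr
		for _, rec := range records {
			if ignoreOlder != 0 && time.Since(rec.TimeGenerated) > ignoreOlder {
				detailf("EventLog[%s] ignore_older filter dropping event: %s", api.Name(), rec.String())
				ignoredEvents.Add("total", 1)
				ignoredEvents.Add(api.Name(), 1)
				continue
			}
			events = append(events, rec.ToMapStr())
		}

		count := int64(len(events))
		if !eb.client.PublishEvents(events, publisher.Sync) {
			logp.Warn("EventLog[%s] Failed to publish %d events", api.Name(), count)
			publishedEvents.Add("failures", 1)
			// Do not persist the checkpoint for records that were not
			// published; stop so they are re-read from the last good
			// checkpoint next time (see the checkpoint rule above).
			return
		}
		publishedEvents.Add("total", count)
		publishedEvents.Add(api.Name(), count)
		logp.Info("EventLog[%s] Successfully published %d events", api.Name(), count)

		// Persist only after the publisher acknowledged the batch. Dropped
		// (ignore_older) records are covered too: they were read and
		// intentionally discarded, so skipping them on restart is correct.
		last := records[len(records)-1]
		eb.checkpoint.Persist(api.Name(), last.RecordNumber, last.TimeGenerated.UTC())
	}
}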