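// Run starts one reader goroutine per configured event log (via
// eb.processEventLog, defined elsewhere in this package) and blocks until
// every reader has returned.
//
// Every ignore_older value is parsed before the first reader is started, so
// an invalid setting fails Run as a whole and no goroutine is left running
// behind an error return. The previous version discarded the parse error and
// carried on with whatever duration came back.
//
// The beat parameter b is currently unused.
//
// TODO: Persist last published RecordNumber for each event log so that
// when restarted, winlogbeat resumes from the last read event. This should
// provide at-least-once publish semantics.
//
// TODO: If no event_logs are specified in the configuration, use the
// Windows registry to discover the available event logs.
func (eb *Winlogbeat) Run(b *beat.Beat) error {
	// Initialize metrics.
	publishedEvents.Add("total", 0)
	publishedEvents.Add("failures", 0)
	ignoredEvents.Add("total", 0)

	var wg sync.WaitGroup

	// Readers are collected first and started only once every log's
	// configuration has been accepted. api and ignoreOlder are declared
	// inside the loop body, so each closure captures its own copies.
	var start []func()
	for _, cfg := range eb.config.Winlogbeat.EventLogs {
		debugf("Initializing EventLog[%s]", cfg.Name)

		ignoreOlder, err := config.IgnoreOlderDuration(cfg.IgnoreOlder)
		if err != nil {
			// Do not run with a silently defaulted filter on a bad setting.
			return err
		}

		api := eventlog.NewEventLoggingAPI(cfg.Name)
		eb.eventLogs = append(eb.eventLogs, api)

		// Initialize per event log metrics.
		publishedEvents.Add(cfg.Name, 0)
		ignoredEvents.Add(cfg.Name, 0)

		start = append(start, func() {
			wg.Add(1)
			go eb.processEventLog(&wg, api, ignoreOlder)
		})
	}

	// Start a goroutine for each event log.
	for _, launch := range start {
		launch()
	}
	wg.Wait()
	return nil
}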
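// Run loads the persisted checkpoint state, starts one reader goroutine per
// configured event log (via eb.processEventLog, defined elsewhere in this
// package) and blocks until every reader has returned, then shuts the
// checkpoint down.
//
// Every ignore_older value is parsed before the first reader is started, so
// an invalid setting fails Run as a whole and no goroutine is left running
// behind an error return. The previous version discarded the parse error.
// Checkpoint shutdown is deferred so it also happens on that error path.
//
// The beat parameter b is currently unused.
//
// TODO: If no event_logs are specified in the configuration, use the
// Windows registry to discover the available event logs.
func (eb *Winlogbeat) Run(b *beat.Beat) error {
	persistedState := eb.checkpoint.States()
	defer eb.checkpoint.Shutdown()

	// Initialize metrics.
	publishedEvents.Add("total", 0)
	publishedEvents.Add("failures", 0)
	ignoredEvents.Add("total", 0)

	var wg sync.WaitGroup

	// Readers are collected first and started only once every log's
	// configuration has been accepted. api, state and ignoreOlder are
	// declared inside the loop body, so each closure captures its own copies.
	var start []func()
	for _, cfg := range eb.config.Winlogbeat.EventLogs {
		debugf("Initializing EventLog[%s]", cfg.Name)

		ignoreOlder, err := config.IgnoreOlderDuration(cfg.IgnoreOlder)
		if err != nil {
			// Do not run with a silently defaulted filter on a bad setting.
			return err
		}

		api := eventlog.NewEventLoggingAPI(cfg.Name)
		eb.eventLogs = append(eb.eventLogs, api)

		// A log with no saved checkpoint gets the zero-value state;
		// presumably processEventLog treats that as "start fresh" — confirm.
		state := persistedState[cfg.Name]

		// Initialize per event log metrics.
		publishedEvents.Add(cfg.Name, 0)
		ignoredEvents.Add(cfg.Name, 0)

		start = append(start, func() {
			wg.Add(1)
			go eb.processEventLog(&wg, api, state, ignoreOlder)
		})
	}

	// Start a goroutine for each event log.
	for _, launch := range start {
		launch()
	}
	wg.Wait()
	return nil
}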
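// Run opens every configured Windows event log, reads records from each in
// its own goroutine, publishes them through eb.client, and blocks until all
// readers have stopped (eb.stop set, Open() failure, or a Read() error).
//
// Changes from the previous version of this function:
//   - wg.Add(1) now runs before the goroutine is started. It used to run
//     after `go`, so a reader whose Open() failed could call wg.Done() first,
//     driving the counter negative (panic) or letting wg.Wait() return while
//     other readers were still running.
//   - The ignore_older parse error is no longer discarded; a bad value fails
//     Run before any reader is started, so none is left running behind the
//     error return.
//   - The publish-failure warning passed "winlogbeat" as the format string,
//     so the event log name and count were never printed.
//   - The "failures" metric is registered once instead of once per log, and
//     a batch that filtering emptied is not handed to the publisher.
//
// The beat parameter b is currently unused.
//
// TODO: Persist last published RecordNumber for each event log so that
// when restarted, winlogbeat resumes from the last read event. This should
// provide at-least-once publish semantics.
//
// TODO: If no event_logs are specified in the configuration, use the
// Windows registry to discover the available event logs.
func (eb *Winlogbeat) Run(b *beat.Beat) error {
	publishedEvents.Add("total", 0)
	publishedEvents.Add("failures", 0)
	ignoredEvents.Add("total", 0)

	var wg sync.WaitGroup

	// process is the body of one reader goroutine. It owns the Open/Close of
	// api and always releases its WaitGroup slot, whichever way it exits.
	process := func(api eventlog.EventLoggingAPI, ignoreOlder time.Duration) {
		defer wg.Done()

		if err := api.Open(0); err != nil {
			logp.Warn("EventLog[%s] Open() error: %v", api.Name(), err)
			return
		}
		defer api.Close()
		logp.Debug("winlogbeat", "EventLog[%s] opened successfully", api.Name())

		for !eb.stop.Get() {
			records, err := api.Read()
			if err != nil {
				// A Read() error ends this reader; there is no retry, so the
				// log is not read again until winlogbeat restarts.
				logp.Warn("EventLog[%s] Read() error: %v", api.Name(), err)
				return
			}
			logp.Debug("winlogbeat", "EventLog[%s] Read() returned %d "+
				"records.", api.Name(), len(records))
			if len(records) == 0 {
				// Nothing new: back off before polling again. This delays the
				// reaction to eb.stop by up to one second.
				time.Sleep(time.Second)
				continue
			}

			// TODO: Move filters close to source. Short circuit processing
			// of event if it is going to be filtered.
			// TODO: Add a severity filter.
			// TODO: Check the global IgnoreOlder filter.
			var events []common.MapStr
			for _, lr := range records {
				// ignoreOlder == 0 disables the age filter. Age is judged from
				// the record's own TimeGenerated, i.e. the timestamp carried by
				// the log itself, not the time winlogbeat read it.
				if ignoreOlder != 0 && time.Since(lr.TimeGenerated) > ignoreOlder {
					logp.Debug("winlogbeat", "ignoreOlder filter dropping "+
						"event: %s", lr.String())
					ignoredEvents.Add("total", 1)
					ignoredEvents.Add(api.Name(), 1)
					continue
				}
				events = append(events, lr.ToMapStr())
			}
			if len(events) == 0 {
				// Everything was filtered; nothing to publish.
				continue
			}

			numEvents := int64(len(events))
			if eb.client.PublishEvents(events, publisher.Sync) {
				publishedEvents.Add("total", numEvents)
				publishedEvents.Add(api.Name(), numEvents)
				logp.Debug("winlogbeat", "EventLog[%s] Successfully "+
					"published %d events.", api.Name(), numEvents)
			} else {
				// A rejected batch is not retried here; from winlogbeat's
				// point of view those records are gone (see the TODO above).
				logp.Warn("EventLog[%s] Failed to publish %d events.",
					api.Name(), numEvents)
				publishedEvents.Add("failures", 1)
			}
		}
	}

	// Readers are collected first and started only once every log's
	// configuration has been accepted. api and ignoreOlder are declared
	// inside the loop body, so each closure captures its own copies.
	var start []func()
	for _, cfg := range eb.config.Winlogbeat.EventLogs {
		logp.Debug("winlogbeat", "Creating event log for %s.", cfg.Name)

		ignoreOlder, err := config.IgnoreOlderDuration(cfg.IgnoreOlder)
		if err != nil {
			// Do not run with a silently defaulted filter on a bad setting.
			return err
		}

		api := eventlog.NewEventLoggingAPI(cfg.Name)
		eb.eventLogs = append(eb.eventLogs, api)
		publishedEvents.Add(cfg.Name, 0)
		ignoredEvents.Add(cfg.Name, 0)

		start = append(start, func() {
			wg.Add(1)
			go process(api, ignoreOlder)
		})
	}

	for _, launch := range start {
		launch()
	}
	wg.Wait()
	return nil
}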