diff options
Diffstat (limited to 'fluent-bit/plugins/in_winevtlog/in_winevtlog.c')
-rw-r--r-- | fluent-bit/plugins/in_winevtlog/in_winevtlog.c | 279 |
1 files changed, 279 insertions, 0 deletions
diff --git a/fluent-bit/plugins/in_winevtlog/in_winevtlog.c b/fluent-bit/plugins/in_winevtlog/in_winevtlog.c new file mode 100644 index 00000000..60c5bcec --- /dev/null +++ b/fluent-bit/plugins/in_winevtlog/in_winevtlog.c @@ -0,0 +1,279 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ + +/* Fluent Bit + * ========== + * Copyright (C) 2019-2021 The Fluent Bit Authors + * Copyright (C) 2015-2018 Treasure Data Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <fluent-bit/flb_compat.h> +#include <fluent-bit/flb_input_plugin.h> +#include <fluent-bit/flb_kernel.h> +#include <fluent-bit/flb_pack.h> +#include <fluent-bit/flb_utils.h> +#include <fluent-bit/flb_sqldb.h> +#include "winevtlog.h" + +#define DEFAULT_INTERVAL_SEC 1 +#define DEFAULT_INTERVAL_NSEC 0 +#define DEFAULT_THRESHOLD_SIZE 0x7ffff /* Default reading buffer size (512kb) */ + +static int in_winevtlog_collect(struct flb_input_instance *ins, + struct flb_config *config, void *in_context); + +static int in_winevtlog_init(struct flb_input_instance *in, + struct flb_config *config, void *data) +{ + int ret; + const char *tmp; + int read_existing_events = FLB_FALSE; + struct mk_list *head; + struct winevtlog_channel *ch; + struct winevtlog_config *ctx; + + /* Initialize context */ + ctx = flb_calloc(1, sizeof(struct winevtlog_config)); + if (ctx == NULL) { + flb_errno(); + return -1; + } + ctx->ins = in; + + ctx->log_encoder = flb_log_event_encoder_create(FLB_LOG_EVENT_FORMAT_DEFAULT); + + if (ctx->log_encoder == NULL) { + flb_plg_error(in, "could not initialize event encoder"); + flb_free(ctx); + + return NULL; + } + + /* Load the config map */ + ret = flb_input_config_map_set(in, (void *) ctx); + if (ret == -1) { + flb_log_event_encoder_destroy(ctx->log_encoder); + flb_free(ctx); + return -1; + } + + /* Set up total reading size threshold */ + ctx->total_size_threshold = DEFAULT_THRESHOLD_SIZE; + + /* Open channels */ + tmp = flb_input_get_property("channels", in); + if (!tmp) { + flb_plg_debug(ctx->ins, "no channel provided. listening to 'Application'"); + tmp = "Application"; + } + + ctx->active_channel = winevtlog_open_all(tmp, ctx); + if (!ctx->active_channel) { + flb_plg_error(ctx->ins, "failed to open channels"); + flb_log_event_encoder_destroy(ctx->log_encoder); + flb_free(ctx); + return -1; + } + + /* Initialize SQLite DB (optional) */ + tmp = flb_input_get_property("db", in); + if (tmp) { + ctx->db = flb_sqldb_open(tmp, in->name, config); + if (!ctx->db) { + flb_plg_error(ctx->ins, "could not open/create database"); + winevtlog_close_all(ctx->active_channel); + flb_log_event_encoder_destroy(ctx->log_encoder); + flb_free(ctx); + return -1; + } + + ret = flb_sqldb_query(ctx->db, SQL_CREATE_CHANNELS, NULL, NULL); + if (ret != FLB_OK) { + flb_plg_error(ctx->ins, "could not create 'channels' table"); + flb_sqldb_close(ctx->db); + winevtlog_close_all(ctx->active_channel); + flb_log_event_encoder_destroy(ctx->log_encoder); + flb_free(ctx); + return -1; + } + + mk_list_foreach(head, ctx->active_channel) { + ch = mk_list_entry(head, struct winevtlog_channel, _head); + winevtlog_sqlite_load(ch, ctx->db); + flb_plg_debug(ctx->ins, "load channel<%s time=%u>", + ch->name, ch->time_created); + } + } + + /* Set the context */ + flb_input_set_context(in, ctx); + + /* Set the collector */ + ret = flb_input_set_collector_time(in, + in_winevtlog_collect, + ctx->interval_sec, + ctx->interval_nsec, + config); + if (ret == -1) { + flb_plg_error(ctx->ins, "could not set up a collector"); + } + ctx->coll_fd = ret; + + return 0; +} + +static int in_winevtlog_read_channel(struct flb_input_instance *ins, + struct winevtlog_config *ctx, + struct winevtlog_channel *ch) +{ + unsigned int read; + + if (winevtlog_read(ch, ctx, &read)) { + flb_plg_error(ctx->ins, "failed to read '%s'", ch->name); + return -1; + } + if (read == 0) { + return 0; + } + flb_plg_debug(ctx->ins, "read %u bytes from '%s'", read, ch->name); + + if (ctx->db) { + ch->time_updated = time(NULL); + flb_plg_debug(ctx->ins, "save channel<%s time=%u>", + ch->name, ch->time_updated); + winevtlog_sqlite_save(ch, ctx->db); + } + + if (ctx->log_encoder->output_length > 0) { + flb_input_log_append(ctx->ins, NULL, 0, + ctx->log_encoder->output_buffer, + ctx->log_encoder->output_length); + } + + flb_log_event_encoder_reset(ctx->log_encoder); + + return 0; +} + +static int in_winevtlog_collect(struct flb_input_instance *ins, + struct flb_config *config, void *in_context) +{ + struct winevtlog_config *ctx = in_context; + struct mk_list *head; + struct winevtlog_channel *ch; + + mk_list_foreach(head, ctx->active_channel) { + ch = mk_list_entry(head, struct winevtlog_channel, _head); + in_winevtlog_read_channel(ins, ctx, ch); + } + return 0; +} + +static void in_winevtlog_pause(void *data, struct flb_config *config) +{ + struct winevtlog_config *ctx = data; + flb_input_collector_pause(ctx->coll_fd, ctx->ins); +} + +static void in_winevtlog_resume(void *data, struct flb_config *config) +{ + struct winevtlog_config *ctx = data; + flb_input_collector_resume(ctx->coll_fd, ctx->ins); +} + +static int in_winevtlog_exit(void *data, struct flb_config *config) +{ + struct winevtlog_config *ctx = data; + + if (!ctx) { + return 0; + } + + winevtlog_close_all(ctx->active_channel); + + if (ctx->db) { + flb_sqldb_close(ctx->db); + } + flb_free(ctx); + + return 0; +} + +static struct flb_config_map config_map[] = { + { + FLB_CONFIG_MAP_STR, "channels", NULL, + 0, FLB_FALSE, 0, + "Specify a comma-separated list of channels to read from" + }, + { + FLB_CONFIG_MAP_STR, "db", NULL, + 0, FLB_FALSE, 0, + "Specify DB file to save read offsets" + }, + { + FLB_CONFIG_MAP_TIME, "interval_sec", "1s", + 0, FLB_TRUE, offsetof(struct winevtlog_config, interval_sec), + "Set the polling interval for each channel" + }, + { + FLB_CONFIG_MAP_INT, "interval_nsec", "0", + 0, FLB_TRUE, offsetof(struct winevtlog_config, interval_nsec), + "Set the polling interval for each channel (sub seconds)" + }, + { + FLB_CONFIG_MAP_BOOL, "string_inserts", "true", + 0, FLB_TRUE, offsetof(struct winevtlog_config, string_inserts), + "Whether to include StringInserts in output records" + }, + { + FLB_CONFIG_MAP_BOOL, "read_existing_events", "false", + 0, FLB_TRUE, offsetof(struct winevtlog_config, read_existing_events), + "Whether to consume at oldest records in channels" + }, + { + FLB_CONFIG_MAP_BOOL, "render_event_as_xml", "false", + 0, FLB_TRUE, offsetof(struct winevtlog_config, render_event_as_xml), + "Whether to consume at oldest records in channels" + }, + { + FLB_CONFIG_MAP_BOOL, "use_ansi", "false", + 0, FLB_TRUE, offsetof(struct winevtlog_config, use_ansi), + "Use ANSI encoding on eventlog messages" + }, + { + FLB_CONFIG_MAP_BOOL, "ignore_missing_channels", "false", + 0, FLB_TRUE, offsetof(struct winevtlog_config, ignore_missing_channels), + "Whether to ignore channels missing in eventlog" + }, + { + FLB_CONFIG_MAP_STR, "event_query", "*", + 0, FLB_TRUE, offsetof(struct winevtlog_config, event_query), + "Specify XML query for filtering events" + }, + /* EOF */ + {0} +}; + +struct flb_input_plugin in_winevtlog_plugin = { + .name = "winevtlog", + .description = "Windows EventLog using winevt.h API", + .cb_init = in_winevtlog_init, + .cb_pre_run = NULL, + .cb_collect = in_winevtlog_collect, + .cb_flush_buf = NULL, + .cb_pause = in_winevtlog_pause, + .cb_resume = in_winevtlog_resume, + .cb_exit = in_winevtlog_exit, + .config_map = config_map +}; |