Skip to content

Add windows event id filtering to CWAgent #1737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from

Conversation

Paamicky
Copy link
Collaborator

@Paamicky Paamicky commented Jun 18, 2025

Description of the issue

The CloudWatch Agent currently filters Windows Event Logs based on security levels (i.e Error, Critical, Information...). This does not allow customers to only collect specific and relevant logs to CloudWatch

Description of changes

  • Add Event ID filtering to the CWAgent Windows logs collection
  • Add rule for eventID validation
  • Add new files and moved some codes to new files to testing purposes

sample configuration of event ID filtering

  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "System",
            "event_ids": [4624, 4625, 4634],
            "log_group_name": "WindowsEventIds-Test",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  }
}

Caution

This PR has a testing PR linked to here: aws/amazon-cloudwatch-agent-test#541, merge this first.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

  • Added unit tests for event ID validation and processing
  • Manually tested on Windows to verify events are properly filtered by ID
  • Verified backward compatibility with existing configurations

Requirements

Before commiting your code, please do the following steps.

  1. Run make fmt and make fmt-sh
  2. Run make lint

Integration Tests

To run integration tests against this PR, add the ready for testing label.

@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch 3 times, most recently from b758b9e to 516df4e Compare June 20, 2025 16:09
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 516df4e to 2276ab2 Compare June 20, 2025 17:42
@Paamicky Paamicky marked this pull request as ready for review June 23, 2025 01:09
@Paamicky Paamicky requested a review from a team as a code owner June 23, 2025 01:09
@Paamicky Paamicky requested review from jefchien and okankoAMZ June 23, 2025 01:11
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 9d99660 to 2667175 Compare June 23, 2025 19:27
return utf16ToUTF8Bytes(renderBuf, bufferUsed)
}

func CreateBookmark(channel string, recordID uint64) (h EvtHandle, err error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we deleting this function can you explain in your PR description?

Copy link
Collaborator Author

@Paamicky Paamicky Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to a different file due to the windows build tags.


var NumberOfBytesPerCharacter = UnknownBytesPerCharacter

func RenderEventXML(eventHandle EvtHandle, renderBuf []byte) ([]byte, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay so you are moving into a different file. Please document that in your description

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright sure

if err != nil {
log.Panicf("Encode to a valid TOML config fails because of %v", err)
}
return buf.String()
}

// ensure integers in arrays are preserved
func processValue(val interface{}) interface{} {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't we have some kind of validation and returning error here. With the current implementation it seems like this function could never fail, is this true?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah used a different approach to integer verification, reverted to original main code.

Comment on lines 14 to 15
// Process value to ensure integers in arrays are preserved
processedVal := processValue(val)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. There are some other integers that aren't mangled like log retention. I wonder why those work. Perhaps because they aren't in an array? We should understand why those integers don't require additional processing.

@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch 5 times, most recently from ffba86e to a4bbe23 Compare June 24, 2025 20:47
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch 2 times, most recently from 097c665 to dc6df12 Compare June 25, 2025 17:32
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from dc6df12 to 1ab8a1a Compare June 25, 2025 21:36
@Paamicky Paamicky changed the title Feature/windows event id filtering Add Windows event id filtering to CWAgent Jul 9, 2025
@Paamicky Paamicky changed the title Add Windows event id filtering to CWAgent Add windows event id filtering to CWAgent Jul 9, 2025
@@ -1,29 +1,18 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT

//go:build windows
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why was this removed?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed for unit testing purposes. I do major testing on the windows platform but decided to create to test out my query.

ind, err := strconv.Atoi(rawMessage[prevIndex+1:])
if searchingIndex && err == nil && ind <= len(evtDataValues) && ind > 0 {
sb.WriteString(evtDataValues[ind-1].Value)
//Ignore events older than 2 weeks
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

whats the reasoning for having a cut-off of 2 weeks?

Copy link
Collaborator Author

@Paamicky Paamicky Jul 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an already existing agent behavior. I assume they wouldn't want the agent to collect and process older logs.

if searchingIndex && err == nil && ind <= len(evtDataValues) && ind > 0 {
sb.WriteString(evtDataValues[ind-1].Value)
//Ignore events older than 2 weeks
cutOffPeriod := (time.Hour * 24 * 14).Nanoseconds()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we make this a const?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 5c8f615 to 10f9f0a Compare July 11, 2025 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants