Skip to content

Feature/windows event id filtering #1737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: main
Choose a base branch
from

Conversation

Paamicky
Copy link
Collaborator

@Paamicky Paamicky commented Jun 18, 2025

Description of the issue

The CloudWatch Agent currently filters Windows Event Logs based on security levels (i.e Error, Critical, Information...). This does not allow customers to only collect specific and relevant logs to CloudWatch

Description of changes

  • Add Event ID filtering to the CWAgent Windows logs collection
  • Add rule for eventID validation
  • Add new files and moved some codes to new files to testing purposes

sample configuration of event ID filtering

  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "System",
            "event_ids": [4624, 4625, 4634],
            "log_group_name": "WindowsEventIds-Test",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  }
}

Caution

This PR has a testing PR linked to here: aws/amazon-cloudwatch-agent-test#541, merge this first.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

  • Added unit tests for event ID validation and processing
  • Manually tested on Windows to verify events are properly filtered by ID
  • Verified backward compatibility with existing configurations

Requirements

Before commiting your code, please do the following steps.

  1. Run make fmt and make fmt-sh
  2. Run make lint

Integration Tests

To run integration tests against this PR, add the ready for testing label.

@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch 3 times, most recently from b758b9e to 516df4e Compare June 20, 2025 16:09
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 516df4e to 2276ab2 Compare June 20, 2025 17:42
@Paamicky Paamicky marked this pull request as ready for review June 23, 2025 01:09
@Paamicky Paamicky requested a review from a team as a code owner June 23, 2025 01:09
@Paamicky Paamicky requested review from jefchien and okankoAMZ June 23, 2025 01:11
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 9d99660 to 2667175 Compare June 23, 2025 19:27
@@ -61,6 +61,7 @@ func (s *Plugin) SampleConfig() string {
[[inputs.windows_event_log.event_config]]
event_name = "System"
event_levels = ["2", "3"]
event_ids = [1001, 1002]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are these event ids what are they representing, can we comment that here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are generic event ids to show how the final sampleConfig of the Toml will look like. it serves as documentation and example config for users of the Windows event Log plugin. So I just add the event id since it is a feature now.

@@ -36,34 +25,7 @@ const (
UNKNOWN = "UNKNOWN"
)

var NumberOfBytesPerCharacter = UnknownBytesPerCharacter

func RenderEventXML(eventHandle EvtHandle, renderBuf []byte) ([]byte, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we deleting this function can you explain in your PR description?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just moved them to a different file due to the windows build tags. I wanted run some test on the linux environment so it doesn't skip those tests.

return utf16ToUTF8Bytes(renderBuf, bufferUsed)
}

func CreateBookmark(channel string, recordID uint64) (h EvtHandle, err error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we deleting this function can you explain in your PR description?

Copy link
Collaborator Author

@Paamicky Paamicky Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to a different file due to the windows build tags.


func WindowsEventLogLevelName(levelId int32) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we deleting this function can you explain in your PR description?

Copy link
Collaborator Author

@Paamicky Paamicky Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to a different file due to the windows build tags.


var NumberOfBytesPerCharacter = UnknownBytesPerCharacter

func RenderEventXML(eventHandle EvtHandle, renderBuf []byte) ([]byte, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay so you are moving into a different file. Please document that in your description

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright sure

if err != nil {
log.Panicf("Encode to a valid TOML config fails because of %v", err)
}
return buf.String()
}

// ensure integers in arrays are preserved
func processValue(val interface{}) interface{} {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't we have some kind of validation and returning error here. With the current implementation it seems like this function could never fail, is this true?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah used a different approach to integer verification, reverted to original main code.

Comment on lines -98 to -100
if eventLevels, ok := result[EventLevelsKey]; !ok {
return
} else {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this change now, we keep going when the eventLevel is missing. Is this intentional?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the eventLevel is missing it will proceed to check the for eventids, actually this still sets eventlevels to an empty slice of string instead of nil, I will fix this.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done!

Comment on lines 14 to 15
// Process value to ensure integers in arrays are preserved
processedVal := processValue(val)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. There are some other integers that aren't mangled like log retention. I wonder why those work. Perhaps because they aren't in an array? We should understand why those integers don't require additional processing.

@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch 5 times, most recently from ffba86e to a4bbe23 Compare June 24, 2025 20:47
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch 2 times, most recently from 097c665 to dc6df12 Compare June 25, 2025 17:32
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from dc6df12 to 1ab8a1a Compare June 25, 2025 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants