Feature/windows event id filtering

[Paamicky]

Description of the issue

The CloudWatch Agent currently filters Windows Event Logs based on security levels (i.e Error, Critical, Information...). This does not allow customers to only collect specific and relevant logs to CloudWatch

Description of changes

• Add Event ID filtering to the CWAgent Windows logs collection
• Add rule for eventID validation
• Add new files and moved some codes to new files to testing purposes

sample configuration of event ID filtering

  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "System",
            "event_ids": [4624, 4625, 4634],
            "log_group_name": "WindowsEventIds-Test",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  }
}

Caution

This PR has a testing PR linked to here: aws/amazon-cloudwatch-agent-test#541, merge this first.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

• Added unit tests for event ID validation and processing
• Manually tested on Windows to verify events are properly filtered by ID
• Verified backward compatibility with existing configurations

Requirements

Before commiting your code, please do the following steps.

1. Run make fmt and make fmt-sh
2. Run make lint

---

Integration Tests

To run integration tests against this PR, add the ready for testing label.

[okankoAMZ]

What are these event ids what are they representing, can we comment that here?

[Paamicky]

They are generic event ids to show how the final sampleConfig of the Toml will look like. it serves as documentation and example config for users of the Windows event Log plugin. So I just add the event id since it is a feature now.

[okankoAMZ]

why are we deleting this function can you explain in your PR description?

[Paamicky]

I just moved them to a different file due to the windows build tags. I wanted run some test on the linux environment so it doesn't skip those tests.

[okankoAMZ]

why are we deleting this function can you explain in your PR description?

[Paamicky]

Moved to a different file due to the windows build tags.

[okankoAMZ]

why are we deleting this function can you explain in your PR description?

[Paamicky]

Moved to a different file due to the windows build tags.

[okankoAMZ]

Okay so you are moving into a different file. Please document that in your description

[Paamicky]

Alright sure

[okankoAMZ]

shouldn't we have some kind of validation and returning error here. With the current implementation it seems like this function could never fail, is this true?

[Paamicky]

yeah used a different approach to integer verification, reverted to original main code.

[okankoAMZ]

With this change now, we keep going when the eventLevel is missing. Is this intentional?

[Paamicky]

if the eventLevel is missing it will proceed to check the for eventids, actually this still sets eventlevels to an empty slice of string instead of nil, I will fix this.

[Paamicky]

done!

[dricross]

Interesting. There are some other integers that aren't mangled like log retention. I wonder why those work. Perhaps because they aren't in an array? We should understand why those integers don't require additional processing.