diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go index 84e65aa95ab3..54cf61a63287 100644 --- a/winlogbeat/eventlog/wineventlog.go +++ b/winlogbeat/eventlog/wineventlog.go @@ -34,9 +34,9 @@ import ( "github.com/elastic/elastic-agent-libs/logp" ) -// winEventLogRaw implements the EventLog interface for reading from the Windows +// winEventLog implements the EventLog interface for reading from the Windows // Event Log API. -type winEventLogRaw struct { +type winEventLog struct { config config query string id string // Identifier of this event log. @@ -98,7 +98,7 @@ func newWinEventLog(options *conf.C) (EventLog, error) { log = logp.NewLogger("wineventlog").With("id", id).With("channel", c.Name) } - l := &winEventLogRaw{ + l := &winEventLog{ config: c, query: xmlQuery, id: id, @@ -131,27 +131,27 @@ func newWinEventLog(options *conf.C) (EventLog, error) { return l, nil } -func (l *winEventLogRaw) isForwarded() bool { +func (l *winEventLog) isForwarded() bool { c := l.config return (c.Forwarded != nil && *c.Forwarded) || (c.Forwarded == nil && c.Name == "ForwardedEvents") } // Name returns the name of the event log (i.e. Application, Security, etc.). -func (l *winEventLogRaw) Name() string { +func (l *winEventLog) Name() string { return l.id } // Channel returns the event log's channel name. -func (l *winEventLogRaw) Channel() string { +func (l *winEventLog) Channel() string { return l.channelName } // IsFile returns true if the event log is an evtx file. -func (l *winEventLogRaw) IsFile() bool { +func (l *winEventLog) IsFile() bool { return l.file } -func (l *winEventLogRaw) Open(state checkpoint.EventLogState) error { +func (l *winEventLog) Open(state checkpoint.EventLogState) error { l.lastRead = state // we need to defer metrics initialization since when the event log // is used from winlog input it would register it twice due to CheckConfig calls 
@@ -168,7 +168,7 @@ func (l *winEventLogRaw) Open(state checkpoint.EventLogState) error { return err } -func (l *winEventLogRaw) open(state checkpoint.EventLogState) (win.EvtHandle, error) { +func (l *winEventLog) open(state checkpoint.EventLogState) (win.EvtHandle, error) { var bookmark win.Bookmark if len(state.Bookmark) > 0 { var err error @@ -185,7 +185,7 @@ func (l *winEventLogRaw) open(state checkpoint.EventLogState) (win.EvtHandle, er return l.openChannel(bookmark) } -func (l *winEventLogRaw) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) { +func (l *winEventLog) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) { path := l.channelName h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection) @@ -222,7 +222,7 @@ func (l *winEventLogRaw) openFile(state checkpoint.EventLogState, bookmark win.B return h, err } -func (l *winEventLogRaw) openChannel(bookmark win.Bookmark) (win.EvtHandle, error) { +func (l *winEventLog) openChannel(bookmark win.Bookmark) (win.EvtHandle, error) { // Using a pull subscription to receive events. See: // https://msdn.microsoft.com/en-us/library/windows/desktop/aa385771(v=vs.85).aspx#pull signalEvent, err := windows.CreateEvent(nil, 0, 0, nil) @@ -264,7 +264,7 @@ func (l *winEventLogRaw) openChannel(bookmark win.Bookmark) (win.EvtHandle, erro } } -func (l *winEventLogRaw) Read() ([]Record, error) { +func (l *winEventLog) Read() ([]Record, error) { //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive. var records []Record defer func() { @@ -302,7 +302,7 @@ func (l *winEventLogRaw) Read() ([]Record, error) { return records, nil } -func (l *winEventLogRaw) processHandle(h win.EvtHandle) (*Record, error) { +func (l *winEventLog) processHandle(h win.EvtHandle) (*Record, error) { defer h.Close() // NOTE: Render can return an error and a partial event. 
@@ -339,7 +339,7 @@ func (l *winEventLogRaw) processHandle(h win.EvtHandle) (*Record, error) { return r, nil } -func (l *winEventLogRaw) createBookmarkFromEvent(evtHandle win.EvtHandle) (string, error) { +func (l *winEventLog) createBookmarkFromEvent(evtHandle win.EvtHandle) (string, error) { bookmark, err := win.NewBookmarkFromEvent(evtHandle) if err != nil { return "", fmt.Errorf("failed to create new bookmark from event handle: %w", err) @@ -349,18 +349,18 @@ func (l *winEventLogRaw) createBookmarkFromEvent(evtHandle win.EvtHandle) (strin return bookmark.XML() } -func (l *winEventLogRaw) Reset() error { +func (l *winEventLog) Reset() error { l.log.Debug("Closing event log reader handles for reset.") return l.close() } -func (l *winEventLogRaw) Close() error { +func (l *winEventLog) Close() error { l.log.Debug("Closing event log reader handles.") l.metrics.close() return l.close() } -func (l *winEventLogRaw) close() error { +func (l *winEventLog) close() error { if l.iterator == nil { return l.renderer.Close() } diff --git a/winlogbeat/eventlog/wineventlog_test.go b/winlogbeat/eventlog/wineventlog_test.go index 0290ce48feb4..d38852caf724 100644 --- a/winlogbeat/eventlog/wineventlog_test.go +++ b/winlogbeat/eventlog/wineventlog_test.go @@ -157,9 +157,7 @@ func TestWinEventLogConfig_Validate(t *testing.T) { } } -func TestWindowsEventLogAPIRaw(t *testing.T) { - // for the raw api using include xml behave differently than not - // so we must test both settings +func TestWindowsEventLogAPI(t *testing.T) { testWindowsEventLog(t, true) testWindowsEventLog(t, false) } diff --git a/winlogbeat/sys/wineventlog/format_message_test.go b/winlogbeat/sys/wineventlog/format_message_test.go index c677bc148acb..1d20626a261b 100644 --- a/winlogbeat/sys/wineventlog/format_message_test.go +++ b/winlogbeat/sys/wineventlog/format_message_test.go 
@@ -65,21 +65,7 @@ func TestFormatMessage(t *testing.T) { } assert.Contains(t, msg, `{{eventParam $ 2}}`) - - // NOTE: In this test case I noticed the messages contains - // "Logon ID: 0x0" - // but it should contain - // "Logon ID: {{eventParam $ 9}}" - // - // This may mean that certain windows.GUID values cannot be - // substituted with string values. So we shouldn't rely on this - // method to create text/templates. Instead we can use the - // getMessageStringFromMessageID (see test below) that works as - // expected. - // - // Note: This is not the case under 32-bit Windows 7. - // Disabling the assertion for now. - //assert.NotContains(t, msg, `{{eventParam $ 9}}`) + assert.NotContains(t, msg, `{{eventParam $ 9}}`) }) }) diff --git a/winlogbeat/tests/system/config/winlogbeat.yml.j2 b/winlogbeat/tests/system/config/winlogbeat.yml.j2 index 77bb1475eda2..e8863dce3828 100644 --- a/winlogbeat/tests/system/config/winlogbeat.yml.j2 +++ b/winlogbeat/tests/system/config/winlogbeat.yml.j2 @@ -4,9 +4,6 @@ winlogbeat.event_logs: {% for log in event_logs -%} - name: {{ log.name }} - {%- if log.api is defined %} - api: {{ log.api }} - {% endif %} {%- if log.ignore_older is defined %} ignore_older: {{ log.ignore_older }} {% endif %} diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py index 267e67e974fb..580d82989cfa 100644 --- a/winlogbeat/tests/system/test_wineventlog.py +++ b/winlogbeat/tests/system/test_wineventlog.py @@ -20,7 +20,6 @@ class Test(WriteReadTest): @classmethod def setUpClass(self): - self.api = "wineventlog" super(WriteReadTest, self).setUpClass() def test_read_one_event(self): @@ -33,7 +32,6 @@ def test_read_one_event(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) def test_resume_reading_events(self): 
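Review bot: The re-enabled `assert.NotContains` check for `{{eventParam $ 9}}` at the end of this hunk was switched off earlier precisely because, per the deleted note, whether parameter 9 was substituted in the rendered message varied by platform (the note singles out 32-bit Windows 7 as behaving differently), so the assertion's result depended on where the test ran. The commit removes that rationale without recording why the substitution is now expected to be consistent, which leaves whoever next sees a failure on an older host with nothing to go on. A single line above the assertion, such as `// Parameter 9 (Logon ID) must be substituted; this was once platform-dependent (32-bit Windows 7).`, would keep the history without the long note. TestFormatMessage begins outside the hunk.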
@@ -46,7 +44,6 @@ def test_resume_reading_events(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) # remove the output file, otherwise there is a race condition @@ -60,7 +57,6 @@ def test_resume_reading_events(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) def test_cleared_channel_restarts(self): @@ -151,7 +147,6 @@ def test_read_unknown_event_id(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], eventID="1111", extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) self.assertEqual( @@ -174,7 +169,6 @@ def test_read_unknown_sid(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, sid=accountIdentifier, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) def test_fields_under_root(self): @@ -190,7 +184,6 @@ def test_fields_under_root(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "tags": ["local"], "fields_under_root": True, "fields": {"local": "field", "env": "dev"} @@ -200,7 +193,6 @@ def test_fields_under_root(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, level="overwrite", extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", "global": "field", "env": "dev", "local": "field", @@ -218,7 +210,6 @@ def test_fields_not_under_root(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "fields": {"local": "field", "env": "dev", "num": 1} } ] @@ -227,7 +218,6 @@ def test_fields_not_under_root(self): self.assert_common_fields(evts[0], msg=msg, extra={ "log.level": "information", "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", "fields.global": "field", "fields.env": "dev", "fields.level": "overwrite", 
@@ -273,7 +263,6 @@ def test_query_event_id(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "event_id": "50, 100-200, -150" } ] @@ -298,7 +287,6 @@ def test_query_level_single(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "level": "warning" } ] @@ -322,7 +310,6 @@ def test_query_level_multiple(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "level": "error, warning" } ] @@ -344,7 +331,6 @@ def test_query_ignore_older(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "ignore_older": "2s" } ] @@ -363,7 +349,6 @@ def test_query_provider(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "provider": [self.otherAppName] } ] @@ -384,7 +369,6 @@ def test_query_multi_param(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "event_id": "10-20, 30-40, -35, -18, 400-1000, -432", "level": "warn, error", "provider": [self.otherAppName] @@ -407,7 +391,6 @@ def test_utf16_characters(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "include_xml": True, } ] @@ -439,7 +422,6 @@ def test_processors(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "extras": { "processors": [ { diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go index 607ec9454bd1..7a9d1e70a844 100644 --- a/x-pack/winlogbeat/module/testing_windows.go +++ b/x-pack/winlogbeat/module/testing_windows.go @@ -65,7 +65,6 @@ func testCollectionPipeline(t testing.TB, evtx string, p *params) { // Open evtx file. log, err := eventlog.New(config.MustNewConfigFrom(mapstr.M{ "name": path, - "api": "wineventlog", "no_more_events": "stop", })) if err != nil {