win_eventlog buffer too small #16381

Open

knollet opened this issue Jan 8, 2025 · 0 comments
Labels
bug unexpected problem or unintended behavior

Comments

Contributor

knollet commented Jan 8, 2025

prerequisites

# create some windows-eventlog entries
# powershell as admin:
# create an eventlog
new-eventlog -LogName KnolletTest -Source Knollet

# a short message
write-eventlog -LogName KnolletTest -Source Knollet -EventID 123 -Message "This is a testmessage`n"

# a really long message:
write-eventlog -LogName KnolletTest -Source Knollet -EventID 123 -Message "This is a message with over 10,000 chars <insert 10,000 chars here>`n"

telegraf config

## win_eventlog_test.conf

[[inputs.win_eventlog]]
  name_override = "knollet_test"
  xpath_query = '''
  <QueryList>
    <Query Id="0" Path="KnolletTest">
      <Select Path="KnolletTest">*[System[Provider[@Name='Knollet'] and (EventID=123)]]</Select>
    </Query>
  </QueryList>
  '''

  from_beginning = true
  process_userdata = false
  process_eventdata = true
  only_first_line_of_message = false

  event_tags = [""]
  event_fields = [""]

[[processors.starlark]]
namepass = ["knollet_test"]
source = '''
load("logging.star", "log")

def apply(metric):
  log.error(repr(metric.fields))
  return None
'''

Logs from Telegraf

PS C:\program files\telegraf\telegraf.d> ..\telegraf -config .\win_eventlog_test.conf -test -test-wait 5 -debug
2025-01-08T14:27:13Z I! Loading config: .\win_eventlog_test.conf
2025-01-08T14:27:13Z I! Starting Telegraf 1.32.1 brought to you by InfluxData the makers of InfluxDB
2025-01-08T14:27:13Z I! Available plugins: 235 inputs, 9 aggregators, 32 processors, 26 parsers, 62 outputs, 5 secret-stores
2025-01-08T14:27:13Z I! Loaded inputs: win_eventlog
2025-01-08T14:27:13Z I! Loaded aggregators:
2025-01-08T14:27:13Z I! Loaded processors: starlark
2025-01-08T14:27:13Z I! Loaded secretstores:
2025-01-08T14:27:13Z W! Outputs are not used in testing mode!
2025-01-08T14:27:13Z I! Tags enabled: host=MYHOST
2025-01-08T14:27:13Z D! [agent] Initializing plugins
2025-01-08T14:27:13Z D! [agent] Starting service inputs
2025-01-08T14:27:13Z D! [inputs.win_eventlog] Subscription handle id:2
2025-01-08T14:27:13Z E! [processors.starlark] {"Data": "This is a testmessage"}         <---- the short one is here, the long one is missing!
2025-01-08T14:27:18Z D! [agent] Stopping service inputs
2025-01-08T14:27:18Z D! [agent] Input channel closed
2025-01-08T14:27:18Z D! [agent] Processor channel closed
2025-01-08T14:27:18Z D! [agent] Stopped Successfully

System info

Windows Telegraf 1.32.1

Steps to reproduce

  1. Create an Eventlog entry with a message longer than 10,000 chars, and a short one.
  2. Use inputs.win_eventlog to fetch them.
  3. See only the short one being fetched; the long one is ignored and there's apparently not even an error reported.

Expected behavior

All events should be fetched, else something could get lost, which is a problem for a monitoring agent.

Actual behavior

Events get lost, and I didn't even see an error logged despite -debug.

Additional info

As win_eventlog entries are limited in length by Windows, though, there's no need to check beforehand how much space might be required to malloc.

Some googling (for example, here, sorry, it's German:
https://www.quibiq.de/en/news/news-detail/news/detail/News/message-laengen-beschraenkung-im-event-log/page/8/
) reveals that entries are limited to 64k and, as they seem to be UTF-16 encoded, to 32k characters.

So the buffer length in
https://github.com/influxdata/telegraf/blob/master/plugins/inputs/win_eventlog/win_eventlog.go#L57
should be 1<<16 and not 1<<14, which limits messages to a fourth of the actually possible length, i.e. about 32k/4 chars, so around 8000 characters.

If 1<<16 doesn't fit, because the buflen has to be given as a UINT16, it should be (1<<16) - 1.
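As an added illustration (not the plugin's code) of the failure mode described in this report and of the handling that avoids it: fakeRender is a stand-in for EvtRender, which reports the required size together with ERROR_INSUFFICIENT_BUFFER when the caller's buffer is too small; the 1<<14 buffer, the 10,000-character message and the 64 KiB per-entry limit are the figures from the report above.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
)

// Stand-in for the Win32 ERROR_INSUFFICIENT_BUFFER status EvtRender reports
// when the caller's buffer cannot hold the rendered event.
var errInsufficientBuffer = errors.New("insufficient buffer")

// fakeRender mimics EvtRender: it writes msg as NUL-terminated UTF-16 into buf
// and returns the number of UTF-16 units required (two bytes each). If buf is
// too small, nothing is written and errInsufficientBuffer is returned.
func fakeRender(msg string, buf []uint16) (needed int, err error) {
	units := append(utf16.Encode([]rune(msg)), 0) // trailing NUL
	if needed = len(units); needed > len(buf) {
		return needed, errInsufficientBuffer
	}
	copy(buf, units)
	return needed, nil
}

// renderFixed is the failure mode in the issue: a fixed buffer of bufBytes
// bytes and a swallowed render error, so an oversized event just disappears.
func renderFixed(msg string, bufBytes int) (string, bool) {
	buf := make([]uint16, bufBytes/2)
	n, err := fakeRender(msg, buf)
	if err != nil {
		return "", false // lost, and nothing is logged
	}
	return string(utf16.Decode(buf[:n-1])), true
}

// renderGrow surfaces the error instead: on insufficient buffer it retries
// once with the size the API asked for, up to the 64 KiB the issue cites.
func renderGrow(msg string, bufBytes int) (string, error) {
	buf := make([]uint16, bufBytes/2)
	n, err := fakeRender(msg, buf)
	if errors.Is(err, errInsufficientBuffer) && 2*n <= 1<<16 {
		buf = make([]uint16, n)
		n, err = fakeRender(msg, buf)
	}
	if err != nil {
		return "", fmt.Errorf("render failed, needs %d bytes: %w", 2*n, err)
	}
	return string(utf16.Decode(buf[:n-1])), nil
}
```

With a 1<<14-byte buffer, renderFixed drops the 10,000-character event silently while renderGrow recovers it, and an event above the 64 KiB limit is reported as an error rather than vanishing.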

@knollet knollet added the bug unexpected problem or unintended behavior label Jan 8, 2025