feat: add JSON support to windows sources (#193)

* changelog 1.6.2

* docs for  windows json support

* add windows json support

* add windows json support

* fix typo

* chore(vagrant): fix ip

Signed-off-by: Dominik Rosiek <[email protected]>

* feat: add json related fields to windows event sources

Signed-off-by: Dominik Rosiek <[email protected]>

* refactor: create types for windows related properties

Signed-off-by: Dominik Rosiek <[email protected]>

* refactor: inherit windows remote source from windows local source

Signed-off-by: Dominik Rosiek <[email protected]>

* docs(README): update

Signed-off-by: Dominik Rosiek <[email protected]>

* fix: fix imports

Signed-off-by: Dominik Rosiek <[email protected]>

* fix: lint

Signed-off-by: Dominik Rosiek <[email protected]>

* feat: add enable_json_events property to windows sources

Signed-off-by: Dominik Rosiek <[email protected]>

* feat: add enable_json_events configuration to README

Signed-off-by: Dominik Rosiek <[email protected]>

* refactor: makes lint happy

Signed-off-by: Dominik Rosiek <[email protected]>

* fix: add missing change

Signed-off-by: Dominik Rosiek <[email protected]>

* tests: add tests for windows json events

Signed-off-by: Dominik Rosiek <[email protected]>

* chore(changelog): update

* Apply suggestions from code review

* docs: update due to review

Signed-off-by: Dominik Rosiek <[email protected]>

* docs: update due to review

Signed-off-by: Dominik Rosiek <[email protected]>

* feat: remove enable_json_events

Signed-off-by: Dominik Rosiek <[email protected]>

* Update CHANGELOG.md

* Apply suggestions from code review

* Delete remote_win_event_json_log_create_spec.rb

* Delete local_win_event_json_log_create_spec.rb

* tests: fix

Signed-off-by: Dominik Rosiek <[email protected]>

* fix: defaults

Signed-off-by: Dominik Rosiek <[email protected]>

* feat!: change default event_message to :message

Co-authored-by: Rick Jury <[email protected]>
Co-authored-by: Andrzej Stencel <[email protected]>

CHANGELOG.md

@@ -4,6 +4,12 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 This CHANGELOG (now) follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
 
+## Unreleased
+### Added
+- feat: add JSON support to windows sources [#193]
+
+[#193]: https://github.com/SumoLogic/sumologic-collector-chef-cookbook/pull/193
+
 ## [1.6.2] - 2022-01-05
 ### Added
 - added `fields` support to sources (@majormoses) [#189]

README.md

@@ -381,6 +381,13 @@ The following attribute parameters are in addition to the generic parameters
 listed above.
 
 - `log_names` - **required**
+- `event_format` - `:legacy` for legacy format or `:json` for JSON format. `:legacy` is default.
+- `event_message` - Use with JSON format. `:complete`, `:message` (recommended), or `:metadata` for metadata only.
+  `:message` is default.
+- `allowlist` - Available in Collector version 19.351-4 and later. A comma-separated list of event IDs.
+  This is an empty string as default.
+- `denylist` - Available in Collector version 19.351-4 and later. A comma-separated list of event IDs.
+  This is an empty string as default.
 
 ### Examples
 
@@ -391,6 +398,19 @@ sumo_source_local_windows_event_log 'local_win_event_log' do
 end
 ```
 
+Use JSON log format instead of legacy format:
+
+```ruby
+sumo_source_local_windows_event_log 'local_win_event_log' do
+  source_json_directory node['sumologic']['sumo_json_path']
+  log_names ['security', 'application']
+  event_format :json
+  event_message :message
+  allowlist ""
+  denylist ""
+end
+```
+
 sumo_source_remote_file
 ---------
 
@@ -445,7 +465,7 @@ sumo_source_remote_windows_event_log
 See the [Sumo Logic documentation](https://help.sumologic.com/Send_Data/Sources/Use_JSON_to_Configure_Sources)
 for more information about these attributes.
 
-The following attribute parameters are in addition to the generic parameters
+The following attribute parameters are in addition to the generic and [sumo_source_local_windows_event_log](#sumosourcelocalwindowseventlog) parameters
 listed above.
 
 - `domain` - **required**
@@ -467,6 +487,24 @@ sumo_source_remote_windows_event_log 'remote_win_event_log' do
 end
 ```
 
+Use JSON log format instead of legacy format:
+
+```ruby
+sumo_source_remote_windows_event_log 'remote_win_event_log' do
+  source_json_directory node['sumologic']['sumo_json_path']
+  domain 'mydomain'
+  username 'user'
+  password 'password'
+  hosts ['myremotehost1']
+  log_names ['security', 'application']
+  event_format :json
+  event_message :message
+  allowlist ""
+  denylist ""
+
+end
+```
+
 sumo_source_script
 ---------
 

Vagrantfile

@@ -12,7 +12,7 @@ Vagrant.configure('2') do |config|
   config.disksize.size = '50GB'
   config.vm.box_check_update = false
   config.vm.host_name = 'sumologic-collector-chef-cookbook'
-  config.vm.network :private_network, ip: "192.168.78.46"
+  config.vm.network :private_network, ip: "192.168.56.46"
 
   config.vm.provider 'virtualbox' do |vb|
     vb.gui = false

libraries/provider_local_win_event_log_source.rb

@@ -2,6 +2,7 @@
 
 require 'chef/provider/lwrp_base'
 require_relative 'provider_source'
+require_relative 'types'
 
 class Chef
   class Provider
@@ -11,6 +12,10 @@ class SumoSourceLocalWindowsEventLog < Chef::Provider::SumoSource
       def config_hash
         hash = super
         hash['source']['logNames'] = new_resource.log_names
+        hash['source']['eventFormat'] = EVENT_FORMAT[new_resource.event_format]
+        hash['source']['eventMessage'] = EVENT_MESSAGE[new_resource.event_message]
+        hash['source']['allowlist'] = new_resource.allowlist
+        hash['source']['denylist'] = new_resource.denylist
         hash
       end
     end

libraries/provider_remote_win_event_log_source.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 require 'chef/provider/lwrp_base'
-require_relative 'provider_source'
+require_relative 'provider_local_win_event_log_source'
 
 class Chef
   class Provider
-    class SumoSourceRemoteWindowsEventLog < Chef::Provider::SumoSource
+    class SumoSourceRemoteWindowsEventLog < Chef::Provider::SumoSourceLocalWindowsEventLog
       provides :sumo_source_remote_windows_event_log if respond_to?(:provides)
 
       def config_hash
@@ -14,7 +14,6 @@ def config_hash
         hash['source']['username'] = new_resource.username
         hash['source']['password'] = new_resource.password
         hash['source']['hosts'] = new_resource.hosts
-        hash['source']['logNames'] = new_resource.log_names
         hash
       end
     end

libraries/resource_local_win_event_log_source.rb

@@ -2,6 +2,7 @@
 
 require 'chef/resource/lwrp_base'
 require_relative 'resource_source'
+require_relative 'types'
 
 class Chef
   class Resource
@@ -10,6 +11,10 @@ class SumoSourceLocalWindowsEventLog < Chef::Resource::SumoSource
 
       attribute :source_type, kind_of: Symbol, default: :local_windows_event_log, equal_to: [:local_windows_event_log]
       attribute :log_names, kind_of: Array, required: true
+      attribute :event_format, kind_of: Symbol, default: :legacy, equal_to: EVENT_FORMAT.keys
+      attribute :event_message, kind_of: Symbol, default: :message, equal_to: EVENT_MESSAGE.keys
+      attribute :allowlist, kind_of: String
+      attribute :denylist, kind_of: String
     end
   end
 end

libraries/resource_remote_win_event_log_source.rb

@@ -1,19 +1,18 @@
 # frozen_string_literal: true
 
 require 'chef/resource/lwrp_base'
-require_relative 'resource_source'
+require_relative 'resource_local_win_event_log_source'
 
 class Chef
   class Resource
-    class SumoSourceRemoteWindowsEventLog < Chef::Resource::SumoSource
+    class SumoSourceRemoteWindowsEventLog < Chef::Resource::SumoSourceLocalWindowsEventLog
       provides :sumo_source_remote_windows_event_log if respond_to?(:provides)
 
       attribute :source_type, kind_of: Symbol, default: :remote_windows_event_log, equal_to: [:remote_windows_event_log]
       attribute :domain, kind_of: String, required: true
       attribute :username, kind_of: String, required: true
       attribute :password, kind_of: String, required: true
       attribute :hosts, kind_of: Array, required: true
-      attribute :log_names, kind_of: Array, required: true
     end
   end
 end

libraries/types.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+EVENT_FORMAT = {
+  nil => nil,
+  :legacy => 0,
+  :json => 1
+}.freeze
+
+EVENT_MESSAGE = {
+  nil => nil,
+  :complete => 0,
+  :message => 1,
+  :metadata => 2
+}.freeze

test/fixtures/cookbooks/source-resource/recipes/local_win_event_log_create.rb

@@ -3,4 +3,9 @@
 sumo_source_local_windows_event_log 'local_win_event_log' do
   source_json_directory node['sumologic']['sumo_json_path']
   log_names %w[security application]
+
+  event_format :legacy
+  event_message :message
+  allowlist "el1,el2"
+  denylist "el3,el4"
 end

test/fixtures/cookbooks/source-resource/recipes/remote_win_event_log_create.rb

@@ -7,4 +7,9 @@
   password 'password'
   hosts ['myremotehost1']
   log_names %w[security application]
+
+  event_format :legacy
+  event_message :message
+  allowlist "el1,el2"
+  denylist "el3,el4"
 end

test/integration/source-resource/serverspec/local_win_event_log_create_spec.rb

@@ -4,4 +4,9 @@
 
 describe file('/etc/sumo.json/local_win_event_log.json') do
   it { is_expected.to exist }
+
+  its(:content) { is_expected.to match(/"eventFormat":/) }
+  its(:content) { is_expected.to match(/"eventMessage":/) }
+  its(:content) { is_expected.to match(/"allowlist":/) }
+  its(:content) { is_expected.to match(/"denylist":/) }
 end

test/integration/source-resource/serverspec/remote_win_event_log_create_spec.rb

@@ -4,4 +4,9 @@
 
 describe file('/etc/sumo.json/remote_win_event_log.json') do
   it { is_expected.to exist }
+
+  its(:content) { is_expected.to match(/"eventFormat":/) }
+  its(:content) { is_expected.to match(/"eventMessage":/) }
+  its(:content) { is_expected.to match(/"allowlist":/) }
+  its(:content) { is_expected.to match(/"denylist":/) }
 end