diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e66541f062f..f6ad8c57740 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -33,6 +33,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Winlogbeat*
 
 - Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 {pull}35193[35193]
+- Fix the ability to use filtering features (e.g. `ignore_older`, `event_id`, `provider`, `level`) while reading `.evtx` files. {issue}16826[16826] {pull}36173[36173]
 
 *Functionbeat*
 
diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
index 4f1cb38b171..e36ebb84d02 100644
--- a/winlogbeat/eventlog/wineventlog.go
+++ b/winlogbeat/eventlog/wineventlog.go
@@ -332,7 +332,7 @@ func (l *winEventLog) Open(state checkpoint.EventLogState) error {
 func (l *winEventLog) openFile(state checkpoint.EventLogState, bookmark win.EvtHandle) error {
 path := l.channelName
 
- h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+ h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 if err != nil {
 l.metrics.logError(err)
 return fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
@@ -424,6 +424,7 @@ func (l *winEventLog) Read() ([]Record, error) {
 return nil, err
 }
 
+ //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive.
 var records []Record
 defer func() {
 l.metrics.log(records)
diff --git a/winlogbeat/eventlog/wineventlog_experimental.go b/winlogbeat/eventlog/wineventlog_experimental.go
index f035f76b66e..2df52edb938 100644
--- a/winlogbeat/eventlog/wineventlog_experimental.go
+++ b/winlogbeat/eventlog/wineventlog_experimental.go
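Review bot: Passing `l.query` to `win.EvtQuery` in file mode means a query the Windows API rejects now fails `openFile`, but the error on the following line still reads "failed to get handle to event log file %v", which hides that a filter was involved; include it, e.g. `return fmt.Errorf("failed to get handle to event log file %v with query %q: %w", path, l.query, err)`. The same applies to the matching openFile hunk in wineventlog_experimental.go. How `l.query` is built is outside this hunk; if it carries a Path attribute derived from the channel name, confirm the API accepts that form together with EvtQueryFilePath, since the old code passed "" and so never exercised that combination for files. openFile's body continues past the hunk.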
@@ -182,7 +182,7 @@ func (l *winEventLogExp) open(state checkpoint.EventLogState) (win.EvtHandle, er
 func (l *winEventLogExp) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) {
 path := l.channelName
 
- h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+ h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 if err != nil {
 return win.NilHandle, fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
 }
@@ -256,6 +256,7 @@ func (l *winEventLogExp) openChannel(bookmark win.Bookmark) (win.EvtHandle, erro
 }
 
 func (l *winEventLogExp) Read() ([]Record, error) {
+ //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive.
 var records []Record
 defer func() {
 l.metrics.log(records)
diff --git a/winlogbeat/eventlog/wineventlog_test.go b/winlogbeat/eventlog/wineventlog_test.go
index cd3eee71170..c0616021d22 100644
--- a/winlogbeat/eventlog/wineventlog_test.go
+++ b/winlogbeat/eventlog/wineventlog_test.go
@@ -270,6 +270,7 @@ func testWindowsEventLog(t *testing.T, api string) {
 assert.Equal(t, totalEvents, eventCount)
 })
 
+ // Test reading .evtx file without any query filters
 t.Run("evtx_file", func(t *testing.T) {
 path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
 if err != nil {
@@ -295,6 +296,34 @@ func testWindowsEventLog(t *testing.T, api string) {
 
 assert.Len(t, records, 32)
 })
+
+ // Test reading .evtx file with event_id filter
+ t.Run("evtx_file_with_query", func(t *testing.T) {
+ path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ log := openLog(t, map[string]interface{}{
+ "name": path,
+ "no_more_events": "stop",
+ "event_id": "3, 5",
+ })
+ defer log.Close()
+
+ records, err := log.Read()
+
+ // This implementation returns the EOF on the next call.
+ if err == nil && api == winEventLogAPIName {
+ _, err = log.Read()
+ }
+
+ if assert.Error(t, err, "no_more_events=stop requires io.EOF to be returned") {
+ assert.Equal(t, io.EOF, err)
+ }
+
+ assert.Len(t, records, 21)
+ })
 }
 
 // ---- Utility Functions -----
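Review bot: The new `evtx_file_with_query` subtest repeats the body of the preceding `evtx_file` subtest (mostly outside this hunk) and exercises only `event_id`, while the changelog entry in this same commit also names `ignore_older`, `provider` and `level` as fixed for `.evtx` reading. Folding both subtests into a table keyed by the extra config entries and the expected record count removes the duplication and gives each filter listed in the changelog a place to be asserted; expected counts for any added case have to be taken from the sysmon-9.01.evtx fixture. The enclosing testWindowsEventLog starts outside the hunk.

```go
	// Test reading the .evtx file with and without query filters.
	evtxCases := []struct {
		name  string
		extra map[string]interface{} // filter options merged into the base config
		want  int                    // records expected from the fixture
	}{
		{name: "evtx_file", want: 32},
		{name: "evtx_file_with_query", extra: map[string]interface{}{"event_id": "3, 5"}, want: 21},
		// provider / level / ignore_older cases go here once their counts are taken from the fixture.
	}
	for _, tc := range evtxCases {
		t.Run(tc.name, func(t *testing.T) {
			path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
			if err != nil {
				t.Fatal(err)
			}

			cfg := map[string]interface{}{
				"name":           path,
				"no_more_events": "stop",
			}
			for k, v := range tc.extra {
				cfg[k] = v
			}

			log := openLog(t, cfg)
			defer log.Close()

			// … unchanged: Read, EOF handling and error assertions …

			assert.Len(t, records, tc.want)
		})
	}
```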