Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

in_winevtlog: Support XML query parameter for filtering events #7848

Merged
merged 1 commit into from
Aug 29, 2023
Merged

in_winevtlog: Support XML query parameter for filtering events #7848

merged 1 commit into from
Aug 29, 2023

Conversation

cosmo0920
Copy link
Contributor

@cosmo0920 cosmo0920 commented Aug 22, 2023
edited
Loading

I implemented XML query capability for filtering Windows EventLog.
This is because filter_grep and type converter should be difficult to use when the types of records are unknown.
Instead, we also are able to provide a capability of XML query language to filter events.
EvtSubscribe API which is defined in winevt.h can handle that XML query.
ref: https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe

The advantage of the parameter is using in_winevtlog plugin only and not consuming for unneeded events on that plugin.

This feature is also a parity of fluent-plugin-windows-eventlog plugin's event_query parameter: https://github.com/fluent/fluent-plugin-windows-eventlog#configuration

This is related to #7271.

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change

To filter an event which has EventID 1040 within in_winevtlog plugin, we can use the following query in Event_Query parameter:

[SERVICE]
    Log_Level   debug
[INPUT]
    Name        winevtlog
    channels    Application
    Use_ANSI    True
    Event_Query Event/System[EventID!=1040]

[OUTPUT]
    Name stdout
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

fluent/fluent-bit-docs#1179

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@cosmo0920 cosmo0920 temporarily deployed to pr August 22, 2023 06:52 — with GitHub Actions Inactive
@cosmo0920 cosmo0920 temporarily deployed to pr August 22, 2023 06:52 — with GitHub Actions Inactive
@cosmo0920 cosmo0920 temporarily deployed to pr August 22, 2023 06:52 — with GitHub Actions Inactive
@cosmo0920 cosmo0920 mentioned this pull request Aug 22, 2023
Open
@cosmo0920 cosmo0920 temporarily deployed to pr August 22, 2023 07:18 — with GitHub Actions Inactive
@cosmo0920 cosmo0920 mentioned this pull request Aug 22, 2023
Merged
@edsiper edsiper added this to the Fluent Bit v2.1.9 milestone Aug 29, 2023
@edsiper edsiper merged commit 5c19f46 into master Aug 29, 2023
@edsiper edsiper deleted the cosmo0920-support-xml-query-on-in_winevtlog-plugin branch August 29, 2023 10:27
@edsiper
Copy link
Member

edsiper commented Aug 29, 2023

cc: @lecaros docs

@ZhongRuoyu ZhongRuoyu mentioned this pull request Sep 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

@leonardo-albertovich leonardo-albertovich Awaiting requested review from leonardo-albertovich leonardo-albertovich is a code owner

@fujimotos fujimotos Awaiting requested review from fujimotos fujimotos is a code owner

@koleini koleini Awaiting requested review from koleini koleini is a code owner

Assignees
No one assigned
Labels
docs-required
Projects
None yet
Milestone
Fluent Bit v2.1.9
Development

Successfully merging this pull request may close these issues.
2 participants
@cosmo0920 @edsiper