[chore] Consolidate event code in WEL receiver (#35026)

This is a step towards #34720 which should have no user facing impact. It consolidates the event model by removing the notion of a "raw" event. The behavior of `raw` flag should remain the same because we still use different functions to build the output from the unified event.
open-telemetry · Sep 20, 2024 · 576d322 · 576d322
1 parent e93f0cc
commit 576d322
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 212 deletions.
diff --git a/pkg/stanza/operator/input/windows/event.go b/pkg/stanza/operator/input/windows/event.go
@@ -139,29 +139,6 @@ func (e *Event) Close() error {
 	return nil
 }
 
-func (e *Event) RenderRaw(buffer Buffer) (EventRaw, error) {
-	if e.handle == 0 {
-		return EventRaw{}, fmt.Errorf("event handle does not exist")
-	}
-
-	bufferUsed, err := evtRender(0, e.handle, EvtRenderEventXML, buffer.SizeBytes(), buffer.FirstByte())
-	if errors.Is(err, ErrorInsufficientBuffer) {
-		// If the bufferUsed is 0 return an error as we don't want to make a recursive call with no buffer
-		if *bufferUsed == 0 {
-			return EventRaw{}, errUnknownNextFrame
-		}
-
-		buffer.UpdateSizeBytes(*bufferUsed)
-		return e.RenderRaw(buffer)
-	}
-	bytes, err := buffer.ReadBytes(*bufferUsed)
-	if err != nil {
-		return EventRaw{}, fmt.Errorf("failed to read bytes from buffer: %w", err)
-	}
-
-	return unmarshalEventRaw(bytes)
-}
-
 // NewEvent will create a new event from an event handle.
 func NewEvent(handle uintptr) Event {
 	return Event{

diff --git a/pkg/stanza/operator/input/windows/input.go b/pkg/stanza/operator/input/windows/input.go
@@ -232,8 +232,6 @@ func (i *Input) read(ctx context.Context) int {
 
 // processEvent will process and send an event retrieved from windows event log.
 func (i *Input) processEvent(ctx context.Context, event Event) {
-	remoteServer := i.remote.Server
-
 	var providerName string // The provider name is only retrieved if needed.
 	if !i.raw || len(i.excludeProviders) > 0 {
 		var err error
@@ -253,13 +251,12 @@ func (i *Input) processEvent(ctx context.Context, event Event) {
 	}
 
 	if i.raw {
-		rawEvent, err := event.RenderRaw(i.buffer)
+		rawEvent, err := event.RenderSimple(i.buffer)
 		if err != nil {
 			i.Logger().Error("Failed to render raw event", zap.Error(err))
 			return
 		}
 
-		rawEvent.RemoteServer = remoteServer
 		i.sendEventRaw(ctx, rawEvent)
 		return
 	}
@@ -275,7 +272,6 @@ func (i *Input) processEvent(ctx context.Context, event Event) {
 	if publisher.Valid() {
 		formattedEvent, err := event.RenderFormatted(i.buffer, publisher)
 		if err == nil {
-			formattedEvent.RemoteServer = remoteServer
 			i.sendEvent(ctx, formattedEvent)
 			return
 		}
@@ -290,7 +286,6 @@ func (i *Input) processEvent(ctx context.Context, event Event) {
 		return
 	}
 
-	simpleEvent.RemoteServer = remoteServer
 	i.sendEvent(ctx, simpleEvent)
 }
 
@@ -309,9 +304,8 @@ func (i *Input) sendEvent(ctx context.Context, eventXML EventXML) {
 }
 
 // sendEventRaw will send EventRaw as an entry to the operator's output.
-func (i *Input) sendEventRaw(ctx context.Context, eventRaw EventRaw) {
-	body := eventRaw.parseBody()
-	entry, err := i.NewEntry(body)
+func (i *Input) sendEventRaw(ctx context.Context, eventRaw EventXML) {
+	entry, err := i.NewEntry(eventRaw.Original)
 	if err != nil {
 		i.Logger().Error("Failed to create entry", zap.Error(err))
 		return

diff --git a/pkg/stanza/operator/input/windows/raw.go b/pkg/stanza/operator/input/windows/raw.go
diff --git a/pkg/stanza/operator/input/windows/raw_test.go b/pkg/stanza/operator/input/windows/raw_test.go
diff --git a/pkg/stanza/operator/input/windows/xml.go b/pkg/stanza/operator/input/windows/xml.go
@@ -13,6 +13,7 @@ import (
 
 // EventXML is the rendered xml of an event.
 type EventXML struct {
+	Original         string      `xml:"-"`
 	EventID          EventID     `xml:"System>EventID"`
 	Provider         Provider    `xml:"System>Provider"`
 	Computer         string      `xml:"System>Computer"`
@@ -180,15 +181,6 @@ func parseEventData(eventData EventData) map[string]any {
 	return outputMap
 }
 
-// unmarshalEventXML will unmarshal EventXML from xml bytes.
-func unmarshalEventXML(bytes []byte) (EventXML, error) {
-	var eventXML EventXML
-	if err := xml.Unmarshal(bytes, &eventXML); err != nil {
-		return EventXML{}, fmt.Errorf("failed to unmarshal xml bytes into event: %w (%s)", err, string(bytes))
-	}
-	return eventXML, nil
-}
-
 // EventID is the identifier of the event.
 type EventID struct {
 	Qualifiers uint16 `xml:"Qualifiers,attr"`
@@ -267,3 +259,13 @@ func (e Execution) asMap() map[string]any {
 
 	return result
 }
+
+// unmarshalEventXML will unmarshal EventXML from xml bytes.
+func unmarshalEventXML(bytes []byte) (EventXML, error) {
+	var eventXML EventXML
+	if err := xml.Unmarshal(bytes, &eventXML); err != nil {
+		return EventXML{}, fmt.Errorf("failed to unmarshal xml bytes into event: %w (%s)", err, string(bytes))
+	}
+	eventXML.Original = string(bytes)
+	return eventXML, nil
+}
diff --git a/pkg/stanza/operator/input/windows/xml_test.go b/pkg/stanza/operator/input/windows/xml_test.go
@@ -479,6 +479,7 @@ func TestUnmarshalWithEventData(t *testing.T) {
 				{Name: "Source", Value: "RulesEngine"}},
 		},
 		Keywords: []string{"0x80000000000000"},
+		Original: string(data),
 	}
 
 	require.Equal(t, xml, event)
@@ -516,6 +517,7 @@ func TestUnmarshalWithAnonymousEventDataEntries(t *testing.T) {
 		Keywords:  []string{"0x80000000000000"},
 		Security:  &Security{},
 		Execution: &Execution{},
+		Original:  string(data),
 	}
 
 	require.Equal(t, xml, event)
@@ -554,6 +556,7 @@ func TestUnmarshalWithUserData(t *testing.T) {
 			ProcessID: 1472,
 			ThreadID:  7784,
 		},
+		Original: string(data),
 	}
 
 	require.Equal(t, xml, event)