Add windows events log filtering to CWAgent configuration wizard (#1774)

Author: Paamicky

cmd/config-translator/translator_test.go

@@ -123,7 +123,6 @@ func TestLogWindowsEventConfig(t *testing.T) {
 	expectedErrorMap6["invalid_type"] = 1
 	expectedErrorMap6["enum"] = 1
 	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithInvalidFilterType.json", false, expectedErrorMap6)
-
 }
 
 func TestMetricsConfig(t *testing.T) {

plugins/inputs/windows_event_log/wineventlog/wineventlog.go

@@ -102,11 +102,13 @@ func (w *windowsEventLog) Init() error {
 		minEventID = 0
 		maxEventID = 65535
 	)
+
 	for _, eventID := range w.eventIDs {
 		if eventID < minEventID || eventID > maxEventID {
 			return fmt.Errorf("invalid event ID: %d, event IDs must be between %d and %d", eventID, minEventID, maxEventID)
 		}
 	}
+
 	for _, filter := range w.filters {
 		if err := filter.init(); err != nil {
 			return err

tool/data/config/logs.go

@@ -41,9 +41,9 @@ func (config *Logs) AddLogFile(filePath, logGroupName string, logStream, timesta
 	config.LogsCollect.AddLogFile(filePath, logGroupName, logStream, timestampFormat, timezone, multiLineStartPattern, encoding, retention, logGroupClass)
 }
 
-func (config *Logs) AddWindowsEvent(eventName, logGroupName, logStream, eventFormat string, eventLevels []string, retention int, logGroupClass string) {
+func (config *Logs) AddWindowsEvent(eventName, logGroupName, logStream, eventFormat string, eventLevels []string, eventIDs []int, filters []*logs.EventFilter, retention int, logGroupClass string) {
 	if config.LogsCollect == nil {
 		config.LogsCollect = &logs.Collection{}
 	}
-	config.LogsCollect.AddWindowsEvent(eventName, logGroupName, logStream, eventFormat, eventLevels, retention, logGroupClass)
+	config.LogsCollect.AddWindowsEvent(eventName, logGroupName, logStream, eventFormat, eventLevels, eventIDs, filters, retention, logGroupClass)
 }

tool/data/config/logs/collection.go

@@ -30,11 +30,11 @@ func (config *Collection) ToMap(ctx *runtime.Context) (string, map[string]interf
 	return "logs_collected", resultMap
 }
 
-func (config *Collection) AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat string, eventLevels []string, retention int, logGroupClass string) {
+func (config *Collection) AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat string, eventLevels []string, eventIDs []int, filters []*EventFilter, retention int, logGroupClass string) {
 	if config.WinEvents == nil {
 		config.WinEvents = &Events{}
 	}
-	config.WinEvents.AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat, eventLevels, retention, logGroupClass)
+	config.WinEvents.AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat, eventLevels, eventIDs, filters, retention, logGroupClass)
 }
 
 func (config *Collection) AddLogFile(filePath, logGroupName, logStreamName string, timestampFormat, timezone, multiLineStartPattern, encoding string, retention int, logGroupClass string) {

tool/data/config/logs/eventConfig.go

@@ -5,22 +5,41 @@ package logs
 
 import "github.com/aws/amazon-cloudwatch-agent/tool/runtime"
 
+type EventFilter struct {
+	Type       string `json:"type"`
+	Expression string `json:"expression"`
+}
 type EventConfig struct {
-	EventName     string   `event_name`
-	EventLevels   []string `event_levels`
-	EventFormat   string   `event_format`
-	LogGroup      string   `log_group_name`
-	LogStream     string   `log_stream_name`
-	LogGroupClass string   `log_group_class`
-	Retention     int      `retention_in_days`
+	EventName     string         `json:"event_name"`
+	EventLevels   []string       `json:"event_levels"`
+	EventIDs      []int          `json:"event_ids"`
+	Filters       []*EventFilter `json:"filters"`
+	EventFormat   string         `json:"event_format"`
+	LogGroup      string         `json:"log_group_name"`
+	LogStream     string         `json:"log_stream_name"`
+	LogGroupClass string         `json:"log_group_class"`
+	Retention     int            `json:"retention_in_days"`
 }
 
 func (config *EventConfig) ToMap(ctx *runtime.Context) (string, map[string]interface{}) {
 	resultMap := make(map[string]interface{})
 	resultMap["event_name"] = config.EventName
-	if config.EventLevels != nil && len(config.EventLevels) > 0 {
+	if len(config.EventLevels) > 0 {
 		resultMap["event_levels"] = config.EventLevels
 	}
+	if len(config.EventIDs) > 0 {
+		resultMap["event_ids"] = config.EventIDs
+	}
+	if len(config.Filters) > 0 {
+		filters := make([]map[string]interface{}, len(config.Filters))
+		for i, filter := range config.Filters {
+			filters[i] = map[string]interface{}{
+				"type":       filter.Type,
+				"expression": filter.Expression,
+			}
+		}
+		resultMap["filters"] = filters
+	}
 	if config.EventFormat != "" {
 		resultMap["event_format"] = config.EventFormat
 	}

tool/data/config/logs/eventConfig_test.go

@@ -19,14 +19,24 @@ func TestEventConfig_ToMap(t *testing.T) {
 		LogStream:     "SystemStream",
 		LogGroupClass: util.InfrequentAccessLogGroupClass,
 		EventLevels:   []string{"INFORMATION", "WARNING", "ERROR", "SUCCESS"},
-		Retention:     1,
+		EventIDs:      []int{1001, 1002, 4624, 4625},
+		Filters: []*EventFilter{
+			{Type: "include", Expression: "P(UT|OST)"},
+			{Type: "exclude", Expression: ".*INFORMATION"},
+		},
+		Retention: 1,
 	}
 	ctx := &runtime.Context{}
 	key, value := conf.ToMap(ctx)
 	assert.Equal(t, "", key)
 	assert.Equal(t, map[string]interface{}{
-		"event_name":        "System",
-		"event_levels":      []string{"INFORMATION", "WARNING", "ERROR", "SUCCESS"},
+		"event_name":   "System",
+		"event_levels": []string{"INFORMATION", "WARNING", "ERROR", "SUCCESS"},
+		"event_ids":    []int{1001, 1002, 4624, 4625},
+		"filters": []map[string]interface{}{
+			{"type": "include", "expression": "P(UT|OST)"},
+			{"type": "exclude", "expression": ".*INFORMATION"},
+		},
 		"log_group_name":    "SystemGroup",
 		"log_stream_name":   "SystemStream",
 		"log_group_class":   util.InfrequentAccessLogGroupClass,

tool/data/config/logs/events.go

@@ -21,7 +21,7 @@ func (config *Events) ToMap(ctx *runtime.Context) (string, map[string]interface{
 	return "windows_events", resultMap
 }
 
-func (config *Events) AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat string, eventLevels []string, retention int, logGroupClass string) {
+func (config *Events) AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat string, eventLevels []string, eventIDs []int, filters []*EventFilter, retention int, logGroupClass string) {
 	if config.EventConfigs == nil {
 		config.EventConfigs = []*EventConfig{}
 	}
@@ -32,6 +32,8 @@ func (config *Events) AddWindowsEvent(eventName, logGroupName, logStreamName, ev
 		LogGroupClass: logGroupClass,
 		EventFormat:   eventFormat,
 		EventLevels:   eventLevels,
+		EventIDs:      eventIDs,
+		Filters:       filters,
 		Retention:     retention,
 	}
 	config.EventConfigs = append(config.EventConfigs, singleEvent)

tool/data/config/logs/events_test.go

@@ -14,17 +14,17 @@ import (
 
 func TestEvents_ToMap(t *testing.T) {
 	conf := new(Events)
-	conf.AddWindowsEvent("EN1", "LG1", "LS1", "", []string{"ERROR", "SUCCESS"}, 1, util.InfrequentAccessLogGroupClass)
-	conf.AddWindowsEvent("EN2", "LG2", "LS2", "xml", []string{"ERROR"}, 1, util.InfrequentAccessLogGroupClass)
+	conf.AddWindowsEvent("EN1", "LG1", "LS1", "", []string{"ERROR", "SUCCESS"}, []int{7632, 9653}, []*EventFilter{{Type: "include", Expression: "P(UT|OST)"}}, 1, util.InfrequentAccessLogGroupClass)
+	conf.AddWindowsEvent("EN2", "LG2", "LS2", "xml", []string{"ERROR"}, []int{5000, 4496}, []*EventFilter{{Type: "include", Expression: ".*Aunthentication|Database.*"}}, 1, util.InfrequentAccessLogGroupClass)
 
 	ctx := &runtime.Context{}
 	actualkey, actualValue := conf.ToMap(ctx)
 
 	expectedKey := "windows_events"
 	expectedVal := map[string]interface{}{
 		"collect_list": []map[string]interface{}{
-			{"event_name": "EN1", "event_levels": []string{"ERROR", "SUCCESS"}, "log_group_name": "LG1", "log_stream_name": "LS1", "retention_in_days": 1, "log_group_class": util.InfrequentAccessLogGroupClass},
-			{"event_name": "EN2", "event_levels": []string{"ERROR"}, "log_group_name": "LG2", "log_stream_name": "LS2", "event_format": "xml", "retention_in_days": 1, "log_group_class": util.InfrequentAccessLogGroupClass},
+			{"event_name": "EN1", "event_levels": []string{"ERROR", "SUCCESS"}, "event_ids": []int{7632, 9653}, "filters": []map[string]interface{}{{"type": "include", "expression": "P(UT|OST)"}}, "log_group_name": "LG1", "log_stream_name": "LS1", "retention_in_days": 1, "log_group_class": util.InfrequentAccessLogGroupClass},
+			{"event_name": "EN2", "event_levels": []string{"ERROR"}, "event_ids": []int{5000, 4496}, "filters": []map[string]interface{}{{"type": "include", "expression": ".*Aunthentication|Database.*"}}, "log_group_name": "LG2", "log_stream_name": "LS2", "event_format": "xml", "retention_in_days": 1, "log_group_class": util.InfrequentAccessLogGroupClass},
 		},
 	}
 	assert.Equal(t, expectedKey, actualkey)

tool/processors/question/events/events.go

@@ -5,9 +5,12 @@ package events
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
+	"strings"
 
 	"github.com/aws/amazon-cloudwatch-agent/tool/data"
+	"github.com/aws/amazon-cloudwatch-agent/tool/data/config/logs"
 	"github.com/aws/amazon-cloudwatch-agent/tool/processors"
 	"github.com/aws/amazon-cloudwatch-agent/tool/processors/tracesconfig"
 	"github.com/aws/amazon-cloudwatch-agent/tool/runtime"
@@ -29,6 +32,9 @@ const (
 
 	EventFormatXML       = "xml"
 	EventFormatPlainText = "text"
+
+	FilterTypeInclude = "include"
+	FilterTypeExclude = "exclude"
 )
 
 var Processor processors.Processor = &processor{}
@@ -67,6 +73,49 @@ func monitorEvents(ctx *runtime.Context, config *data.Config) {
 			}
 		}
 
+		var eventIDs []int
+		if util.Yes("Do you want to filter by specific Event IDs?") {
+			eventIDsInput := util.Ask("Enter Event IDs (comma-separated, e.g., 1001,1002,1003):")
+			if eventIDsInput != "" {
+				eventIDStrings := strings.Split(eventIDsInput, ",")
+				for _, idStr := range eventIDStrings {
+					idStr = strings.TrimSpace(idStr)
+					if id, err := strconv.Atoi(idStr); err == nil && id >= 0 && id <= 65535 {
+						eventIDs = append(eventIDs, id)
+					} else {
+						fmt.Printf("Warning: Invalid Event ID '%s' ignored\n", idStr)
+					}
+				}
+			}
+		}
+		var filters []*logs.EventFilter
+		if util.Yes("Do you want to add regex filters to include/exclude specific events?") {
+			for {
+				filterType := util.Choice("Filter type:", 1, []string{"Include (events matching regex)", "Exclude (events matching regex)"})
+				var filterTypeStr string
+				if filterType == "Include (events matching regex)" {
+					filterTypeStr = FilterTypeInclude
+				} else {
+					filterTypeStr = FilterTypeExclude
+				}
+				regexPattern := util.Ask("Enter regex pattern:")
+				if regexPattern != "" {
+					if _, err := regexp.Compile(regexPattern); err != nil {
+						fmt.Printf("Error: Invalid regex pattern '%s': %v\n", regexPattern, err)
+						continue
+					}
+					filter := &logs.EventFilter{
+						Type:       filterTypeStr,
+						Expression: regexPattern,
+					}
+					filters = append(filters, filter)
+				}
+				if !util.Yes("Do you want to add another regex filter?") {
+					break
+				}
+			}
+		}
+
 		logGroupName := util.AskWithDefault("Log group name:", eventName)
 
 		logStreamNameHint := "{instance_id}"
@@ -102,7 +151,7 @@ func monitorEvents(ctx *runtime.Context, config *data.Config) {
 		if err == nil {
 			retention = i
 		}
-		logsConf.AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat, eventLevels, retention, logGroupClass)
+		logsConf.AddWindowsEvent(eventName, logGroupName, logStreamName, eventFormat, eventLevels, eventIDs, filters, retention, logGroupClass)
 
 		yes = util.Yes(fmt.Sprintf("Do you want to specify any additional %s to monitor?", WindowsEventLog))
 		if !yes {

tool/processors/question/events/events_test.go

@@ -22,15 +22,15 @@ func TestProcessor_Process(t *testing.T) {
 	ctx.OsParameter = util.OsTypeWindows
 	conf := new(data.Config)
 
-	testutil.Type(inputChan, "", "", "", "", "", "", "", "", "", "", "", "", "2")
+	testutil.Type(inputChan, "", "", "", "", "", "", "", "", "1001,1002", "", "", ".*error.*", "2", "", "", "", "", "", "2")
 	Processor.Process(ctx, conf)
 	_, confMap := conf.ToMap(ctx)
 	assert.Equal(t, map[string]interface{}{
 		"logs": map[string]interface{}{
 			"logs_collected": map[string]interface{}{
 				"windows_events": map[string]interface{}{
 					"collect_list": []map[string]interface{}{
-						{"event_name": "System", "event_format": "xml", "event_levels": []string{VERBOSE, INFORMATION, WARNING, ERROR, CRITICAL}, "log_group_name": "System", "log_group_class": util.StandardLogGroupClass, "log_stream_name": "{instance_id}", "retention_in_days": -1}}}}}},
+						{"event_name": "System", "event_format": "xml", "event_levels": []string{VERBOSE, INFORMATION, WARNING, ERROR, CRITICAL}, "event_ids": []int{1001, 1002}, "filters": []map[string]interface{}{{"type": "include", "expression": ".*error.*"}}, "log_group_name": "System", "log_group_class": util.StandardLogGroupClass, "log_stream_name": "{instance_id}", "retention_in_days": -1}}}}}},
 		confMap)
 }