Agent Health Metric for Windows Events Filtering (#1787)

Author: Paamicky

extension/agenthealth/handler/useragent/useragent.go

@@ -33,6 +33,9 @@ const (
 	flagEnhancedContainerInsights = "enhanced_container_insights"
 	flagSELinux                   = "selinux"
 	flagROSA                      = "rosa"
+	FlagWindowsEventIDs           = "win_event_ids"
+	FlagWindowsEventFilters       = "win_event_filters"
+	FlagWindowsEventLevels        = "win_event_levels"
 	separator                     = " "
 
 	typeInputs     = "inputs"
@@ -79,9 +82,11 @@ var _ UserAgent = (*userAgent)(nil)
 func (ua *userAgent) SetComponents(otelCfg *otelcol.Config, telegrafCfg *telegraf.Config) {
 	ua.dataLock.Lock()
 	defer ua.dataLock.Unlock()
+
 	for _, input := range telegrafCfg.Inputs {
 		ua.inputs.Add(input.Config.Name)
 	}
+
 	for _, output := range telegrafCfg.Outputs {
 		ua.outputs.Add(output.Config.Name)
 	}

plugins/inputs/windows_event_log/windows_event_log.go

@@ -15,6 +15,7 @@ import (
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/plugins/inputs"
 
+	"github.com/aws/amazon-cloudwatch-agent/extension/agenthealth/handler/useragent"
 	"github.com/aws/amazon-cloudwatch-agent/internal/logscommon"
 	"github.com/aws/amazon-cloudwatch-agent/internal/state"
 	"github.com/aws/amazon-cloudwatch-agent/logs"
@@ -92,6 +93,7 @@ func (s *Plugin) Start(acc telegraf.Accumulator) error {
 		return nil
 	}
 
+	s.detectFeatures()
 	monitor := newServiceMonitor()
 	for _, eventConfig := range s.Events {
 		// Assume no 2 EventConfigs have the same combination of:
@@ -156,3 +158,18 @@ func (s *Plugin) Stop() {
 func init() {
 	inputs.Add("windows_event_log", func() telegraf.Input { return &Plugin{} })
 }
+func (s *Plugin) detectFeatures() {
+	if ua := useragent.Get(); ua != nil {
+		for _, eventConfig := range s.Events {
+			if len(eventConfig.EventIDs) > 0 {
+				ua.AddFeatureFlags(useragent.FlagWindowsEventIDs)
+			}
+			if len(eventConfig.Filters) > 0 {
+				ua.AddFeatureFlags(useragent.FlagWindowsEventFilters)
+			}
+			if len(eventConfig.Levels) > 0 {
+				ua.AddFeatureFlags(useragent.FlagWindowsEventLevels)
+			}
+		}
+	}
+}

plugins/inputs/windows_event_log/windows_event_log_test.go

@@ -13,6 +13,9 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/aws/amazon-cloudwatch-agent/extension/agenthealth/handler/useragent"
+	"github.com/aws/amazon-cloudwatch-agent/plugins/inputs/windows_event_log/wineventlog"
 )
 
 // TestGetStateFilePathGood tests getStateFilePath with good input.
@@ -105,3 +108,40 @@ func TestWindowsDuplicateStart(t *testing.T) {
 	plugin.Start(nil)
 	require.Equal(t, 1, len(plugin.newEvents), "Start should be ran only once so there should be only 1 new event")
 }
+
+func TestDetectFeatures(t *testing.T) {
+	plugin := &Plugin{
+		Events: []EventConfig{
+			{
+				EventIDs: []int{1000, 1001},
+			},
+			{
+				Filters: []*wineventlog.EventFilter{{Expression: "test"}},
+				Levels:  []string{"ERROR"},
+			},
+		},
+	}
+
+	ua := useragent.Get()
+	plugin.detectFeatures()
+
+	header := ua.Header(true)
+	assert.Contains(t, header, useragent.FlagWindowsEventIDs)
+	assert.Contains(t, header, useragent.FlagWindowsEventFilters)
+	assert.Contains(t, header, useragent.FlagWindowsEventLevels)
+
+	// Test that only configured features are detected
+	plugin = &Plugin{
+		Events: []EventConfig{{
+			EventIDs: []int{1000},
+		}},
+	}
+	ua = useragent.Get()
+	ua.Reset()
+	plugin.detectFeatures()
+
+	header = ua.Header(true)
+	assert.Contains(t, header, useragent.FlagWindowsEventIDs)
+	assert.NotContains(t, header, useragent.FlagWindowsEventFilters)
+	assert.NotContains(t, header, useragent.FlagWindowsEventLevels)
+}