Small refactor for Windows Event Log gap handling (#1777)

Author: duhminick

plugins/inputs/windows_event_log/wineventlog/utils.go

@@ -15,7 +15,6 @@ import (
 	"strings"
 	"syscall"
 	"time"
-	"unsafe"
 
 	"golang.org/x/text/encoding/unicode"
 	"golang.org/x/text/transform"
@@ -238,17 +237,3 @@ func insertPlaceholderValues(rawMessage string, evtDataValues []Datum) string {
 	}
 	return sb.String()
 }
-
-func utf16PtrToString(ptr *uint16) string {
-	utf16Slice := make([]uint16, 0, 1024)
-	for i := 0; ; i++ {
-		// Get the value at memory address ptr + (i * sizeof(uint16))
-		element := *(*uint16)(unsafe.Pointer(uintptr(unsafe.Pointer(ptr)) + uintptr(i)*unsafe.Sizeof(uint16(0))))
-
-		if element == 0 {
-			break // Null terminator found
-		}
-		utf16Slice = append(utf16Slice, element)
-	}
-	return syscall.UTF16ToString(utf16Slice)
-}

plugins/inputs/windows_event_log/wineventlog/utils_test.go

@@ -8,7 +8,9 @@ package wineventlog
 
 import (
 	"encoding/hex"
+	"syscall"
 	"testing"
+	"unsafe"
 
 	"github.com/stretchr/testify/assert"
 
@@ -252,3 +254,17 @@ func TestCreateRangeQuery(t *testing.T) {
 func resetState() {
 	NumberOfBytesPerCharacter = 0
 }
+
+func utf16PtrToString(ptr *uint16) string {
+	utf16Slice := make([]uint16, 0, 1024)
+	for i := 0; ; i++ {
+		// Get the value at memory address ptr + (i * sizeof(uint16))
+		element := *(*uint16)(unsafe.Pointer(uintptr(unsafe.Pointer(ptr)) + uintptr(i)*unsafe.Sizeof(uint16(0))))
+
+		if element == 0 {
+			break // Null terminator found
+		}
+		utf16Slice = append(utf16Slice, element)
+	}
+	return syscall.UTF16ToString(utf16Slice)
+}

plugins/inputs/windows_event_log/wineventlog/wineventlog.go

@@ -302,14 +302,10 @@ func (w *windowsEventLog) readGaps() []*windowsEventLogRecord {
 			continue
 		}
 
-		handle, err := w.openAtRange(r)
-		defer func() {
-			winEventAPI.EvtClose(handle)
-		}()
+		readRecords, err := w.readGap(r)
 		if err != nil {
 			continue
 		}
-		readRecords := w.readFromHandle(handle)
 		records = append(records, readRecords...)
 	}
 
@@ -319,6 +315,18 @@ func (w *windowsEventLog) readGaps() []*windowsEventLogRecord {
 	return records
 }
 
+func (w *windowsEventLog) readGap(r state.Range) ([]*windowsEventLogRecord, error) {
+	handle, err := w.openAtRange(r)
+	defer func() {
+		winEventAPI.EvtClose(handle)
+	}()
+	if err != nil {
+		return nil, err
+	}
+	readRecords := w.readFromHandle(handle)
+	return readRecords, nil
+}
+
 func (w *windowsEventLog) read() []*windowsEventLogRecord {
 	return w.readFromHandle(w.eventHandle)
 }

plugins/inputs/windows_event_log/wineventlog/wineventlog_test.go

@@ -182,15 +182,15 @@ func TestReadGaps(t *testing.T) {
 		winEventAPI = mockAPI
 
 		// This is per EvtHandle hence the necessity to break up these calls
-		// 0, 1, 4 were "sent" previously (should be skipped)
-		mockAPI.AddMockEventsForQuery(createMockEventRecords(0, 2, 5))
+		// 1, 2, 5 were "sent" previously (should be skipped)
+		mockAPI.AddMockEventsForQuery(createMockEventRecords(1, 2, 5))
 		// Gap records (should be read by gap reading)
 		mockAPI.AddMockEventsForQuery(createMockEventRecords(3, 4))
 
 		elog.Init()
 
 		// Simulate new subscription events arriving
-		mockAPI.SimulateSubscriptionEvents(createMockEventRecords(5, 6, 7, 8))
+		mockAPI.SimulateSubscriptionEvents(createMockEventRecords(6, 7, 8))
 
 		var records []logs.LogEvent
 		// SetOutput calls run as well hence the omission of elog.run()
@@ -202,7 +202,7 @@ func TestReadGaps(t *testing.T) {
 		elog.Stop()
 
 		expectedRecords := []int{
-			3, 4, 5, 6, 7, 8,
+			3, 4, 6, 7, 8,
 		}
 
 		assert.Empty(t, elog.gapsToRead, "Gaps should be cleared after reading")