aws
diff --git a/‎cmd/config-translator/translator_test.go‎
Lines changed: 15 additions & 0 deletions b/‎cmd/config-translator/translator_test.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎plugins/inputs/windows_event_log/windows_event_log.go‎
Lines changed: 3 additions & 1 deletion b/‎plugins/inputs/windows_event_log/windows_event_log.go‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎plugins/inputs/windows_event_log/wineventlog/utils.go‎
Lines changed: 20 additions & 5 deletions b/‎plugins/inputs/windows_event_log/wineventlog/utils.go‎
Lines changed: 20 additions & 5 deletions
diff --git a/‎plugins/inputs/windows_event_log/wineventlog/utils_test.go‎
Lines changed: 36 additions & 3 deletions b/‎plugins/inputs/windows_event_log/wineventlog/utils_test.go‎
Lines changed: 36 additions & 3 deletions
diff --git a/‎plugins/inputs/windows_event_log/wineventlog/wineventlog.go‎
Lines changed: 16 additions & 3 deletions b/‎plugins/inputs/windows_event_log/wineventlog/wineventlog.go‎
Lines changed: 16 additions & 3 deletions
@@ -103,13 +103,26 @@ func TestLogWindowsEventConfig(t *testing.T) {
 	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithInvalidEventName.json", false, expectedErrorMap)
 	expectedErrorMap1 := map[string]int{}
 	expectedErrorMap1["required"] = 2
+	expectedErrorMap1["number_any_of"] = 1
 	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithMissingEventNameAndLevel.json", false, expectedErrorMap1)
 	expectedErrorMap2 := map[string]int{}
 	expectedErrorMap2["invalid_type"] = 1
 	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithInvalidEventLevelType.json", false, expectedErrorMap2)
 	expectedErrorMap3 := map[string]int{}
 	expectedErrorMap3["enum"] = 1
 	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithInvalidEventFormatType.json", false, expectedErrorMap3)
+
+	//New tests for event_ids feature
+	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithInvalidEventFormatType.json", false, expectedErrorMap3)
+	expectedErrorMap4 := map[string]int{}
+	expectedErrorMap4["invalid_type"] = 1
+	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithInvalidEventIdsType.json", false, expectedErrorMap4)
+
+	expectedErrorMap5 := map[string]int{}
+	expectedErrorMap5["required"] = 1
+	expectedErrorMap5["number_any_of"] = 1
+	checkIfSchemaValidateAsExpected(t, "../../translator/config/sampleSchema/invalidLogWindowsEventsWithMissingEventIdsAndEventLevels.json", false, expectedErrorMap5)
+
 }
 
 func TestMetricsConfig(t *testing.T) {
@@ -198,7 +211,9 @@ func TestSampleConfigSchema(t *testing.T) {
 		for _, file := range files {
 			if re.MatchString(file.Name()) {
 				t.Logf("Validating ../../translator/tocwconfig/sampleConfig/%s\n", file.Name())
+
 				checkIfSchemaValidateAsExpected(t, "../../translator/tocwconfig/sampleConfig/"+file.Name(), true, map[string]int{})
+
 				t.Logf("Validated ../../translator/tocwconfig/sampleConfig/%s\n", file.Name())
 			}
 		}
 
@@ -31,6 +31,7 @@ var startOnlyOnce sync.Once
 type EventConfig struct {
 	Name          string   `toml:"event_name"`
 	Levels        []string `toml:"event_levels"`
+	EventIDs      []int    `toml:"event_ids"`
 	RenderFormat  string   `toml:"event_format"`
 	BatchReadSize int      `toml:"batch_read_size"`
 	LogGroupName  string   `toml:"log_group_name"`
@@ -39,7 +40,6 @@ type EventConfig struct {
 	Destination   string   `toml:"destination"`
 	Retention     int      `toml:"retention_in_days"`
 }
-
 type Plugin struct {
 	FileStateFolder string          `toml:"file_state_folder"`
 	Events          []EventConfig   `toml:"event_config"`
@@ -61,6 +61,7 @@ func (s *Plugin) SampleConfig() string {
 	[[inputs.windows_event_log.event_config]]
 	event_name = "System"
 	event_levels = ["2", "3"]
+	event_ids = [1001, 1002]
 	batch_read_size = 1
 	log_group_name = "System"
 	log_stream_name = "STREAM_NAME"
@@ -106,6 +107,7 @@ func (s *Plugin) Start(acc telegraf.Accumulator) error {
 		eventLog := wineventlog.NewEventLog(
 			eventConfig.Name,
 			eventConfig.Levels,
+			eventConfig.EventIDs,
 			eventConfig.LogGroupName,
 			eventConfig.LogStreamName,
 			eventConfig.RenderFormat,
 
@@ -26,10 +26,12 @@ const (
 	bookmarkTemplate         = `<BookmarkList><Bookmark Channel="%s" RecordId="%d" IsCurrent="True"/></BookmarkList>`
 	eventLogQueryTemplate    = `<QueryList><Query Id="0"><Select Path="%s">*[System[%s]]</Select></Query></QueryList>`
 	eventLogLevelFilter      = "Level='%s'"
+	eventLogeventIDFilter    = "EventID='%d'"
 	eventIgnoreOldFilter     = "TimeCreated[timediff(@SystemTime) &lt;= %d]"
 	eventRangeFilter         = "EventRecordID &gt; %d and EventRecordID &lt;= %d"
 	emptySpaceScanLength     = 100
 	UnknownBytesPerCharacter = 0
+	cutOffPeriod             = time.Hour * 24 * 14
 
 	CRITICAL    = "CRITICAL"
 	ERROR       = "ERROR"
@@ -66,16 +68,16 @@ func CreateBookmark(w WindowsEventAPI, channel string, recordID uint64) (h EvtHa
 	return h, nil
 }
 
-func CreateQuery(path string, levels []string) (*uint16, error) {
-	return createWindowsEventFilter(path, levels)
+func CreateQuery(path string, levels []string, eventIDs []int) (*uint16, error) {
+	return createWindowsEventFilter(path, levels, eventIDs)
 }
 
-func CreateRangeQuery(path string, levels []string, r state.Range) (*uint16, error) {
+func CreateRangeQuery(path string, levels []string, eventIDs []int, r state.Range) (*uint16, error) {
 	rangeFilter := fmt.Sprintf(eventRangeFilter, r.StartOffset(), r.EndOffset())
-	return createWindowsEventFilter(path, levels, rangeFilter)
+	return createWindowsEventFilter(path, levels, eventIDs, rangeFilter)
 }
 
-func createWindowsEventFilter(path string, levels []string, additionalFilters ...string) (*uint16, error) {
+func createWindowsEventFilter(path string, levels []string, eventIDs []int, additionalFilters ...string) (*uint16, error) {
 	// Add log levels
 	var levelsFilter string
 	formattedLevels := make([]string, len(levels))
@@ -86,6 +88,16 @@ func createWindowsEventFilter(path string, levels []string, additionalFilters ..
 		levelsFilter = fmt.Sprintf("(%s)", strings.Join(formattedLevels, " or "))
 	}
 
+	// Add eventIDs
+	var eventIDFilter string
+	formattedeventIDs := make([]string, len(eventIDs))
+	for i, eventIDs := range eventIDs {
+		formattedeventIDs[i] = fmt.Sprintf(eventLogeventIDFilter, eventIDs)
+	}
+	if len(formattedeventIDs) > 0 {
+		eventIDFilter = fmt.Sprintf("(%s)", strings.Join(formattedeventIDs, " or "))
+	}
+
 	// Ignore events older than 2 weeks
 	cutOffPeriod := (time.Hour * 24 * 14).Nanoseconds()
 	ignoreOlderThanTwoWeeksFilter := fmt.Sprintf(eventIgnoreOldFilter, cutOffPeriod/int64(time.Millisecond))
@@ -94,6 +106,9 @@ func createWindowsEventFilter(path string, levels []string, additionalFilters ..
 	if levelsFilter != "" {
 		filters = append(filters, levelsFilter)
 	}
+	if eventIDFilter != "" {
+		filters = append(filters, eventIDFilter)
+	}
 	filters = append(filters, ignoreOlderThanTwoWeeksFilter)
 	// Add any additional filters (e.g. record IDs)
 	if len(additionalFilters) > 0 {
 
@@ -132,11 +132,11 @@ func TestInsertPlaceholderValues(t *testing.T) {
 		})
 	}
 }
-
 func TestCreateQuery(t *testing.T) {
 	tests := []struct {
 		name     string
 		path     string
+		eventIDs []int
 		levels   []string
 		expected string
 	}{
@@ -146,18 +146,43 @@ func TestCreateQuery(t *testing.T) {
 			levels:   []string{"2"},
 			expected: `<QueryList><Query Id="0"><Select Path="Application">*[System[(Level='2') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
 		},
+		{
+			name:     "Single eventIDs filter",
+			path:     "Application",
+			eventIDs: []int{1002},
+			expected: `<QueryList><Query Id="0"><Select Path="Application">*[System[(EventID='1002') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
 		{
 			name:     "Multiple level filters",
 			path:     "System",
 			levels:   []string{"2", "3", "4"},
 			expected: `<QueryList><Query Id="0"><Select Path="System">*[System[(Level='2' or Level='3' or Level='4') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
 		},
+		{
+			name:     "Multiple eventIDs filters",
+			path:     "System",
+			eventIDs: []int{100, 200, 300},
+			expected: `<QueryList><Query Id="0"><Select Path="System">*[System[(EventID='100' or EventID='200' or EventID='300') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
 		{
 			name:     "No level filters",
 			path:     "Security",
 			levels:   []string{},
 			expected: `<QueryList><Query Id="0"><Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
 		},
+		{
+			name:     "No eventIDs filters",
+			path:     "Security",
+			eventIDs: []int{},
+			expected: `<QueryList><Query Id="0"><Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Both level and eventIDs filters",
+			path:     "Security",
+			levels:   []string{"2"},
+			eventIDs: []int{100},
+			expected: `<QueryList><Query Id="0"><Select Path="Security">*[System[(Level='2') and (EventID='100') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
 		{
 			name:     "Empty level filters",
 			path:     "Application",
@@ -174,7 +199,7 @@ func TestCreateQuery(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			ptr, err := CreateQuery(tc.path, tc.levels)
+			ptr, err := CreateQuery(tc.path, tc.levels, tc.eventIDs)
 			assert.NoError(t, err)
 			assert.NotNil(t, ptr)
 			assert.Equal(t, tc.expected, utf16PtrToString(ptr))
@@ -187,6 +212,7 @@ func TestCreateRangeQuery(t *testing.T) {
 		name     string
 		path     string
 		levels   []string
+		eventIDs []int
 		r        state.Range
 		expected string
 	}{
@@ -211,6 +237,13 @@ func TestCreateRangeQuery(t *testing.T) {
 			r:        state.NewRange(50, 150),
 			expected: `<QueryList><Query Id="0"><Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 50 and EventRecordID &lt;= 150]]</Select></Query></QueryList>`,
 		},
+		{
+			name:     "Multiple eventIDs with range",
+			path:     "System",
+			eventIDs: []int{45, 99},
+			r:        state.NewRange(1000, 2000),
+			expected: `<QueryList><Query Id="0"><Select Path="System">*[System[(EventID='45' or EventID='99') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 1000 and EventRecordID &lt;= 2000]]</Select></Query></QueryList>`,
+		},
 		{
 			name:     "Empty levels with range",
 			path:     "Application",
@@ -243,7 +276,7 @@ func TestCreateRangeQuery(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			ptr, err := CreateRangeQuery(tc.path, tc.levels, tc.r)
+			ptr, err := CreateRangeQuery(tc.path, tc.levels, tc.eventIDs, tc.r)
 			assert.NoError(t, err)
 			assert.NotNil(t, ptr)
 			assert.Equal(t, tc.expected, utf16PtrToString(ptr))
 
@@ -52,6 +52,7 @@ func (e *wevtAPIError) Error() string {
 type windowsEventLog struct {
 	name          string
 	levels        []string
+	eventIDs      []int
 	logGroupName  string
 	logStreamName string
 	logGroupClass string
@@ -70,10 +71,11 @@ type windowsEventLog struct {
 	resubscribeCh chan struct{}
 }
 
-func NewEventLog(name string, levels []string, logGroupName, logStreamName, renderFormat, destination string, stateManager state.FileRangeManager, maximumToRead int, retention int, logGroupClass string) *windowsEventLog {
+func NewEventLog(name string, levels []string, eventIDs []int, logGroupName, logStreamName, renderFormat, destination string, stateManager state.FileRangeManager, maximumToRead int, retention int, logGroupClass string) *windowsEventLog {
 	eventLog := &windowsEventLog{
 		name:          name,
 		levels:        levels,
+		eventIDs:      eventIDs,
 		logGroupName:  logGroupName,
 		logStreamName: logStreamName,
 		logGroupClass: logGroupClass,
@@ -92,6 +94,17 @@ func NewEventLog(name string, levels []string, logGroupName, logStreamName, rend
 }
 
 func (w *windowsEventLog) Init() error {
+	const (
+		minEventID = 0
+		maxEventID = 65535
+	)
+
+	for _, eventID := range w.eventIDs {
+		if eventID < minEventID || eventID > maxEventID {
+			return fmt.Errorf("invalid event ID: %d, event IDs must be between %d and %d", eventID, minEventID, maxEventID)
+		}
+	}
+
 	go w.stateManager.Run(state.Notification{Done: w.done})
 	restored, _ := w.stateManager.Restore()
 	// Do note that the end offset is inclusive here as opposed to exclusive like done
@@ -231,7 +244,7 @@ func (w *windowsEventLog) open() error {
 	if err != nil {
 		return err
 	}
-	query, err := CreateQuery(w.name, w.levels)
+	query, err := CreateQuery(w.name, w.levels, w.eventIDs)
 	if err != nil {
 		return err
 	}
@@ -248,7 +261,7 @@ func (w *windowsEventLog) openAtRange(r state.Range) (EvtHandle, error) {
 	if err != nil {
 		return 0, err
 	}
-	query, err := CreateRangeQuery(w.name, w.levels, r)
+	query, err := CreateRangeQuery(w.name, w.levels, w.eventIDs, r)
 	if err != nil {
 		return 0, err
 	}