Restore and send gaps for Windows events (#1747)

Co-authored-by: Jeffrey Chien <[email protected]>

Author: duhminick

plugins/inputs/windows_event_log/wineventlog/utils.go

@@ -15,16 +15,20 @@ import (
 	"strings"
 	"syscall"
 	"time"
+	"unsafe"
 
 	"golang.org/x/text/encoding/unicode"
 	"golang.org/x/text/transform"
+
+	"github.com/aws/amazon-cloudwatch-agent/internal/state"
 )
 
 const (
 	bookmarkTemplate         = `<BookmarkList><Bookmark Channel="%s" RecordId="%d" IsCurrent="True"/></BookmarkList>`
-	eventLogQueryTemplate    = `<QueryList><Query Id="0"><Select Path="%s">%s</Select></Query></QueryList>`
+	eventLogQueryTemplate    = `<QueryList><Query Id="0"><Select Path="%s">*[System[%s]]</Select></Query></QueryList>`
 	eventLogLevelFilter      = "Level='%s'"
 	eventIgnoreOldFilter     = "TimeCreated[timediff(@SystemTime) &lt;= %d]"
+	eventRangeFilter         = "EventRecordID &gt; %d and EventRecordID &lt;= %d"
 	emptySpaceScanLength     = 100
 	UnknownBytesPerCharacter = 0
 
@@ -38,10 +42,10 @@ const (
 
 var NumberOfBytesPerCharacter = UnknownBytesPerCharacter
 
-func RenderEventXML(eventHandle EvtHandle, renderBuf []byte) ([]byte, error) {
+func RenderEventXML(w WindowsEventAPI, eventHandle EvtHandle, renderBuf []byte) ([]byte, error) {
 	var bufferUsed, propertyCount uint32
 
-	if err := EvtRender(0, eventHandle, EvtRenderEventXml, uint32(len(renderBuf)), &renderBuf[0], &bufferUsed, &propertyCount); err != nil {
+	if err := w.EvtRender(0, eventHandle, EvtRenderEventXml, uint32(len(renderBuf)), &renderBuf[0], &bufferUsed, &propertyCount); err != nil {
 		return nil, fmt.Errorf("error when rendering events. Details: %v", err)
 	}
 
@@ -50,39 +54,54 @@ func RenderEventXML(eventHandle EvtHandle, renderBuf []byte) ([]byte, error) {
 	return utf16ToUTF8Bytes(renderBuf, bufferUsed)
 }
 
-func CreateBookmark(channel string, recordID uint64) (h EvtHandle, err error) {
+func CreateBookmark(w WindowsEventAPI, channel string, recordID uint64) (h EvtHandle, err error) {
 	xml := fmt.Sprintf(bookmarkTemplate, channel, recordID)
 	p, err := syscall.UTF16PtrFromString(xml)
 	if err != nil {
 		return 0, err
 	}
-	h, err = EvtCreateBookmark(p)
+	h, err = w.EvtCreateBookmark(p)
 	if err != nil {
 		return 0, fmt.Errorf("error when creating a bookmark. Details: %v", err)
 	}
 	return h, nil
 }
 
 func CreateQuery(path string, levels []string) (*uint16, error) {
-	var filterLevels string
-	for _, level := range levels {
-		if filterLevels == "" {
-			filterLevels = fmt.Sprintf(eventLogLevelFilter, level)
-		} else {
-			filterLevels = filterLevels + " or " + fmt.Sprintf(eventLogLevelFilter, level)
-		}
+	return createWindowsEventFilter(path, levels)
+}
+
+func CreateRangeQuery(path string, levels []string, r state.Range) (*uint16, error) {
+	rangeFilter := fmt.Sprintf(eventRangeFilter, r.StartOffset(), r.EndOffset())
+	return createWindowsEventFilter(path, levels, rangeFilter)
+}
+
+func createWindowsEventFilter(path string, levels []string, additionalFilters ...string) (*uint16, error) {
+	// Add log levels
+	var levelsFilter string
+	formattedLevels := make([]string, len(levels))
+	for i, level := range levels {
+		formattedLevels[i] = fmt.Sprintf(eventLogLevelFilter, level)
+	}
+	if len(formattedLevels) > 0 {
+		levelsFilter = fmt.Sprintf("(%s)", strings.Join(formattedLevels, " or "))
 	}
 
-	//Ignore events older than 2 weeks
+	// Ignore events older than 2 weeks
 	cutOffPeriod := (time.Hour * 24 * 14).Nanoseconds()
 	ignoreOlderThanTwoWeeksFilter := fmt.Sprintf(eventIgnoreOldFilter, cutOffPeriod/int64(time.Millisecond))
-	if filterLevels != "" {
-		filterLevels = "*[System[(" + filterLevels + ") and " + ignoreOlderThanTwoWeeksFilter + "]]"
-	} else {
-		filterLevels = "*[System[" + ignoreOlderThanTwoWeeksFilter + "]]"
+
+	var filters []string
+	if levelsFilter != "" {
+		filters = append(filters, levelsFilter)
+	}
+	filters = append(filters, ignoreOlderThanTwoWeeksFilter)
+	// Add any additional filters (e.g. record IDs)
+	if len(additionalFilters) > 0 {
+		filters = append(filters, strings.Join(additionalFilters, " and "))
 	}
 
-	xml := fmt.Sprintf(eventLogQueryTemplate, path, filterLevels)
+	xml := fmt.Sprintf(eventLogQueryTemplate, path, strings.Join(filters, " and "))
 	return syscall.UTF16PtrFromString(xml)
 }
 
@@ -219,3 +238,17 @@ func insertPlaceholderValues(rawMessage string, evtDataValues []Datum) string {
 	}
 	return sb.String()
 }
+
+func utf16PtrToString(ptr *uint16) string {
+	utf16Slice := make([]uint16, 0, 1024)
+	for i := 0; ; i++ {
+		// Get the value at memory address ptr + (i * sizeof(uint16))
+		element := *(*uint16)(unsafe.Pointer(uintptr(unsafe.Pointer(ptr)) + uintptr(i)*unsafe.Sizeof(uint16(0))))
+
+		if element == 0 {
+			break // Null terminator found
+		}
+		utf16Slice = append(utf16Slice, element)
+	}
+	return syscall.UTF16ToString(utf16Slice)
+}

plugins/inputs/windows_event_log/wineventlog/utils_test.go

@@ -11,6 +11,8 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+
+	"github.com/aws/amazon-cloudwatch-agent/internal/state"
 )
 
 func TestPayload_Value(t *testing.T) {
@@ -129,6 +131,124 @@ func TestInsertPlaceholderValues(t *testing.T) {
 	}
 }
 
+func TestCreateQuery(t *testing.T) {
+	tests := []struct {
+		name     string
+		path     string
+		levels   []string
+		expected string
+	}{
+		{
+			name:     "Single level filter",
+			path:     "Application",
+			levels:   []string{"2"},
+			expected: `<QueryList><Query Id="0"><Select Path="Application">*[System[(Level='2') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Multiple level filters",
+			path:     "System",
+			levels:   []string{"2", "3", "4"},
+			expected: `<QueryList><Query Id="0"><Select Path="System">*[System[(Level='2' or Level='3' or Level='4') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "No level filters",
+			path:     "Security",
+			levels:   []string{},
+			expected: `<QueryList><Query Id="0"><Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Empty level filters",
+			path:     "Application",
+			levels:   nil,
+			expected: `<QueryList><Query Id="0"><Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Path with special characters",
+			path:     "Microsoft-Windows-Security-Auditing",
+			levels:   []string{"2"},
+			expected: `<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Security-Auditing">*[System[(Level='2') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000]]]</Select></Query></QueryList>`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ptr, err := CreateQuery(tc.path, tc.levels)
+			assert.NoError(t, err)
+			assert.NotNil(t, ptr)
+			assert.Equal(t, tc.expected, utf16PtrToString(ptr))
+		})
+	}
+}
+
+func TestCreateRangeQuery(t *testing.T) {
+	tests := []struct {
+		name     string
+		path     string
+		levels   []string
+		r        state.Range
+		expected string
+	}{
+		{
+			name:     "Single level with range",
+			path:     "Application",
+			levels:   []string{"2"},
+			r:        state.NewRange(100, 200),
+			expected: `<QueryList><Query Id="0"><Select Path="Application">*[System[(Level='2') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 100 and EventRecordID &lt;= 200]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Multiple levels with range",
+			path:     "System",
+			levels:   []string{"2", "3"},
+			r:        state.NewRange(1000, 2000),
+			expected: `<QueryList><Query Id="0"><Select Path="System">*[System[(Level='2' or Level='3') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 1000 and EventRecordID &lt;= 2000]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "No levels with range",
+			path:     "Security",
+			levels:   []string{},
+			r:        state.NewRange(50, 150),
+			expected: `<QueryList><Query Id="0"><Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 50 and EventRecordID &lt;= 150]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Empty levels with range",
+			path:     "Application",
+			levels:   nil,
+			r:        state.NewRange(0, 100),
+			expected: `<QueryList><Query Id="0"><Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 0 and EventRecordID &lt;= 100]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Large range values",
+			path:     "System",
+			levels:   []string{"2", "3", "4"},
+			r:        state.NewRange(999999, 1000000),
+			expected: `<QueryList><Query Id="0"><Select Path="System">*[System[(Level='2' or Level='3' or Level='4') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 999999 and EventRecordID &lt;= 1000000]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Zero start range",
+			path:     "Test",
+			levels:   []string{"2"},
+			r:        state.NewRange(0, 1),
+			expected: `<QueryList><Query Id="0"><Select Path="Test">*[System[(Level='2') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 0 and EventRecordID &lt;= 1]]</Select></Query></QueryList>`,
+		},
+		{
+			name:     "Path with special characters and range",
+			path:     "Microsoft-Windows-Kernel-General",
+			levels:   []string{"2"},
+			r:        state.NewRange(12345, 67890),
+			expected: `<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Kernel-General">*[System[(Level='2') and TimeCreated[timediff(@SystemTime) &lt;= 1209600000] and EventRecordID &gt; 12345 and EventRecordID &lt;= 67890]]</Select></Query></QueryList>`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ptr, err := CreateRangeQuery(tc.path, tc.levels, tc.r)
+			assert.NoError(t, err)
+			assert.NotNil(t, ptr)
+			assert.Equal(t, tc.expected, utf16PtrToString(ptr))
+		})
+	}
+}
+
 func resetState() {
 	NumberOfBytesPerCharacter = 0
 }

plugins/inputs/windows_event_log/wineventlog/sys_call.go renamed to plugins/inputs/windows_event_log/wineventlog/windows_event_api.go

@@ -10,6 +10,19 @@ import (
 	"unsafe"
 )
 
+// WindowsEventAPI defines the interface for Windows Event Log API operations
+// This allows us to mock the Windows API calls for testing
+type WindowsEventAPI interface {
+	EvtSubscribe(session EvtHandle, signalEvent uintptr, channelPath *uint16, query *uint16, bookmark EvtHandle, context uintptr, callback syscall.Handle, flags EvtSubscribeFlag) (handle EvtHandle, err error)
+	EvtQuery(session EvtHandle, path *uint16, query *uint16, flags EvtQueryFlag) (EvtHandle, error)
+	EvtNext(resultSet EvtHandle, eventArraySize uint32, eventArray *EvtHandle, timeout uint32, flags uint32, numReturned *uint32) error
+	EvtClose(handle EvtHandle) error
+	EvtRender(context EvtHandle, fragment EvtHandle, flags EvtRenderFlag, bufferSize uint32, buffer *byte, bufferUsed *uint32, propertyCount *uint32) error
+	EvtCreateBookmark(bookmarkXML *uint16) (handle EvtHandle, err error)
+	EvtFormatMessage(publisherMetadata EvtHandle, event EvtHandle, messageID uint32, valueCount uint32, values uintptr, flags EvtFormatMessageFlag, bufferSize uint32, buffer *byte, bufferUsed *uint32) error
+	EvtOpenPublisherMetadata(session EvtHandle, publisherId *uint16, logFilePath *uint16, locale uint32, flags uint32) (EvtHandle, error)
+}
+
 // EvtHandle is a handle to the event log.
 type EvtHandle uintptr
 
@@ -20,6 +33,14 @@ const (
 	EvtSubscribeStartAfterBookmark EvtSubscribeFlag = 3
 )
 
+// EvtQueryFlag defines the values that specify how to return the query results and whether you are query against a channel or log file.
+// https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtquery
+type EvtQueryFlag uint32
+
+const (
+	EvtQueryChannelPath EvtQueryFlag = 1
+)
+
 // EvtRenderFlag defines the values that specify what to render.
 type EvtRenderFlag uint32
 
@@ -45,6 +66,7 @@ var (
 	// For Windows versions newer than 2003
 	modwevtapi                   = syscall.NewLazyDLL("wevtapi.dll")
 	procEvtSubscribe             = modwevtapi.NewProc("EvtSubscribe")
+	procEvtQuery                 = modwevtapi.NewProc("EvtQuery")
 	procEvtCreateBookmark        = modwevtapi.NewProc("EvtCreateBookmark")
 	procEvtCreateRenderContext   = modwevtapi.NewProc("EvtCreateRenderContext")
 	procEvtRender                = modwevtapi.NewProc("EvtRender")
@@ -54,7 +76,14 @@ var (
 	procEvtOpenPublisherMetadata = modwevtapi.NewProc("EvtOpenPublisherMetadata")
 )
 
-func EvtSubscribe(session EvtHandle, signalEvent uintptr, channelPath *uint16, query *uint16, bookmark EvtHandle, context uintptr, callback syscall.Handle, flags EvtSubscribeFlag) (handle EvtHandle, err error) {
+// windowsEventAPI implements the interface using actual Windows API calls
+type windowsEventAPI struct{}
+
+func NewWindowsEventAPI() WindowsEventAPI {
+	return &windowsEventAPI{}
+}
+
+func (w *windowsEventAPI) EvtSubscribe(session EvtHandle, signalEvent uintptr, channelPath *uint16, query *uint16, bookmark EvtHandle, context uintptr, callback syscall.Handle, flags EvtSubscribeFlag) (handle EvtHandle, err error) {
 	r0, _, e1 := syscall.Syscall9(procEvtSubscribe.Addr(), 8, uintptr(session), uintptr(signalEvent), uintptr(unsafe.Pointer(channelPath)), uintptr(unsafe.Pointer(query)), uintptr(bookmark), uintptr(context), uintptr(callback), uintptr(flags), 0)
 	handle = EvtHandle(r0)
 	if handle == 0 {
@@ -67,7 +96,20 @@ func EvtSubscribe(session EvtHandle, signalEvent uintptr, channelPath *uint16, q
 	return
 }
 
-func EvtCreateBookmark(bookmarkXML *uint16) (handle EvtHandle, err error) {
+func (w *windowsEventAPI) EvtQuery(session EvtHandle, path *uint16, query *uint16, flags EvtQueryFlag) (handle EvtHandle, err error) {
+	r0, _, e1 := syscall.Syscall6(procEvtQuery.Addr(), 4, uintptr(session), uintptr(unsafe.Pointer(path)), uintptr(unsafe.Pointer(query)), uintptr(flags), 0, 0)
+	handle = EvtHandle(r0)
+	if handle == 0 {
+		if e1 != 0 {
+			err = error(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func (w *windowsEventAPI) EvtCreateBookmark(bookmarkXML *uint16) (handle EvtHandle, err error) {
 	r0, _, e1 := syscall.Syscall(procEvtCreateBookmark.Addr(), 1, uintptr(unsafe.Pointer(bookmarkXML)), 0, 0)
 	handle = EvtHandle(r0)
 	if handle == 0 {
@@ -80,7 +122,7 @@ func EvtCreateBookmark(bookmarkXML *uint16) (handle EvtHandle, err error) {
 	return
 }
 
-func EvtCreateRenderContext(ValuePathsCount uint32, valuePaths uintptr, flags EvtRenderContextFlag) (handle EvtHandle, err error) {
+func (w *windowsEventAPI) EvtCreateRenderContext(ValuePathsCount uint32, valuePaths uintptr, flags EvtRenderContextFlag) (handle EvtHandle, err error) {
 	r0, _, e1 := syscall.Syscall(procEvtCreateRenderContext.Addr(), 3, uintptr(ValuePathsCount), uintptr(valuePaths), uintptr(flags))
 	handle = EvtHandle(r0)
 	if handle == 0 {
@@ -93,7 +135,7 @@ func EvtCreateRenderContext(ValuePathsCount uint32, valuePaths uintptr, flags Ev
 	return
 }
 
-func EvtRender(context EvtHandle, fragment EvtHandle, flags EvtRenderFlag, bufferSize uint32, buffer *byte, bufferUsed *uint32, propertyCount *uint32) (err error) {
+func (w *windowsEventAPI) EvtRender(context EvtHandle, fragment EvtHandle, flags EvtRenderFlag, bufferSize uint32, buffer *byte, bufferUsed *uint32, propertyCount *uint32) (err error) {
 	r1, _, e1 := syscall.Syscall9(procEvtRender.Addr(), 7, uintptr(context), uintptr(fragment), uintptr(flags), uintptr(bufferSize), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(bufferUsed)), uintptr(unsafe.Pointer(propertyCount)), 0, 0)
 	if r1 == 0 {
 		if e1 != 0 {
@@ -105,7 +147,7 @@ func EvtRender(context EvtHandle, fragment EvtHandle, flags EvtRenderFlag, buffe
 	return
 }
 
-func EvtClose(object EvtHandle) (err error) {
+func (w *windowsEventAPI) EvtClose(object EvtHandle) (err error) {
 	r1, _, e1 := syscall.Syscall(procEvtClose.Addr(), 1, uintptr(object), 0, 0)
 	if r1 == 0 {
 		if e1 != 0 {
@@ -117,7 +159,7 @@ func EvtClose(object EvtHandle) (err error) {
 	return
 }
 
-func EvtNext(resultSet EvtHandle, eventArraySize uint32, eventArray *EvtHandle, timeout uint32, flags uint32, numReturned *uint32) (err error) {
+func (w *windowsEventAPI) EvtNext(resultSet EvtHandle, eventArraySize uint32, eventArray *EvtHandle, timeout uint32, flags uint32, numReturned *uint32) (err error) {
 	r1, _, e1 := syscall.Syscall6(procEvtNext.Addr(), 6, uintptr(resultSet), uintptr(eventArraySize), uintptr(unsafe.Pointer(eventArray)), uintptr(timeout), uintptr(flags), uintptr(unsafe.Pointer(numReturned)))
 	if r1 == 0 {
 		if e1 != 0 {
@@ -129,7 +171,7 @@ func EvtNext(resultSet EvtHandle, eventArraySize uint32, eventArray *EvtHandle,
 	return
 }
 
-func EvtFormatMessage(publisherMetadata EvtHandle, event EvtHandle, messageID uint32, valueCount uint32, values uintptr, flags EvtFormatMessageFlag, bufferSize uint32, buffer *byte, bufferUsed *uint32) (err error) {
+func (w *windowsEventAPI) EvtFormatMessage(publisherMetadata EvtHandle, event EvtHandle, messageID uint32, valueCount uint32, values uintptr, flags EvtFormatMessageFlag, bufferSize uint32, buffer *byte, bufferUsed *uint32) (err error) {
 	r1, _, e1 := syscall.Syscall9(procEvtFormatMessage.Addr(), 9, uintptr(publisherMetadata), uintptr(event), uintptr(messageID), uintptr(valueCount), uintptr(values), uintptr(flags), uintptr(bufferSize), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(bufferUsed)))
 	if r1 == 0 {
 		if e1 != 0 {
@@ -141,7 +183,7 @@ func EvtFormatMessage(publisherMetadata EvtHandle, event EvtHandle, messageID ui
 	return
 }
 
-func EvtOpenPublisherMetadata(session EvtHandle, publisherIdentity *uint16, logFilePath *uint16, locale uint32, flags uint32) (handle EvtHandle, err error) {
+func (w *windowsEventAPI) EvtOpenPublisherMetadata(session EvtHandle, publisherIdentity *uint16, logFilePath *uint16, locale uint32, flags uint32) (handle EvtHandle, err error) {
 	r0, _, e1 := syscall.Syscall6(procEvtOpenPublisherMetadata.Addr(), 5, uintptr(session), uintptr(unsafe.Pointer(publisherIdentity)), uintptr(unsafe.Pointer(logFilePath)), uintptr(locale), uintptr(flags), 0)
 	handle = EvtHandle(r0)
 	if handle == 0 {