in_winevtlog: adds ability to ignore channels missing in Windows Event Log (#6176)

* Additions to in_winevtlog plugin to allow scenarios where one or more channels are missing on Windows Event Log, e.g:

PowerShellCore/Operational needs the proper software installed to  appear under Application and Services Log

Signed-off-by: Meissner Morales <[email protected]>

Author: c0d3fau1t

plugins/in_winevtlog/in_winevtlog.c

@@ -68,7 +68,7 @@ static int in_winevtlog_init(struct flb_input_instance *in,
         tmp = "Application";
     }
 
-    ctx->active_channel = winevtlog_open_all(tmp, ctx->read_existing_events);
+    ctx->active_channel = winevtlog_open_all(tmp, ctx->read_existing_events, ctx->ignore_missing_channels);
     if (!ctx->active_channel) {
         flb_plg_error(ctx->ins, "failed to open channels");
         flb_free(ctx);
@@ -238,6 +238,11 @@ static struct flb_config_map config_map[] = {
       0, FLB_TRUE, offsetof(struct winevtlog_config, use_ansi),
       "Use ANSI encoding on eventlog messages"
     },
+    {
+      FLB_CONFIG_MAP_BOOL, "ignore_missing_channels", "false",
+      0, FLB_TRUE, offsetof(struct winevtlog_config, ignore_missing_channels),
+      "Whether to ignore channels missing in eventlog"
+    },
 
     /* EOF */
     {0}

plugins/in_winevtlog/winevtlog.c

@@ -587,7 +587,7 @@ int winevtlog_read(struct winevtlog_channel *ch, msgpack_packer *mp_pck, struct
  *
  * "channels" are comma-separated names like "Setup,Security".
  */
-struct mk_list *winevtlog_open_all(const char *channels, int read_existing_events)
+struct mk_list *winevtlog_open_all(const char *channels, int read_existing_events, int ignore_missing_channels)
 {
     char *tmp;
     char *channel;
@@ -612,14 +612,30 @@ struct mk_list *winevtlog_open_all(const char *channels, int read_existing_event
     channel = strtok_s(tmp , ",", &state);
     while (channel) {
         ch = winevtlog_subscribe(channel, read_existing_events, NULL);
-        if (!ch) {
-            flb_free(tmp);
-            winevtlog_close_all(list);
-            return NULL;
+        if (ignore_missing_channels) {
+            if (ch) {
+                mk_list_add(&ch->_head, list);
+            }
+            else {
+                flb_debug("[in_winevtlog] channel '%s' does not exist", channel);
+            }             
+        }
+        else {
+            if (!ch) {
+                flb_free(tmp);
+                winevtlog_close_all(list);
+                return NULL;
+            }
         }
-        mk_list_add(&ch->_head, list);
         channel = strtok_s(NULL, ",", &state);
     }
+
+    if (mk_list_size(list) == 0) {
+        flb_free(tmp);
+        winevtlog_close_all(list);
+        return NULL;
+    }
+
     flb_free(tmp);
     return list;
 }

plugins/in_winevtlog/winevtlog.h

@@ -31,6 +31,7 @@ struct winevtlog_config {
     int read_existing_events;
     int render_event_as_xml;
     int use_ansi;
+    int ignore_missing_channels;
 
     struct mk_list *active_channel;
     struct flb_sqldb *db;
@@ -80,7 +81,7 @@ int winevtlog_read(struct winevtlog_channel *ch, msgpack_packer *mp_pck,
  *
  * "channels" are comma-separated names like "Setup,Security".
  */
-struct mk_list *winevtlog_open_all(const char *channels, int read_exising_events);
+struct mk_list *winevtlog_open_all(const char *channels, int read_exising_events, int ignore_missing_channels);
 void winevtlog_close_all(struct mk_list *list);
 
 void winevtlog_pack_xml_event(msgpack_packer *mp_pck, WCHAR *system_xml, WCHAR *message,