[win32_event_log] Allow optional tagging by event_id

DataDog · Oct 29, 2015 · 97bdbdc · 97bdbdc
1 parent 8dc6607
commit 97bdbdc
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/checks.d/win32_event_log.py b/checks.d/win32_event_log.py
@@ -61,7 +61,8 @@ def check(self, instance):
         # Save any events returned to the payload as Datadog events
         for ev in events:
             log_ev = LogEvent(ev, self.agentConfig.get('api_key', ''),
-                              self.hostname, tags, notify)
+                              self.hostname, tags, notify,
+                              self.init_config.get('tag_event_id', False))
 
             # Since WQL only compares on the date and NOT the time, we have to
             # do a secondary check to make sure events are after the last
@@ -98,7 +99,7 @@ def __init__(self, ltype=None, user=None, source_name=None, log_file=None,
     def to_wql(self):
         ''' Return this query as a WQL string. '''
         wql = """
-        SELECT Message, SourceName, TimeGenerated, Type, User, InsertionStrings
+        SELECT Message, SourceName, TimeGenerated, Type, User, InsertionStrings, EventCode
         FROM Win32_NTLogEvent
         WHERE TimeGenerated >= "%s"
         """ % (self._dt_to_wmi(self.start_ts))
@@ -150,11 +151,11 @@ def _convert_event_types(self, types):
 
 
 class LogEvent(object):
-    def __init__(self, ev, api_key, hostname, tags, notify_list):
+    def __init__(self, ev, api_key, hostname, tags, notify_list, tag_event_id):
         self.event = ev
         self.api_key = api_key
         self.hostname = hostname
-        self.tags = tags
+        self.tags = self._tags(tags, ev.EventCode) if tag_event_id else tags
         self.notify_list = notify_list
         self.timestamp = self._wmi_to_ts(self.event.TimeGenerated)
 
@@ -190,6 +191,14 @@ def _wmi_to_ts(self, wmi_ts):
                       second=second, microsecond=microsecond) + tz_delta
         return int(calendar.timegm(dt.timetuple()))
 
+    def _tags(self, tags, event_code):
+        ''' Inject additional tags into the list already supplied to LogEvent.
+        '''
+        if tags is None:
+            tags = []
+        tags.append("event_id:{event_id}".format(event_id=event_code))
+        return tags
+
     def _msg_title(self, event):
         return '%s/%s' % (event.Logfile, event.SourceName)
 

diff --git a/conf.d/win32_event_log.yaml.example b/conf.d/win32_event_log.yaml.example
@@ -1,4 +1,7 @@
 init_config:
+    # The (optional) tag_event_id setting will add an event id tag to each
+    # event sent from this check. Defaults to false.
+    # tag_event_id: false
 
 instances:
   # Each Event Log instance lets you define the type of events you want to