SumoLogic · andrzej-stencel · May 11, 2022 · May 4, 2022 · May 4, 2022 · May 4, 2022
@@ -4,6 +4,12 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 This CHANGELOG (now) follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
 
+## Unreleased
+### Added
+- feat: add JSON support to windows sources [#193]
+
+[#193]: https://github.com/SumoLogic/sumologic-collector-chef-cookbook/pull/193
+
 ## [1.6.2] - 2022-01-05
 ### Added
 - added `fields` support to sources (@majormoses) [#189]

@@ -381,6 +381,10 @@ The following attribute parameters are in addition to the generic parameters
 listed above.
 
 - `log_names` - **required**
+- `event_format` - `:legacy` for legacy format or `:json` for JSON format
+- `event_message` - Use with JSON format. `:complete`, `:message` (recommended), or `:metadata` for metadata only.
+- `allowlist` - Available in Collector version 19.351-4 and later. A comma-separated list of event IDs.
+- `denylist` - Available in Collector version 19.351-4 and later. A comma-separated list of event IDs.
 
 ### Examples
 
@@ -391,6 +395,19 @@ sumo_source_local_windows_event_log 'local_win_event_log' do
 end
 ```
 
+Use JSON log format instead of legacy format:
+
+```ruby
+sumo_source_local_windows_event_log 'local_win_event_log' do
+  source_json_directory node['sumologic']['sumo_json_path']
+  log_names ['security', 'application']
+  event_format :json
+  event_message :message
+  allowlist ""
+  denylist ""
+end
+```
+
 sumo_source_remote_file
 ---------
 
@@ -445,7 +462,7 @@ sumo_source_remote_windows_event_log
 See the [Sumo Logic documentation](https://help.sumologic.com/Send_Data/Sources/Use_JSON_to_Configure_Sources)
 for more information about these attributes.
 
-The following attribute parameters are in addition to the generic parameters
+The following attribute parameters are in addition to the generic and [sumo_source_local_windows_event_log](#sumosourcelocalwindowseventlog) parameters
 listed above.
 
 - `domain` - **required**
@@ -467,6 +484,24 @@ sumo_source_remote_windows_event_log 'remote_win_event_log' do
 end
 ```
 
+Use JSON log format instead of legacy format:
+
+```ruby
+sumo_source_remote_windows_event_log 'remote_win_event_log' do
+  source_json_directory node['sumologic']['sumo_json_path']
+  domain 'mydomain'
+  username 'user'
+  password 'password'
+  hosts ['myremotehost1']
+  log_names ['security', 'application']
+  event_format :json
+  event_message :message
+  allowlist ""
+  denylist ""
+
+end
+```
+
 sumo_source_script
 ---------
 

@@ -12,7 +12,7 @@ Vagrant.configure('2') do |config|
   config.disksize.size = '50GB'
   config.vm.box_check_update = false
   config.vm.host_name = 'sumologic-collector-chef-cookbook'
-  config.vm.network :private_network, ip: "192.168.78.46"
+  config.vm.network :private_network, ip: "192.168.56.46"
 
   config.vm.provider 'virtualbox' do |vb|
     vb.gui = false

@@ -2,6 +2,7 @@
 
 require 'chef/provider/lwrp_base'
 require_relative 'provider_source'
+require_relative 'types'
 
 class Chef
   class Provider
@@ -11,6 +12,10 @@ class SumoSourceLocalWindowsEventLog < Chef::Provider::SumoSource
       def config_hash
         hash = super
         hash['source']['logNames'] = new_resource.log_names
+        hash['source']['eventFormat'] = EVENT_FORMAT[new_resource.event_format]
+        hash['source']['eventMessage'] = EVENT_MESSAGE[new_resource.event_message]
+        hash['source']['allowlist'] = new_resource.allowlist
+        hash['source']['denylist'] = new_resource.denylist
         hash
       end
     end

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 require 'chef/provider/lwrp_base'
-require_relative 'provider_source'
+require_relative 'provider_local_win_event_log_source'
 
 class Chef
   class Provider
-    class SumoSourceRemoteWindowsEventLog < Chef::Provider::SumoSource
+    class SumoSourceRemoteWindowsEventLog < Chef::Provider::SumoSourceLocalWindowsEventLog
       provides :sumo_source_remote_windows_event_log if respond_to?(:provides)
 
       def config_hash
@@ -14,7 +14,6 @@ def config_hash
         hash['source']['username'] = new_resource.username
         hash['source']['password'] = new_resource.password
         hash['source']['hosts'] = new_resource.hosts
-        hash['source']['logNames'] = new_resource.log_names
         hash
       end
     end

@@ -2,6 +2,7 @@
 
 require 'chef/resource/lwrp_base'
 require_relative 'resource_source'
+require_relative 'types'
 
 class Chef
   class Resource
@@ -10,6 +11,10 @@ class SumoSourceLocalWindowsEventLog < Chef::Resource::SumoSource
 
       attribute :source_type, kind_of: Symbol, default: :local_windows_event_log, equal_to: [:local_windows_event_log]
       attribute :log_names, kind_of: Array, required: true
+      attribute :event_format, kind_of: Symbol, default: :json, equal_to: EVENT_FORMAT.keys
+      attribute :event_message, kind_of: Symbol, default: :message, equal_to: EVENT_MESSAGE.keys
+      attribute :allowlist, kind_of: String
+      attribute :denylist, kind_of: String
     end
   end
 end
@@ -1,19 +1,18 @@
 # frozen_string_literal: true
 
 require 'chef/resource/lwrp_base'
-require_relative 'resource_source'
+require_relative 'resource_local_win_event_log_source'
 
 class Chef
   class Resource
-    class SumoSourceRemoteWindowsEventLog < Chef::Resource::SumoSource
+    class SumoSourceRemoteWindowsEventLog < Chef::Resource::SumoSourceLocalWindowsEventLog
       provides :sumo_source_remote_windows_event_log if respond_to?(:provides)
 
       attribute :source_type, kind_of: Symbol, default: :remote_windows_event_log, equal_to: [:remote_windows_event_log]
       attribute :domain, kind_of: String, required: true
       attribute :username, kind_of: String, required: true
       attribute :password, kind_of: String, required: true
       attribute :hosts, kind_of: Array, required: true
-      attribute :log_names, kind_of: Array, required: true
     end
   end
 end
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+EVENT_FORMAT = {
+  nil => nil,
+  :legacy => 0,
+  :json => 1
+}.freeze
+
+EVENT_MESSAGE = {
+  nil => nil,
+  :complete => 0,
+  :message => 1,
+  :metadata => 2
+}.freeze
diff --git a/test/fixtures/cookbooks/source-resource/recipes/local_win_event_json_log_create.rb b/test/fixtures/cookbooks/source-resource/recipes/local_win_event_json_log_create.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+sumo_source_local_windows_event_log 'local_win_event_json_log' do
+  source_json_directory node['sumologic']['sumo_json_path']
+  log_names %w[security application]
+
+  event_format :legacy
+  event_message :message
+  allowlist "el1,el2"
+  denylist "el3,el4"
+end
diff --git a/test/fixtures/cookbooks/source-resource/recipes/remote_win_event_json_log_create.rb b/test/fixtures/cookbooks/source-resource/recipes/remote_win_event_json_log_create.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+sumo_source_remote_windows_event_log 'remote_win_event_json_log' do
+  source_json_directory node['sumologic']['sumo_json_path']
+  domain 'mydomain'
+  username 'user'
+  password 'password'
+  hosts ['myremotehost1']
+  log_names %w[security application]
+
+  event_format :legacy
+  event_message :message
+  allowlist "el1,el2"
+  denylist "el3,el4"
+end
diff --git a/test/integration/source-resource/serverspec/local_win_event_json_log_create_spec.rb b/test/integration/source-resource/serverspec/local_win_event_json_log_create_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe file('/etc/sumo.json/local_win_event_json_log.json') do
+  it { is_expected.to exist }
+
+  its(:content) { is_expected.to match(/"eventFormat": 0/) }
+  its(:content) { is_expected.to match(/"eventMessage": 1/) }
+  its(:content) { is_expected.to match(/"allowlist": "el1,el2"/) }
+  its(:content) { is_expected.to match(/"denylist": "el3,el4"/) }
+end
@@ -4,4 +4,9 @@
 
 describe file('/etc/sumo.json/local_win_event_log.json') do
   it { is_expected.to exist }
+
+  its(:content) { is_expected.not_to match(/"eventFormat":/) }
+  its(:content) { is_expected.not_to match(/"eventMessage":/) }
+  its(:content) { is_expected.not_to match(/"allowlist":/) }
+  its(:content) { is_expected.not_to match(/"denylist":/) }
 end
diff --git a/test/integration/source-resource/serverspec/remote_win_event_json_log_create_spec.rb b/test/integration/source-resource/serverspec/remote_win_event_json_log_create_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe file('/etc/sumo.json/remote_win_event_json_log.json') do
+  it { is_expected.to exist }
+
+  its(:content) { is_expected.to match(/"eventFormat": 0/) }
+  its(:content) { is_expected.to match(/"eventMessage": 1/) }
+  its(:content) { is_expected.to match(/"allowlist": "el1,el2"/) }
+  its(:content) { is_expected.to match(/"denylist": "el3,el4"/) }
+end
@@ -4,4 +4,9 @@
 
 describe file('/etc/sumo.json/remote_win_event_log.json') do
   it { is_expected.to exist }
+
+  its(:content) { is_expected.not_to match(/"eventFormat":/) }
+  its(:content) { is_expected.not_to match(/"eventMessage":/) }
+  its(:content) { is_expected.not_to match(/"allowlist":/) }
+  its(:content) { is_expected.not_to match(/"denylist":/) }
 end