Commit

Fallback to LevelRaw if Level is not in the RenderingInfo of the XML …
…event (elastic#4257)

If the Level is not in the RenderingInfo section of the event, fallback on the raw level. Applies to Windows Vista and above only.

https://discuss.elastic.co/t/event-fields-missing-if-renderinginfo-is-empty/84709
LucasArona authored and andrewkroh committed May 10, 2017
1 parent e6d84e1 commit c18adce
Showing 3 changed files with 36 additions and 1 deletion.
3 changes: 2 additions & 1 deletion CHANGELOG.asciidoc
Expand Up @@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v5.3.0...master[Check the HEAD diff]
*Packetbeat*

*Winlogbeat*
- Add the ability to use LevelRaw if Level isn't populated in the event XML. {pull}4257[4257]

==== Deprecated

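Review bot: The changelog entry does not mention that the fallback applies only to Windows Vista and later, which the commit message states explicitly; suggest wording it as `- Add the ability to use LevelRaw if Level isn't populated in the event XML (Windows Vista and later). {pull}4257[4257]` so readers of the release notes know which event log API path is affected.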
Expand All @@ -73,7 +74,7 @@ https://github.com/elastic/beats/compare/v5.3.0...master[Check the HEAD diff]

*Winlogbeat*

==== Knwon Issue
==== Known Issue

*Affecting all Beats*

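Review bot: The `Knwon` to `Known` heading fix is unrelated to the LevelRaw fallback; it is fine to keep, but it should be called out in the commit message (or split into its own commit) so the change set stays scoped to what the title describes.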
5 changes: 5 additions & 0 deletions winlogbeat/eventlog/wineventlog.go
Expand Up @@ -216,6 +216,11 @@ func (l *winEventLog) buildRecordFromXML(x []byte, recoveredErr error) (Record,
e.RenderErr = recoveredErr.Error()
}

if e.Level == "" {
// Fallback on LevelRaw if the Level is not set in the RenderingInfo.
e.Level = win.EventLevel(e.LevelRaw).String()
}

if logp.IsDebug(detailSelector) {
detailf("%s XML=%s Event=%+v", l.logPrefix, string(x), e)
}
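Review bot: The fallback at `if e.Level == ""` only recovers a value when LevelRaw maps to one of the six entries in EventLevelToString; for any other LevelRaw, `win.EventLevel(e.LevelRaw).String()` returns the map's zero value, so Level is still "" and there is no trace of why. Suggest that the fallback end in a numeric representation (e.g. `strconv.Itoa(int(e.LevelRaw))`) rather than an empty string, and emit a `detailf` line when the fallback fires so an operator troubleshooting missing fields can see it was applied.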
29 changes: 29 additions & 0 deletions winlogbeat/sys/wineventlog/syscall_windows.go
Expand Up @@ -194,6 +194,35 @@ func (e EvtSystemPropertyID) String() string {
return s
}

// EventLevel identifies the six levels of events that can be logged
type EventLevel uint16

// EventLevel values.
const (
// Do not reorder.
EVENTLOG_LOGALWAYS_LEVEL EventLevel = iota
EVENTLOG_CRITICAL_LEVEL
EVENTLOG_ERROR_LEVEL
EVENTLOG_WARNING_LEVEL
EVENTLOG_INFORMATION_LEVEL
EVENTLOG_VERBOSE_LEVEL
)

// Mapping of event levels to their string representations.
var EventLevelToString = map[EventLevel]string{
EVENTLOG_LOGALWAYS_LEVEL: "Information",
EVENTLOG_INFORMATION_LEVEL: "Information",
EVENTLOG_CRITICAL_LEVEL: "Critical",
EVENTLOG_ERROR_LEVEL: "Error",
EVENTLOG_WARNING_LEVEL: "Warning",
EVENTLOG_VERBOSE_LEVEL: "Verbose",
}

// String returns string representation of EventLevel.
func (et EventLevel) String() string {
return EventLevelToString[et]
}

// Add -trace to enable debug prints around syscalls.
//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -output zsyscall_windows.go syscall_windows.go

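Review bot: `String()` returns "" for any EventLevel that is not a key in EventLevelToString, because the map lookup yields the zero value; suggest `if s, ok := EventLevelToString[et]; ok { return s }` followed by `return strconv.Itoa(int(et))` so callers never receive an empty string for an unlisted level. Also, the doc comment says "six levels" while both EVENTLOG_LOGALWAYS_LEVEL and EVENTLOG_INFORMATION_LEVEL map to "Information"; if that collapse is intentional (it matches how Event Viewer displays level 0), a one-line comment saying so would save the next reader a question.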

0 comments on commit c18adce
