Add support for event language selection from config file (#19818)

* Add support for event language selection from config file * fix - set default value of the EventLanguage variable in the winlogbeat/eventlog/eventlogging.go file * fix mistakes made during upstream merge * move entry in changelog to the end of the section and add reference to pull request id * Add default value and docs * Make suggested changes Co-authored-by: Marc Guasch <[email protected]> (cherry picked from commit 2f880d2)
elastic · Sep 22, 2021 · a88af78 · a88af78
1 parent dcdc9bf
commit a88af78
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 3 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -515,6 +515,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Set process.command_line and process.parent.command_line from Sysmon Event ID 1. {pull}17327[17327]
 - Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517]
 - Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058]
+- Add support for event language selection from config file {pull}19818[19818]
 
 *Elastic Log Driver*
 

diff --git a/winlogbeat/docs/modules.asciidoc b/winlogbeat/docs/modules.asciidoc
@@ -22,6 +22,9 @@ a `script` processor to your configuration file and point it at the included
 script file for the module. The documentation for each module includes an
 example.
 
+NOTE: The provided modules only support events in English. For more information
+about how to configure the language in `winlogbeat`, refer to <<configuration-winlogbeat-options>>.
+
 [float]
 === Usage with Forwarded Events
 
@@ -34,6 +37,7 @@ script processors that are guarded by a conditional `when` statement.
 winlogbeat.event_logs:
 - name: ForwardedEvents
   tags: [forwarded]
+  language: 0x0409 # en-US
   processors:
     - script:
         when.equals.winlog.channel: Security

diff --git a/winlogbeat/docs/winlogbeat-options.asciidoc b/winlogbeat/docs/winlogbeat-options.asciidoc
@@ -232,6 +232,21 @@ winlogbeat.event_logs:
 
 =======================================
 
+[float]
+==== `event_logs.language`
+
+The language ID the events will be rendered in. The language will be forced regardless
+of the system language. A complete list of language IDs can be found
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here].
+It defaults to `0`, which indicates to use the system language.
+
+[source,yaml]
+--------------------------------------------------------------------------------
+winlogbeat.event_logs:
+  - name: Security
+    event_id: 4624, 4625, 4700-4800, -4735
+    language: 0x0409 # en-US
+--------------------------------------------------------------------------------
 
 [float]
 ==== `event_logs.level`

diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
@@ -60,6 +60,7 @@ type winEventLogConfig struct {
 	Forwarded     *bool              `config:"forwarded"`
 	SimpleQuery   query              `config:",inline"`
 	NoMoreEvents  NoMoreEventsAction `config:"no_more_events"` // Action to take when no more events are available - wait or stop.
+	EventLanguage uint32             `config:"language"`
 }
 
 // NoMoreEventsAction defines what action for the reader to take when
@@ -390,7 +391,7 @@ func newWinEventLog(options *common.Config) (EventLog, error) {
 
 	eventMetadataHandle := func(providerName, sourceName string) sys.MessageFiles {
 		mf := sys.MessageFiles{SourceName: sourceName}
-		h, err := win.OpenPublisherMetadata(0, sourceName, 0)
+		h, err := win.OpenPublisherMetadata(0, sourceName, c.EventLanguage)
 		if err != nil {
 			mf.Err = err
 			return mf
@@ -431,7 +432,7 @@ func newWinEventLog(options *common.Config) (EventLog, error) {
 		}
 	default:
 		l.render = func(event win.EvtHandle, out io.Writer) error {
-			return win.RenderEvent(event, 0, l.renderBuf, l.cache.get, out)
+			return win.RenderEvent(event, c.EventLanguage, l.renderBuf, l.cache.get, out)
 		}
 	}
 

diff --git a/winlogbeat/sys/wineventlog/wineventlog_windows.go b/winlogbeat/sys/wineventlog/wineventlog_windows.go
@@ -384,7 +384,7 @@ func FormatEventString(
 	// Open a publisher handle if one was not provided.
 	ph := publisherHandle
 	if ph == 0 {
-		ph, err := OpenPublisherMetadata(0, publisher, 0)
+		ph, err := OpenPublisherMetadata(0, publisher, lang)
 		if err != nil {
 			return err
 		}