diff --git a/pkg/stanza/operator/input/windows/event.go b/pkg/stanza/operator/input/windows/event.go index 344eee57b905..f833fb8803fd 100644 --- a/pkg/stanza/operator/input/windows/event.go +++ b/pkg/stanza/operator/input/windows/event.go @@ -139,29 +139,6 @@ func (e *Event) Close() error { return nil } -func (e *Event) RenderRaw(buffer Buffer) (EventRaw, error) { - if e.handle == 0 { - return EventRaw{}, fmt.Errorf("event handle does not exist") - } - - bufferUsed, err := evtRender(0, e.handle, EvtRenderEventXML, buffer.SizeBytes(), buffer.FirstByte()) - if errors.Is(err, ErrorInsufficientBuffer) { - // If the bufferUsed is 0 return an error as we don't want to make a recursive call with no buffer - if *bufferUsed == 0 { - return EventRaw{}, errUnknownNextFrame - } - - buffer.UpdateSizeBytes(*bufferUsed) - return e.RenderRaw(buffer) - } - bytes, err := buffer.ReadBytes(*bufferUsed) - if err != nil { - return EventRaw{}, fmt.Errorf("failed to read bytes from buffer: %w", err) - } - - return unmarshalEventRaw(bytes) -} - // NewEvent will create a new event from an event handle. func NewEvent(handle uintptr) Event { return Event{ diff --git a/pkg/stanza/operator/input/windows/input.go b/pkg/stanza/operator/input/windows/input.go index 9fd525dcaa76..b4a9337ea073 100644 --- a/pkg/stanza/operator/input/windows/input.go +++ b/pkg/stanza/operator/input/windows/input.go @@ -232,8 +232,6 @@ func (i *Input) read(ctx context.Context) int { // processEvent will process and send an event retrieved from windows event log. func (i *Input) processEvent(ctx context.Context, event Event) { - remoteServer := i.remote.Server - var providerName string // The provider name is only retrieved if needed. if !i.raw || len(i.excludeProviders) > 0 { var err error @@ -253,13 +251,12 @@ func (i *Input) processEvent(ctx context.Context, event Event) { } if i.raw { - rawEvent, err := event.RenderRaw(i.buffer) + rawEvent, err := event.RenderSimple(i.buffer) if err != nil { i.Logger().Error("Failed to render raw event", zap.Error(err)) return } - rawEvent.RemoteServer = remoteServer i.sendEventRaw(ctx, rawEvent) return } @@ -275,7 +272,6 @@ func (i *Input) processEvent(ctx context.Context, event Event) { if publisher.Valid() { formattedEvent, err := event.RenderFormatted(i.buffer, publisher) if err == nil { - formattedEvent.RemoteServer = remoteServer i.sendEvent(ctx, formattedEvent) return } @@ -290,7 +286,6 @@ func (i *Input) processEvent(ctx context.Context, event Event) { return } - simpleEvent.RemoteServer = remoteServer i.sendEvent(ctx, simpleEvent) } @@ -309,9 +304,8 @@ func (i *Input) sendEvent(ctx context.Context, eventXML EventXML) { } // sendEventRaw will send EventRaw as an entry to the operator's output. -func (i *Input) sendEventRaw(ctx context.Context, eventRaw EventRaw) { - body := eventRaw.parseBody() - entry, err := i.NewEntry(body) +func (i *Input) sendEventRaw(ctx context.Context, eventRaw EventXML) { + entry, err := i.NewEntry(eventRaw.Original) if err != nil { i.Logger().Error("Failed to create entry", zap.Error(err)) return diff --git a/pkg/stanza/operator/input/windows/raw.go b/pkg/stanza/operator/input/windows/raw.go deleted file mode 100644 index 7a489b4b1be0..000000000000 --- a/pkg/stanza/operator/input/windows/raw.go +++ /dev/null @@ -1,78 +0,0 @@ -// Copyright The OpenTelemetry Authors -// SPDX-License-Identifier: Apache-2.0 - -package windows // import "github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/input/windows" - -import ( - "encoding/xml" - "fmt" - "time" - - "github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/entry" -) - -// EventRaw is the rendered xml of an event, however, its message is the original XML of the entire event. -type EventRaw struct { - TimeCreated TimeCreated `xml:"System>TimeCreated"` - RenderedLevel string `xml:"RenderingInfo>Level"` - Level string `xml:"System>Level"` - Body string `xml:"-"` - RemoteServer string `xml:"RemoteServer,omitempty"` -} - -// parseTimestamp will parse the timestamp of the event. -func (e *EventRaw) parseTimestamp() time.Time { - if timestamp, err := time.Parse(time.RFC3339Nano, e.TimeCreated.SystemTime); err == nil { - return timestamp - } - return time.Now() -} - -// parseRenderedSeverity will parse the severity of the event. -func (e *EventRaw) parseRenderedSeverity() entry.Severity { - switch e.RenderedLevel { - case "": - return e.parseSeverity() - case "Critical": - return entry.Fatal - case "Error": - return entry.Error - case "Warning": - return entry.Warn - case "Information": - return entry.Info - default: - return entry.Default - } -} - -// parseSeverity will parse the severity of the event when RenderingInfo is not populated -func (e *EventRaw) parseSeverity() entry.Severity { - switch e.Level { - case "1": - return entry.Fatal - case "2": - return entry.Error - case "3": - return entry.Warn - case "4": - return entry.Info - default: - return entry.Default - } -} - -// parseBody will parse a body from the event. -func (e *EventRaw) parseBody() string { - return e.Body -} - -// unmarshalEventRaw will unmarshal EventRaw from xml bytes. -func unmarshalEventRaw(bytes []byte) (EventRaw, error) { - var eventRaw EventRaw - if err := xml.Unmarshal(bytes, &eventRaw); err != nil { - return EventRaw{}, fmt.Errorf("failed to unmarshal xml bytes into event: %w (%s)", err, string(bytes)) - } - eventRaw.Body = string(bytes) - return eventRaw, nil -} diff --git a/pkg/stanza/operator/input/windows/raw_test.go b/pkg/stanza/operator/input/windows/raw_test.go deleted file mode 100644 index 10e36d9154ee..000000000000 --- a/pkg/stanza/operator/input/windows/raw_test.go +++ /dev/null @@ -1,93 +0,0 @@ -// Copyright The OpenTelemetry Authors -// SPDX-License-Identifier: Apache-2.0 - -package windows - -import ( - "os" - "path/filepath" - "testing" - "time" - - "github.com/stretchr/testify/require" - - "github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/entry" -) - -func TestParseValidTimestampRaw(t *testing.T) { - raw := EventRaw{ - TimeCreated: TimeCreated{ - SystemTime: "2020-07-30T01:01:01.123456789Z", - }, - } - timestamp := raw.parseTimestamp() - expected, _ := time.Parse(time.RFC3339Nano, "2020-07-30T01:01:01.123456789Z") - require.Equal(t, expected, timestamp) -} - -func TestParseInvalidTimestampRaw(t *testing.T) { - raw := EventRaw{ - TimeCreated: TimeCreated{ - SystemTime: "invalid", - }, - } - timestamp := raw.parseTimestamp() - require.Equal(t, time.Now().Year(), timestamp.Year()) - require.Equal(t, time.Now().Month(), timestamp.Month()) - require.Equal(t, time.Now().Day(), timestamp.Day()) -} - -func TestParseSeverityRaw(t *testing.T) { - rawRenderedCritical := EventRaw{RenderedLevel: "Critical"} - rawRenderedError := EventRaw{RenderedLevel: "Error"} - rawRenderedWarning := EventRaw{RenderedLevel: "Warning"} - rawRenderedInformation := EventRaw{RenderedLevel: "Information"} - rawRenderedUnknown := EventRaw{RenderedLevel: "Unknown"} - rawCritical := EventRaw{Level: "1"} - rawError := EventRaw{Level: "2"} - rawWarning := EventRaw{Level: "3"} - rawInformation := EventRaw{Level: "4"} - rawUnknown := EventRaw{Level: "0"} - require.Equal(t, entry.Fatal, rawRenderedCritical.parseRenderedSeverity()) - require.Equal(t, entry.Error, rawRenderedError.parseRenderedSeverity()) - require.Equal(t, entry.Warn, rawRenderedWarning.parseRenderedSeverity()) - require.Equal(t, entry.Info, rawRenderedInformation.parseRenderedSeverity()) - require.Equal(t, entry.Default, rawRenderedUnknown.parseRenderedSeverity()) - require.Equal(t, entry.Fatal, rawCritical.parseRenderedSeverity()) - require.Equal(t, entry.Error, rawError.parseRenderedSeverity()) - require.Equal(t, entry.Warn, rawWarning.parseRenderedSeverity()) - require.Equal(t, entry.Info, rawInformation.parseRenderedSeverity()) - require.Equal(t, entry.Default, rawUnknown.parseRenderedSeverity()) -} - -func TestParseBodyRaw(t *testing.T) { - raw := EventRaw{ - Body: "foo", - } - - require.Equal(t, "foo", raw.parseBody()) -} - -func TestInvalidUnmarshalRaw(t *testing.T) { - _, err := unmarshalEventRaw([]byte("Test \n Invalid \t Unmarshal")) - require.Error(t, err) - -} - -func TestUnmarshalRaw(t *testing.T) { - data, err := os.ReadFile(filepath.Join("testdata", "xmlSample.xml")) - require.NoError(t, err) - - event, err := unmarshalEventRaw(data) - require.NoError(t, err) - - raw := EventRaw{ - TimeCreated: TimeCreated{ - SystemTime: "2022-04-22T10:20:52.3778625Z", - }, - Level: "4", - Body: string(data), - } - - require.Equal(t, raw, event) -} diff --git a/pkg/stanza/operator/input/windows/xml.go b/pkg/stanza/operator/input/windows/xml.go index dcfe4199f35c..1ef1cccfe820 100644 --- a/pkg/stanza/operator/input/windows/xml.go +++ b/pkg/stanza/operator/input/windows/xml.go @@ -13,6 +13,7 @@ import ( // EventXML is the rendered xml of an event. type EventXML struct { + Original string `xml:"-"` EventID EventID `xml:"System>EventID"` Provider Provider `xml:"System>Provider"` Computer string `xml:"System>Computer"` @@ -180,15 +181,6 @@ func parseEventData(eventData EventData) map[string]any { return outputMap } -// unmarshalEventXML will unmarshal EventXML from xml bytes. -func unmarshalEventXML(bytes []byte) (EventXML, error) { - var eventXML EventXML - if err := xml.Unmarshal(bytes, &eventXML); err != nil { - return EventXML{}, fmt.Errorf("failed to unmarshal xml bytes into event: %w (%s)", err, string(bytes)) - } - return eventXML, nil -} - // EventID is the identifier of the event. type EventID struct { Qualifiers uint16 `xml:"Qualifiers,attr"` @@ -267,3 +259,13 @@ func (e Execution) asMap() map[string]any { return result } + +// unmarshalEventXML will unmarshal EventXML from xml bytes. +func unmarshalEventXML(bytes []byte) (EventXML, error) { + var eventXML EventXML + if err := xml.Unmarshal(bytes, &eventXML); err != nil { + return EventXML{}, fmt.Errorf("failed to unmarshal xml bytes into event: %w (%s)", err, string(bytes)) + } + eventXML.Original = string(bytes) + return eventXML, nil +} diff --git a/pkg/stanza/operator/input/windows/xml_test.go b/pkg/stanza/operator/input/windows/xml_test.go index 622cc99eb053..05bb47dd49bb 100644 --- a/pkg/stanza/operator/input/windows/xml_test.go +++ b/pkg/stanza/operator/input/windows/xml_test.go @@ -479,6 +479,7 @@ func TestUnmarshalWithEventData(t *testing.T) { {Name: "Source", Value: "RulesEngine"}}, }, Keywords: []string{"0x80000000000000"}, + Original: string(data), } require.Equal(t, xml, event) @@ -516,6 +517,7 @@ func TestUnmarshalWithAnonymousEventDataEntries(t *testing.T) { Keywords: []string{"0x80000000000000"}, Security: &Security{}, Execution: &Execution{}, + Original: string(data), } require.Equal(t, xml, event) @@ -554,6 +556,7 @@ func TestUnmarshalWithUserData(t *testing.T) { ProcessID: 1472, ThreadID: 7784, }, + Original: string(data), } require.Equal(t, xml, event)