[8.10](backport #36483) winlogbeat/eventlog: ensure event loggers ret…

…ain metric collection when handling recoverable errors (#36517) * winlogbeat/eventlog: ensure event loggers retain metric collection when handling recoverable errors (#36483) When winlogbeat's event loggers encounter recoverable errors they handle this by closing and reopening the channel. This causes the metric collection for the beat and dependent winlog filebeat input to lose metric collection as metric registration only occurs on configuration. So add a soft-close method, Reset, that only closes the channel and leaves the event logger valid, leaving the metrics in tact, and use this for recovering from errors. (cherry picked from commit edc7321) * remove irrelevant changelog line --------- Co-authored-by: Dan Kortschak <[email protected]>
elastic · Sep 9, 2023 · 0d7d436 · 0d7d436
1 parent 9321058
commit 0d7d436
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 8 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -102,6 +102,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Fix panic when redact option is not provided to CEL input. {issue}36387[36387] {pull}36388[36388]
 - Remove 'onFilteredOut' and 'onDroppedOnPublish' callback logs {issue}36299[36299] {pull}36399[36399]
+- Ensure winlog input retains metric collection when handling recoverable errors. {issue}36479[36479] {pull}36483[36483]
 
 *Heartbeat*
 
@@ -136,6 +137,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 
 *Winlogbeat*
 
+- Ensure event loggers retains metric collection when handling recoverable errors. {issue}36479[36479] {pull}36483[36483]
 
 *Elastic Logging Plugin*
 

diff --git a/filebeat/input/winlog/input.go b/filebeat/input/winlog/input.go
@@ -136,15 +136,15 @@ runLoop:
 			records, err := api.Read()
 			if eventlog.IsRecoverable(err) {
 				log.Errorw("Encountered recoverable error when reading from Windows Event Log", "error", err)
-				if closeErr := api.Close(); closeErr != nil {
-					log.Errorw("Error closing Windows Event Log handle", "error", closeErr)
+				if resetErr := api.Reset(); resetErr != nil {
+					log.Errorw("Error resetting Windows Event Log handle", "error", resetErr)
 				}
 				continue runLoop
 			}
 			if !api.IsFile() && eventlog.IsChannelNotFound(err) {
 				log.Errorw("Encountered channel not found error when reading from Windows Event Log", "error", err)
-				if closeErr := api.Close(); closeErr != nil {
-					log.Errorw("Error closing Windows Event Log handle", "error", closeErr)
+				if resetErr := api.Reset(); resetErr != nil {
+					log.Errorw("Error resetting Windows Event Log handle", "error", resetErr)
 				}
 				continue runLoop
 			}

diff --git a/winlogbeat/beater/eventlogger.go b/winlogbeat/beater/eventlogger.go
@@ -177,15 +177,15 @@ runLoop:
 			records, err := api.Read()
 			if eventlog.IsRecoverable(err) {
 				e.log.Warnw("Read() encountered recoverable error. Reopening handle...", "error", err, "channel", api.Channel())
-				if closeErr := api.Close(); closeErr != nil {
-					e.log.Warnw("Close() error.", "error", err)
+				if resetErr := api.Reset(); resetErr != nil {
+					e.log.Warnw("Reset() error.", "error", err)
 				}
 				continue runLoop
 			}
 			if !api.IsFile() && eventlog.IsChannelNotFound(err) {
 				e.log.Warnw("Read() encountered channel not found error for channel %q. Reopening handle...", "error", err, "channel", api.Channel())
-				if closeErr := api.Close(); closeErr != nil {
-					e.log.Warnw("Close() error.", "error", err)
+				if resetErr := api.Reset(); resetErr != nil {
+					e.log.Warnw("Reset() error.", "error", err)
 				}
 				continue runLoop
 			}

diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go
@@ -48,6 +48,11 @@ type EventLog interface {
 	// reading and close the log.
 	Read() ([]Record, error)
 
+	// Reset closes the event log channel to allow recovering from recoverable
+	// errors. Open must be successfully called after a Reset before Read may
+	// be called.
+	Reset() error
+
 	// Close the event log. It should not be re-opened after closing.
 	Close() error
 

diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
@@ -580,6 +580,11 @@ func (l *winEventLog) createBookmarkFromEvent(evtHandle win.EvtHandle) (string,
 	return string(l.outputBuf.Bytes()), err
 }
 
+func (l *winEventLog) Reset() error {
+	debugf("%s Closing handle for reset", l.logPrefix)
+	return win.Close(l.subscription)
+}
+
 func (l *winEventLog) Close() error {
 	debugf("%s Closing handle", l.logPrefix)
 	l.metrics.close()

diff --git a/winlogbeat/eventlog/wineventlog_experimental.go b/winlogbeat/eventlog/wineventlog_experimental.go
@@ -348,9 +348,18 @@ func (l *winEventLogExp) createBookmarkFromEvent(evtHandle win.EvtHandle) (strin
 	return bookmark.XML()
 }
 
+func (l *winEventLogExp) Reset() error {
+	l.log.Debug("Closing event log reader handles for reset.")
+	return l.close()
+}
+
 func (l *winEventLogExp) Close() error {
 	l.log.Debug("Closing event log reader handles.")
 	l.metrics.close()
+	return l.close()
+}
+
+func (l *winEventLogExp) close() error {
 	if l.iterator == nil {
 		return l.renderer.Close()
 	}