diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 882ef6ed30e..3273bc36983 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -23,6 +23,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
+- Fix the ability to use filtering features (e.g. `ignore_older`, `event_id`, `provider`, `level`) while reading `.evtx` files. {issue}16826[16826] {pull}36173[36173]
+
 *Functionbeat*
 ==== Bugfixes
diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
index 77b57603cc6..2c64e60a2c5 100644
--- a/winlogbeat/eventlog/wineventlog.go
+++ b/winlogbeat/eventlog/wineventlog.go
@@ -279,7 +279,7 @@ func (l *winEventLog) openChannel(bookmark win.EvtHandle) error {
 func (l *winEventLog) openFile(state checkpoint.EventLogState, bookmark win.EvtHandle) error {
 	path := l.channelName
-	h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+	h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 	if err != nil {
 		return fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
 	}
diff --git a/winlogbeat/eventlog/wineventlog_experimental.go b/winlogbeat/eventlog/wineventlog_experimental.go
index dd80096a4b6..4c5c0ee4883 100644
--- a/winlogbeat/eventlog/wineventlog_experimental.go
+++ b/winlogbeat/eventlog/wineventlog_experimental.go
@@ -152,7 +152,7 @@ func (l *winEventLogExp) openChannel(bookmark win.Bookmark) (win.EvtHandle, erro
 func (l *winEventLogExp) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) {
 	path := l.channelName
-	h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+	h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 	if err != nil {
 		return win.NilHandle, fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
 	}
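Review bot: With `l.query` now passed to win.EvtQuery in openFile, the error returned on the following line can be caused by a rejected filter expression rather than by the file, yet the message still names only the path; include the query so a bad `event_id`/`provider`/`level` configuration is diagnosable from the log, e.g. `return fmt.Errorf("failed to get handle to event log file %v with query %q: %w", path, l.query, err)`. The mirrored hunk in wineventlog_experimental.go has the same gap and would take the same change on its `return win.NilHandle, fmt.Errorf(...)` line. Both hunks also rely on `l.query` having been built before openFile runs, which is not visible here; a one-line comment on the call such as `// l.query holds the filters built from the reader config; the previous "" argument read every event unfiltered` would record that contract, to be confirmed against the constructor. openFile's body continues outside the hunk in both files.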
@@ -187,7 +187,7 @@ func (l *winEventLogExp) openFile(state checkpoint.EventLogState, bookmark win.B
 }
 func (l *winEventLogExp) Read() ([]Record, error) {
-	var records []Record
+	var records []Record //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive.
 	for h, ok := l.iterator.Next(); ok; h, ok = l.iterator.Next() {
 		record, err := l.processHandle(h)
diff --git a/winlogbeat/eventlog/wineventlog_test.go b/winlogbeat/eventlog/wineventlog_test.go
index da67c61b3e1..694810b6b68 100644
--- a/winlogbeat/eventlog/wineventlog_test.go
+++ b/winlogbeat/eventlog/wineventlog_test.go
@@ -276,6 +276,7 @@ func testWindowsEventLog(t *testing.T, api string) {
 		assert.Equal(t, totalEvents, eventCount)
 	})
+	// Test reading .evtx file without any query filters
 	t.Run("evtx_file", func(t *testing.T) {
 		path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
 		if err != nil {
@@ -301,6 +302,34 @@ func testWindowsEventLog(t *testing.T, api string) {
 		assert.Len(t, records, 32)
 	})
+
+	// Test reading .evtx file with event_id filter
+	t.Run("evtx_file_with_query", func(t *testing.T) {
+		path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		log := openLog(t, map[string]interface{}{
+			"name": path,
+			"no_more_events": "stop",
+			"event_id": "3, 5",
+		})
+		defer log.Close()
+
+		records, err := log.Read()
+
+		// This implementation returns the EOF on the next call.
+		if err == nil && api == winEventLogAPIName {
+			_, err = log.Read()
+		}
+
+		if assert.Error(t, err, "no_more_events=stop requires io.EOF to be returned") {
+			assert.Equal(t, io.EOF, err)
+		}
+
+		assert.Len(t, records, 21)
+	})
 }
 // ---- Utility Functions -----
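Review bot: The new `evtx_file_with_query` sub-test pins the fix only through `assert.Len(t, records, 21)`, which shows the query changed the result set but not that it selected on the configured IDs, so a fixture change or a differently wrong query that happens to yield 21 records would still pass. Add a loop over `records` asserting each event's ID is 3 or 5; the Record field that carries the ID is not visible in this hunk, so read it the way the other tests in this file do. The fixture path, the `// This implementation returns the EOF on the next call.` block and the EOF assertions are duplicated from the `evtx_file` case above; a small helper taking the config map and expected count would keep the two cases from drifting. The enclosing testWindowsEventLog function starts outside the hunk.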