Add support to access remote logs

procule · March 2, 2017, 3:22am

Hi again,

Following this topic: Winlogbeat.yml should specify the "api" attribute is available

In the Winlogbeat code, "localhost" is hardcoded as the Event Log session/log:

Here for "wineventlog.go":

subscriptionHandle, err := win.Subscribe(
	**0, // Session - nil for localhost**
	signalEvent,
	"",       // Channel - empty b/c channel is in the query
	l.query,  // Query - nil means all events
	bookmark, // Bookmark - for resuming from a specific event
	win.EvtSubscribeStartAfterBookmark)
if err != nil {
	return err
    }

And here for "eventlogging.go":

func (l *eventLogging) Open(recordNumber uint64) error {
	detailf("%s Open(recordNumber=%d) calling OpenEventLog(uncServerPath=, "+
		"providerName=%s)", l.logPrefix, recordNumber, l.name)
handle, err := win.OpenEventLog("", l.name)

It should be possible to specify a remote host since both APIs support it.

I have integrated it so I could create a pull request if you are interested.

O.

steffens · March 2, 2017, 12:59pm

Did you consider opening a pull request?

andrewkroh · March 2, 2017, 6:47pm

If you open a PR I think it would be easier to discuss the changes.

Things I'm most concerned are how can we automate the testing of this and what impact does it have on the registry file. The registry keys are currently based on the log name alone, so having remote logs probably means changes to what's stored in the registry in order to have a unique key.

Error handling is another concern. Are there new errors that need to be handled for things like connection failures.

procule · March 3, 2017, 4:00am

Hi @andrewkroh,

I understand you concerns.

For the tests, I didn't try, but I guess you can specify the UNC path of the local computer in a domain.

For the registry keys, it is related to the QueryEventMessageFiles function in "winlogbeat/sys/eventlogging/eventlogging_windows.go", line 498, last function of the file.

In my case, for now, I had to comment out line 501-539. Remove the 'for' loop at 542 and hardcode "eventMessageFile" to the path of the dll.

That is a quick bypass to make things work but the registry of the remote computer is accessible. However, the EventMessageFile key in the registry is a local path like "c:\.etc\thatdll.dll.". That would need to be changed to a UNC path like "\\remote\c$\.etc\thatdll.dll". I don't konw if the Windows API takes care of that.

As for error handling, the Windows API describes them. They can be integrated.

O.

system · March 31, 2017, 3:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.