feat(inputs.win_eventlog): Add option to define event batch-size (#15306)

2024-05-08 12:14:38 -04:00 · 2024-05-08 12:14:38 -04:00 · 2072deb34c
parent 6206693f0c
commit 2072deb34c
3 changed files with 23 additions and 7 deletions
--- a/plugins/inputs/win_eventlog/README.md
+++ b/plugins/inputs/win_eventlog/README.md
@ -69,6 +69,9 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
  ## events will be logged.
  # from_beginning = false

+  ## Number of events to fetch in one batch
+  # event_batch_size = 5
+
  # Process UserData XML to fields, if this node exists in Event XML
  # process_userdata = true

@ -148,6 +151,15 @@ XML Query documentation:

 <https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events>

+## Troubleshooting
+
+In case you see a `Collection took longer than expected` warning, there might
+be a burst of events logged and the API is not able to deliver them fast enough
+to complete processing within the specified interval. Tweaking the
+`event_batch_size` setting might help to mitigate the issue.
+The said warning does not indicate data-loss, but you should investige the
+amount of events you log.
+
 ## Metrics

 You can send any field, *System*, *Computed* or *XML* as tag field. List of
--- a/plugins/inputs/win_eventlog/sample.conf
+++ b/plugins/inputs/win_eventlog/sample.conf
@ -44,6 +44,9 @@
  ## events will be logged.
  # from_beginning = false

+  ## Number of events to fetch in one batch
+  # event_batch_size = 5
+
  # Process UserData XML to fields, if this node exists in Event XML
  # process_userdata = true

--- a/plugins/inputs/win_eventlog/win_eventlog.go
+++ b/plugins/inputs/win_eventlog/win_eventlog.go
@ -34,6 +34,7 @@ type WinEventLog struct {
 	EventlogName           string          `toml:"eventlog_name"`
 	Query                  string          `toml:"xpath_query"`
 	FromBeginning          bool            `toml:"from_beginning"`
+	BatchSize              uint32          `toml:"event_batch_size"`
 	ProcessUserData        bool            `toml:"process_userdata"`
 	ProcessEventData       bool            `toml:"process_eventdata"`
 	Separator              string          `toml:"separator"`
@ -57,6 +58,11 @@ func (*WinEventLog) SampleConfig() string {
 }

 func (w *WinEventLog) Init() error {
+	// Set default for batch-size
+	if w.BatchSize < 1 {
+		w.BatchSize = 5
+	}
+
 	w.subscriptionFlag = EvtSubscribeToFutureEvents
 	if w.FromBeginning {
 		w.subscriptionFlag = EvtSubscribeStartAtOldestRecord
@ -330,15 +336,10 @@ func (w *WinEventLog) evtSubscribe() (EvtHandle, error) {
 }

 func (w *WinEventLog) fetchEventHandles(subsHandle EvtHandle) ([]EvtHandle, error) {
-	var eventsNumber uint32
 	var evtReturned uint32

-	eventsNumber = 5
-
-	eventHandles := make([]EvtHandle, eventsNumber)
-
-	err := _EvtNext(subsHandle, eventsNumber, &eventHandles[0], 0, 0, &evtReturned)
-	if err != nil {
+	eventHandles := make([]EvtHandle, w.BatchSize)
+	if err := _EvtNext(subsHandle, w.BatchSize, &eventHandles[0], 0, 0, &evtReturned); err != nil {
 		if errors.Is(err, ERROR_INVALID_OPERATION) && evtReturned == 0 {
 			return nil, ERROR_NO_MORE_ITEMS
 		}