CL-Softwares
/
telegraf
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(inputs.win_eventlog): Add option to define event batch-size (#15306)

This commit is contained in:
Sven Rebhan 2024-05-08 12:14:38 -04:00 committed by GitHub
parent 6206693f0c
commit 2072deb34c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
plugins/inputs/win_eventlog/README.md
View File

@ -69,6 +69,9 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
## events will be logged. ## events will be logged.
# from_beginning = false # from_beginning = false
## Number of events to fetch in one batch
# event_batch_size = 5
# Process UserData XML to fields, if this node exists in Event XML # Process UserData XML to fields, if this node exists in Event XML
# process_userdata = true # process_userdata = true
@ -148,6 +151,15 @@ XML Query documentation:
<https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events> <https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events>
## Troubleshooting
In case you see a `Collection took longer than expected` warning, there might
be a burst of events logged and the API is not able to deliver them fast enough
to complete processing within the specified interval. Tweaking the
`event_batch_size` setting might help to mitigate the issue.
The said warning does not indicate data-loss, but you should investige the
amount of events you log.
## Metrics ## Metrics
You can send any field, *System*, *Computed* or *XML* as tag field. List of You can send any field, *System*, *Computed* or *XML* as tag field. List of

3
plugins/inputs/win_eventlog/sample.conf
View File

@ -44,6 +44,9 @@
## events will be logged. ## events will be logged.
# from_beginning = false # from_beginning = false
## Number of events to fetch in one batch
# event_batch_size = 5
# Process UserData XML to fields, if this node exists in Event XML # Process UserData XML to fields, if this node exists in Event XML
# process_userdata = true # process_userdata = true

15
plugins/inputs/win_eventlog/win_eventlog.go
View File

@ -34,6 +34,7 @@ type WinEventLog struct {
EventlogName string `toml:"eventlog_name"` EventlogName string `toml:"eventlog_name"`
Query string `toml:"xpath_query"` Query string `toml:"xpath_query"`
FromBeginning bool `toml:"from_beginning"` FromBeginning bool `toml:"from_beginning"`
BatchSize uint32 `toml:"event_batch_size"`
ProcessUserData bool `toml:"process_userdata"` ProcessUserData bool `toml:"process_userdata"`
ProcessEventData bool `toml:"process_eventdata"` ProcessEventData bool `toml:"process_eventdata"`
Separator string `toml:"separator"` Separator string `toml:"separator"`
@ -57,6 +58,11 @@ func (*WinEventLog) SampleConfig() string {
} }
func (w *WinEventLog) Init() error { func (w *WinEventLog) Init() error {
// Set default for batch-size
if w.BatchSize < 1 {
w.BatchSize = 5
}
w.subscriptionFlag = EvtSubscribeToFutureEvents w.subscriptionFlag = EvtSubscribeToFutureEvents
if w.FromBeginning { if w.FromBeginning {
w.subscriptionFlag = EvtSubscribeStartAtOldestRecord w.subscriptionFlag = EvtSubscribeStartAtOldestRecord
@ -330,15 +336,10 @@ func (w *WinEventLog) evtSubscribe() (EvtHandle, error) {
} }
func (w *WinEventLog) fetchEventHandles(subsHandle EvtHandle) ([]EvtHandle, error) { func (w *WinEventLog) fetchEventHandles(subsHandle EvtHandle) ([]EvtHandle, error) {
var eventsNumber uint32
var evtReturned uint32 var evtReturned uint32
eventsNumber = 5 eventHandles := make([]EvtHandle, w.BatchSize)
if err := _EvtNext(subsHandle, w.BatchSize, &eventHandles[0], 0, 0, &evtReturned); err != nil {
eventHandles := make([]EvtHandle, eventsNumber)
err := _EvtNext(subsHandle, eventsNumber, &eventHandles[0], 0, 0, &evtReturned)
if err != nil {
if errors.Is(err, ERROR_INVALID_OPERATION) && evtReturned == 0 { if errors.Is(err, ERROR_INVALID_OPERATION) && evtReturned == 0 {
return nil, ERROR_NO_MORE_ITEMS return nil, ERROR_NO_MORE_ITEMS
} }