Adds new Eventlog data provider

LordHepipud · LordHepipud · commit f77bb86dac11 · 2024-02-14T11:17:13.000+01:00
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -14,6 +14,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 ### Enhancements
 
 * [#679](https://github.com/Icinga/icinga-powershell-framework/pull/679) Adds a new data provider for fetching process information of Windows systems, while sorting all objects based on a process name and their process id
+* [#682](https://github.com/Icinga/icinga-powershell-framework/pull/682) Adds new data provider for fetching Eventlog information to increase performance and reduce memory impact
 
 ## 1.11.2 (tbd)
 
diff --git a/lib/provider/core/Get-IcingaProviderFilterData.psm1 b/lib/provider/core/Get-IcingaProviderFilterData.psm1
@@ -0,0 +1,24 @@
+function Get-IcingaProviderFilterData()
+{
+    param (
+        [string]$ProviderName      = '',
+        [hashtable]$ProviderFilter = @()
+    );
+
+    [hashtable]$FilterResult = @{ };
+
+    foreach ($filterObject in $ProviderFilter.Keys) {
+        if ($filterObject.ToLower() -ne $ProviderName.ToLower()) {
+            continue;
+        }
+
+        if ($FilterResult.ContainsKey($filterObject) -eq $FALSE) {
+            $FilterResult.Add(
+                $filterObject,
+                (New-IcingaProviderFilterObject -ProviderName $ProviderName -HashtableFilter $ProviderFilter[$filterObject])
+            );
+        }
+    }
+
+    return $FilterResult;
+}
diff --git a/lib/provider/core/New-IcingaProviderFilterObject.psm1 b/lib/provider/core/New-IcingaProviderFilterObject.psm1
@@ -0,0 +1,39 @@
+function New-IcingaProviderFilterObject()
+{
+    param (
+        [string]$ProviderName       = '',
+        [hashtable]$HashtableFilter = @{ }
+    );
+
+    if ([string]::IsNullOrEmpty($ProviderName)) {
+        return @{ };
+    }
+
+    [array]$ProviderFilterCmdlet = Get-Command ([string]::Format('New-IcingaProviderFilterData{0}', $ProviderName)) -ErrorAction SilentlyContinue;
+
+    if ($null -eq $ProviderFilterCmdlet -Or $ProviderFilterCmdlet.Count -eq 0) {
+        return @{ };
+    }
+
+    if ((Test-IcingaForWindowsCmdletLoader -Path $ProviderFilterCmdlet[0].Module.ModuleBase) -eq $FALSE) {
+        return @{ };
+    }
+
+    $FilterResult = & $ProviderFilterCmdlet[0].Name @HashtableFilter;
+
+    [string]$ObjectName = $ProviderName;
+    $CmdHelp            = Get-Help ($ProviderFilterCmdlet[0].Name) -ErrorAction SilentlyContinue;
+
+    if ($null -ne $CmdHelp) {
+        if ([string]::IsNullOrEmpty($CmdHelp.Role) -eq $FALSE) {
+            [string]$ObjectName = [string]($CmdHelp.Role);
+        }
+    }
+
+    $CmdHelp              = $null;
+    $ProviderFilterCmdlet = $null;
+
+    return @{
+        $ObjectName = $FilterResult;
+    };
+}
diff --git a/lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1 b/lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1
@@ -0,0 +1,28 @@
+function Add-IcingaProviderEventlogFilterData()
+{
+    param(
+        [string]$EventFilter = '',
+        $StringBuilderObject = $null
+    );
+
+    if ($null -eq $StringBuilderObject -Or $StringBuilderObject.Length -eq 0) {
+        return $EventFilter;
+    }
+
+    [string]$NewStringEntry = $StringBuilderObject.ToString();
+
+    $StringBuilderObject.Clear();
+    $StringBuilderObject = $null;
+
+    if ([string]::IsNullOrEmpty($NewStringEntry)) {
+        return $EventFilter;
+    }
+
+    if ([string]::IsNullOrEmpty($EventFilter)) {
+        return $NewStringEntry;
+    }
+
+    [string]$EventFilter = [string]::Format('{0} and {1}', $EventFilter, $NewStringEntry);
+
+    return $EventFilter;
+}
diff --git a/lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1 b/lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1
@@ -0,0 +1,20 @@
+function Get-IcingaProviderDataValuesEventlog()
+{
+    param (
+        [array]$IncludeFilter      = @(),
+        [array]$ExcludeFilter      = @(),
+        [hashtable]$ProviderFilter = @(),
+        [switch]$IncludeDetails    = $FALSE
+    );
+
+    $EventlogData            = New-IcingaProviderObject -Name 'Eventlog';
+    [hashtable]$FilterObject = Get-IcingaProviderFilterData -ProviderName 'Eventlog' -ProviderFilter $ProviderFilter;
+
+    $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'List'      -Value $FilterObject.EventLog.Query.List;
+    $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'Events'    -Value $FilterObject.EventLog.Query.Events;
+    $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'HasEvents' -Value $FilterObject.EventLog.Query.HasEvents;
+
+    $FilterObject = $null;
+
+    return $EventlogData;
+}
diff --git a/lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1 b/lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1
@@ -0,0 +1,258 @@
+<#
+.ROLE
+    Query
+#>
+
+function New-IcingaProviderFilterDataEventlog()
+{
+    param(
+        [string]$LogName          = '',
+        [array]$IncludeEventId    = @(),
+        [array]$ExcludeEventId    = @(),
+        [array]$IncludeUsername   = @(),
+        [array]$ExcludeUsername   = @(),
+        [array]$IncludeEntryType  = @(),
+        [array]$ExcludeEntryType  = @(),
+        [array]$IncludeMessage    = @(),
+        [array]$ExcludeMessage    = @(),
+        [array]$IncludeSource     = @(),
+        [array]$ExcludeSource     = @(),
+        [string]$EventsAfter      = $null,
+        [string]$EventsBefore     = $null,
+        [int]$MaxEntries          = 40000,
+        [switch]$DisableTimeCache = $FALSE
+    );
+
+    [string]$EventLogFilter = '';
+    $EventIdFilter          = New-Object -TypeName 'System.Text.StringBuilder';
+    $EntryTypeFilter        = New-Object -TypeName 'System.Text.StringBuilder';
+    $SourceFilter           = New-Object -TypeName 'System.Text.StringBuilder';
+    $UserFilter             = New-Object -TypeName 'System.Text.StringBuilder';
+    $TimeFilter             = New-Object -TypeName 'System.Text.StringBuilder';
+    $EventAfterFilter       = $null;
+    $EventBeforeFilter      = $null;
+    $EventsAfter            = (Convert-IcingaPluginThresholds -Threshold $EventsAfter).Value;
+    $EventsBefore           = (Convert-IcingaPluginThresholds -Threshold $EventsBefore).Value;
+    [string]$CheckHash      = (Get-StringSha1 ($LogName + $IncludeEventId + $ExcludeEventId + $IncludeUsername + $ExcludeUsername + $IncludeEntryType + $ExcludeEntryType + $IncludeMessage + $ExcludeMessage)) + '.lastcheck';
+
+    if ([string]::IsNullOrEmpty($EventsAfter) -and $DisableTimeCache -eq $FALSE) {
+        $time = Get-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash;
+        Set-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash -Value ((Get-Date).ToFileTime());
+
+        if ($null -ne $time) {
+            $EventAfterFilter = ([datetime]::FromFileTime($time)).ToString("yyyy-MM-dd HH:mm:ss");
+        }
+    }
+
+    # In case we are not having cached time execution and not have not overwritten the timestamp, only fetch values from 2 hours in the past
+    if ([string]::IsNullOrEmpty($EventAfterFilter)) {
+        if ([string]::IsNullOrEmpty($EventsAfter)) {
+            [string]$EventAfterFilter = ([datetime]::Now.Subtract([TimeSpan]::FromHours(2))).ToString("yyyy-MM-dd HH:mm:ss");
+        } else {
+            if ((Test-Numeric $EventsAfter)) {
+                [string]$EventAfterFilter = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($EventsAfter))).ToString('yyyy\/MM\/dd HH:mm:ss');
+            } else {
+                [string]$EventAfterFilter = $EventsAfter;
+            }
+        }
+    }
+
+    if ([string]::IsNullOrEmpty($EventsBefore) -eq $FALSE) {
+        if ((Test-Numeric $EventsBefore)) {
+            [string]$EventBeforeFilter = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($EventsBefore))).ToString("yyyy-MM-dd HH:mm:ss");
+        } else {
+            [string]$EventBeforeFilter = $EventsBefore;
+        }
+    } else {
+        [string]$EventBeforeFilter = ([datetime]::FromFileTime(((Get-Date).ToFileTime()))).ToString("yyyy-MM-dd HH:mm:ss");
+    }
+
+    foreach ($entry in $IncludeEventId) {
+        if ($EventIdFilter.Length -ne 0) {
+            $EventIdFilter.Append(
+                ([string]::Format(' and EventID={0}', $entry))
+            ) | Out-Null;
+        } else {
+            $EventIdFilter.Append(
+                ([string]::Format('EventID={0}', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeEventId) {
+        if ($EventIdFilter.Length -ne 0) {
+            $EventIdFilter.Append(
+                ([string]::Format(' and EventID!={0}', $entry))
+            ) | Out-Null;
+        } else {
+            $EventIdFilter.Append(
+                ([string]::Format('EventID!={0}', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $IncludeEntryType) {
+        [string]$EntryId = $ProviderEnums.EventLogSeverity[$entry];
+        if ($EntryTypeFilter.Length -ne 0) {
+            $EntryTypeFilter.Append(
+                ([string]::Format(' and Level={0}', $EntryId))
+            ) | Out-Null;
+        } else {
+            $EntryTypeFilter.Append(
+                ([string]::Format('Level={0}', $EntryId))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeEntryType) {
+        [string]$EntryId = $ProviderEnums.EventLogSeverity[$entry];
+        if ($EntryTypeFilter.Length -ne 0) {
+            $EntryTypeFilter.Append(
+                ([string]::Format(' and Level!={0}', $EntryId))
+            ) | Out-Null;
+        } else {
+            $EntryTypeFilter.Append(
+                ([string]::Format('Level!={0}', $EntryId))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $IncludeSource) {
+        if ($SourceFilter.Length -ne 0) {
+            $SourceFilter.Append(
+                ([string]::Format(' and Provider[@Name="{0}"]', $entry))
+            ) | Out-Null;
+        } else {
+            $SourceFilter.Append(
+                ([string]::Format('Provider[@Name="{0}"]', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeSource) {
+        if ($SourceFilter.Length -ne 0) {
+            $SourceFilter.Append(
+                ([string]::Format(' and Provider[@Name!="{0}"]', $entry))
+            ) | Out-Null;
+        } else {
+            $SourceFilter.Append(
+                ([string]::Format('Provider[@Name!="{0}"]', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $IncludeUsername) {
+        [string]$UserSID = (Get-IcingaUserSID -User $entry);
+        if ($UserFilter.Length -ne 0) {
+            $UserFilter.Append(
+                ([string]::Format(' and Security[@UserID="{0}', $UserSID))
+            ) | Out-Null;
+        } else {
+            $UserFilter.Append(
+                ([string]::Format('Security[@UserID="{0}"]', $UserSID))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeUsername) {
+        [string]$UserSID = (Get-IcingaUserSID -User $entry);
+        if ($UserFilter.Length -ne 0) {
+            $UserFilter.Append(
+                ([string]::Format(' and Security[@UserID!="{0}"]', $UserSID))
+            ) | Out-Null;
+        } else {
+            $UserFilter.Append(
+                ([string]::Format('Security[@UserID!="{0}"]', $UserSID))
+            ) | Out-Null;
+        }
+    }
+
+    $TimeFilter.Append(
+        ([string]::Format('TimeCreated[@SystemTime>="{0}"]', (Get-Date $EventAfterFilter).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ssZ")))
+    ) | Out-Null;
+
+    $TimeFilter.Append(
+        ([string]::Format(' and TimeCreated[@SystemTime<="{0}"]', (Get-Date $EventBeforeFilter).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ssZ")))
+    ) | Out-Null;
+
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $EventIdFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $EntryTypeFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $SourceFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $UserFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $TimeFilter;
+
+    while ($EventLogFilter[0] -eq ' ') {
+        $EventLogFilter = $EventLogFilter.Substring(1, $EventLogFilter.Length - 1);
+    }
+
+    [string]$EventLogFilter = [string]::Format('Event[System[{0}]]', $EventLogFilter);
+
+    try {
+        $EventLogEntries = Get-WinEvent -LogName $LogName -MaxEvents $MaxEntries -FilterXPath $EventLogFilter -ErrorAction Stop;
+    } catch {
+        Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'ParameterArgumentValidationError' -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogNegativeEntries;
+        Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'CannotConvertArgumentNoMessage' -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogNoMessageEntries;
+        Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'NoMatchingLogsFound' -CustomMessage (-Join $LogName) -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogLogName;
+    }
+
+    $EventLogQueryData = New-Object PSCustomObject;
+    $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'List'      -Value (New-Object PSCustomObject);
+    $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'Events'    -Value (New-Object PSCustomObject);
+    $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'HasEvents' -Value $FALSE;
+
+    foreach ($event in $EventLogEntries) {
+        # Filter out remaining message not matching our filter
+        if ((Test-IcingaArrayFilter -InputObject $event.Message -Include $IncludeMessage -Exclude $ExcludeMessage) -eq $FALSE) {
+            continue;
+        }
+
+        $EventLogQueryData.HasEvents = $TRUE;
+
+        [string]$EventIdentifier = [string]::Format('{0}-{1}',
+            $event.Id,
+            $event.ProviderName
+        );
+
+        [string]$EventHash = Get-StringSha1 $EventIdentifier;
+
+        if ((Test-PSCustomObjectMember -PSObject $EventLogQueryData.List -Name $EventHash) -eq $FALSE) {
+            [string]$EventMessage = [string]($event.Message);
+            if ([string]::IsNullOrEmpty($EventMessage)) {
+                $EventMessage = '';
+            }
+
+            $EventLogQueryData.List            | Add-Member -MemberType NoteProperty -Name $EventHash    -Value (New-Object PSCustomObject);
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'NewestEntry' -Value ([string]($event.TimeCreated));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'OldestEntry' -Value ([string]($event.TimeCreated));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'EventId'     -Value ([string]($event.Id));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Message'     -Value $EventMessage;
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Severity'    -Value $ProviderEnums.EventLogSeverityName[$event.Level];
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Source'      -Value ([string]($event.ProviderName));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Count'       -Value 1;
+
+        } else {
+            $EventLogQueryData.List.$EventHash.OldestEntry  = ([string]($event.TimeCreated));
+            $EventLogQueryData.List.$EventHash.Count       += 1;
+        }
+
+        if ((Test-PSCustomObjectMember -PSObject $EventLogQueryData.Events -Name $event.Id) -eq $FALSE) {
+            $EventLogQueryData.Events | Add-Member -MemberType NoteProperty -Name $event.Id -Value 1;
+        } else {
+            $EventLogQueryData.Events.($event.Id) += 1;
+        }
+    }
+
+    if ($null -ne $EventLogEntries) {
+        $EventLogEntries.Dispose();
+    }
+
+    $EventLogEntries = $null;
+    $EventLogFilter  = $null;
+    $EventIdFilter   = $null;
+    $EntryTypeFilter = $null;
+    $SourceFilter    = $null;
+    $UserFilter      = $null;
+    $TimeFilter      = $null;
+
+    return $EventLogQueryData;
+}
