Skip to content

Commit

Permalink
[winlogbeat] Implement exclusion range support for event_id (#41639) (#…
Browse files Browse the repository at this point in the history
…41660)

* Implement exclusion range support for event_id

* Check excludes to build suppress

(cherry picked from commit c2584a9)

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
  • Loading branch information
mergify[bot] and marc-gr authored Nov 18, 2024
1 parent 6b97f8b commit aed4f01
Show file tree
Hide file tree
Showing 4 changed files with 21 additions and 10 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -405,6 +405,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
*Winlogbeat*

- Add handling for missing `EvtVarType`s in experimental api. {issue}19337[19337] {pull}41418[41418]
- Implement exclusion range support for event_id. {issue}38623[38623] {pull}41639[41639]


*Functionbeat*
Expand Down
5 changes: 3 additions & 2 deletions winlogbeat/docs/winlogbeat-options.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -230,14 +230,15 @@ and descriptions.

A whitelist and blacklist of event IDs. The value is a comma-separated list. The
accepted values are single event IDs to include (e.g. 4624), a range of event
IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735).
IDs to include (e.g. 4700-4800), single event IDs to exclude (e.g. -4735),
and a range of event IDs to exclude (e.g. -4701-4710).
*{vista_and_newer}*

[source,yaml]
--------------------------------------------------------------------------------
winlogbeat.event_logs:
- name: Security
event_id: 4624, 4625, 4700-4800, -4735
event_id: 4624, 4625, 4700-4800, -4735, -4701-4710
--------------------------------------------------------------------------------

[WARNING]
Expand Down
21 changes: 15 additions & 6 deletions winlogbeat/sys/wineventlog/query.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ const (
query = `<QueryList>
<Query Id="0">
<Select Path="{{.Path}}">*{{if .Select}}[System[{{join .Select " and "}}]]{{end}}</Select>{{if .Suppress}}
<Suppress Path="{{.Path}}">*[System[({{join .Suppress " or "}})]]</Suppress>{{end}}
<Suppress Path="{{.Path}}">*[System[{{.Suppress}}]]</Suppress>{{end}}
</Query>
</QueryList>`
)
Expand All @@ -44,6 +44,7 @@ var (
incEventIDRegex = regexp.MustCompile(`^\d+$`)
incEventIDRangeRegex = regexp.MustCompile(`^(\d+)\s*-\s*(\d+)$`)
excEventIDRegex = regexp.MustCompile(`^-(\d+)$`)
excEventIDRangeRegex = regexp.MustCompile(`^-(\d+)\s*-\s*(\d+)$`)
)

// Query that identifies the source of the events and one or more selectors or
Expand Down Expand Up @@ -101,7 +102,7 @@ func (q Query) Build() (string, error) {
type queryParams struct {
Path string
Select []string
Suppress []string
Suppress string
}

func (qp *queryParams) ignoreOlderSelect(q Query) error {
Expand Down Expand Up @@ -140,6 +141,15 @@ func (qp *queryParams) eventIDSelect(q Query) error {
}
includes = append(includes,
fmt.Sprintf("(EventID &gt;= %d and EventID &lt;= %d)", r1, r2))
case excEventIDRangeRegex.MatchString(c):
m := excEventIDRangeRegex.FindStringSubmatch(c)
r1, _ := strconv.Atoi(m[1])
r2, _ := strconv.Atoi(m[2])
if r1 >= r2 {
return fmt.Errorf("event ID range '%s' is invalid", c)
}
excludes = append(excludes,
fmt.Sprintf("(EventID &gt;= %d and EventID &lt;= %d)", r1, r2))
default:
return fmt.Errorf("invalid event ID query component ('%s')", c)
}
Expand All @@ -150,10 +160,9 @@ func (qp *queryParams) eventIDSelect(q Query) error {
} else if len(includes) > 1 {
qp.Select = append(qp.Select, "("+strings.Join(includes, " or ")+")")
}
if len(excludes) == 1 {
qp.Suppress = append(qp.Suppress, excludes...)
} else if len(excludes) > 1 {
qp.Suppress = append(qp.Suppress, "("+strings.Join(excludes, " or ")+")")

if len(excludes) > 0 {
qp.Suppress = "(" + strings.Join(excludes, " or ") + ")"
}

return nil
Expand Down
4 changes: 2 additions & 2 deletions winlogbeat/sys/wineventlog/query_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -99,14 +99,14 @@ func TestCombinedQuery(t *testing.T) {
const expected = `<QueryList>
<Query Id="0">
<Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000] and (EventID=1 or (EventID &gt;= 1 and EventID &lt;= 100)) and (Level = 3)]]</Select>
<Suppress Path="Application">*[System[(EventID=75)]]</Suppress>
<Suppress Path="Application">*[System[(EventID=75 or (EventID &gt;= 97 and EventID &lt;= 99))]]</Suppress>
</Query>
</QueryList>`

q, err := Query{
Log: "Application",
IgnoreOlder: time.Hour,
EventID: "1, 1-100, -75",
EventID: "1, 1-100, -75, -97-99",
Level: "Warning",
}.Build()
if assert.NoError(t, err) {
Expand Down

0 comments on commit aed4f01

Please sign in to comment.