[pkg/stanza] Don't get formatted msg for events without an event prov…
…ider (#35227)

**Description:**
When the event doesn't have a Publisher we should not rely on the
behavior of the `EvtFormatMessage` API, given that in some cases it reports
an error. Instead we should fall back to the non-formatted message to avoid
logging error messages on the collector. See issue #35135.

**Link to tracking Issue:**
Fix #35135

**Testing:**
Local validation of the processing of the events reported in the issue.

**Documentation:**
N/A

---------

Co-authored-by: Daniel Jaglowski <jaglows3@gmail.com>
pjanotti and djaglowski authored Sep 18, 2024
1 parent e9c951d commit f6aa99f
Showing 4 changed files with 53 additions and 3 deletions.
@@ -0,0 +1,29 @@
# Use this changelog template to create an entry for release notes.

# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: bug_fix

# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
component: pkg/stanza

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Do not get formatted message for Windows events without an event provider.

# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
issues: [35135]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext: |
Attempting to get the formatted message for Windows events without an event provider can result in an error being logged. |
This change ensures that the formatted message is not retrieved for such events.
# If your change doesn't affect end users or the exported elements of any package,
# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
# Optional: The change log or logs in which this entry should be included.
# e.g. '[user]' or '[user, api]'
# Include 'user' if the change is relevant to end users.
# Include 'api' if there is a change to a library API.
# Default: '[user]'
change_logs: [user]
2 changes: 1 addition & 1 deletion pkg/stanza/operator/input/windows/publisher_test.go
Expand Up @@ -13,7 +13,7 @@ import (

func TestPublisherOpenPreexisting(t *testing.T) {
publisher := Publisher{handle: 5}
err := publisher.Open("")
err := publisher.Open("provider_name_does_not_matter_for_this_test")
require.Error(t, err)
require.Contains(t, err.Error(), "publisher handle is already open")
require.True(t, publisher.Valid())
9 changes: 7 additions & 2 deletions pkg/stanza/operator/input/windows/publishercache.go
Expand Up @@ -19,14 +19,19 @@ func newPublisherCache() publisherCache {
}
}

func (c *publisherCache) get(provider string) (publisher Publisher, openPublisherErr error) {
func (c *publisherCache) get(provider string) (Publisher, error) {
publisher, ok := c.cache[provider]
if ok {
return publisher, nil
}

var err error
publisher = NewPublisher()
err := publisher.Open(provider)
if provider != "" {
// If the provider is empty, there is nothing to be formatted on the event
// keep the invalid publisher in the cache. See issue #35135
err = publisher.Open(provider)
}

// Always store the publisher even if there was an error opening it.
c.cache[provider] = publisher
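Review bot: `get` now hands back a nil error together with a Publisher that was never opened whenever `provider` is empty, so every caller has to test `publisher.Valid()` before asking for a formatted message — the same contract as the existing invalid-after-failed-Open path, but now with no error to signal it; the callers are outside this hunk, so I cannot confirm they all do. A doc comment on the function would make the contract explicit: `// get returns the cached Publisher for provider, opening and caching one on first use.` / `// An empty provider yields an invalid (never opened) Publisher and a nil error; callers must check Valid() before formatting.` The inline comment at the `if provider != ""` guard also reads as one run-on sentence; I'd write it `// An empty provider has nothing to format, so skip Open and cache the invalid publisher (issue #35135).` The function's return statement lies below the hunk.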
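--- a/pkg/stanza/operator/input/windows/publishercache_test.go
+++ b/pkg/stanza/operator/input/windows/publishercache_test.go
@@ -45,6 +45,22 @@ func TestGetInvalidPublisher(t *testing.T) {
 require.False(t, publisher.Valid())
 }
 
+func TestEmptyPublisherNameBehavior(t *testing.T) {
+publisherCache := newPublisherCache()
+defer func() {
+require.NoError(t, publisherCache.evictAll())
+}()
+
+publisher, openPublisherErr := publisherCache.get("")
+require.NoError(t, openPublisherErr) // There should be no error for an empty provider.
+require.False(t, publisher.Valid())
+
+// Checked that the cached version works as expected.
+publisher, openPublisherErr = publisherCache.get("")
+require.NoError(t, openPublisherErr)
+require.False(t, publisher.Valid())
+}
+
 func TestValidAndInvalidPublishers(t *testing.T) {
 publisherCache := newPublisherCache()
 defer func() {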
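Review bot: The second `get("")` call at the end of TestEmptyPublisherNameBehavior does not actually prove the cache path was taken, because a fresh `NewPublisher()` that is never opened yields the same invalid publisher and nil error as a cache hit would. Asserting the map entry after the first call makes the test discriminating: `require.Contains(t, publisherCache.cache, "")` — the `cache` field is package-internal and the lookup in publishercache.go shows it is keyed by the provider string, so the test can reach it. The comment `// Checked that the cached version works as expected.` should read `// Check that the cached version behaves the same.` The deferred `evictAll()` is asserted to succeed even though the only cached publisher was never opened; that presumably relies on evictAll tolerating invalid handles, which is worth confirming since that helper is outside this hunk.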
