Feature/windows event id filtering

[Paamicky]

Description of the issue

The CloudWatch Agent currently filters Windows Event Logs based on security levels (i.e Error, Critical, Information...). This does not allow customers to only collect specific and relevant logs to CloudWatch

Description of changes

• Add Event ID filtering to the CWAgent Windows logs collection

sample configuration of event ID filtering

  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "System",
            "event_ids": [4624, 4625, 4634],
            "log_group_name": "WindowsEventIds-Test",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  }
}

Caution

This PR has a testing PR linked to here: aws/amazon-cloudwatch-agent-test#541, merge this first.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

• Added unit tests for event ID validation and processing
• Manually tested on Windows to verify events are properly filtered by ID
• Verified backward compatibility with existing configurations

Requirements

Before commiting your code, please do the following steps.

1. Run make fmt and make fmt-sh
2. Run make lint

---

Integration Tests

To run integration tests against this PR, add the ready for testing label.

[dricross]

Do we know why this is being added? I don't think your changes should have affected this field.

[Paamicky]

Yes, I think I raised this earlier, I don't know why it is been added. I'm thinking it will be from a previous update to the agent from another commit.

[dricross]

Would be good to find that commit and understand why this change is necessary more concretely before we merge this in. I am especially interested in the region_type field under [[outputs.cloudwatchlogs]]

[Paamicky]

I will check that.

[Paamicky]

The log_group_class and region_type were implemented about 20 months ago by previous commits. It got added since I'm generating the TOML files for the first time.

You can find more about it here:
log_group_class

Region_type:
rurleRegion
regionType

[dricross]

this is comment is for line 100. I can't comment on it directly though since it wasn't modified.

The function should not return early anymore if the EventLevelsKey is not found since the event_levels key is no longer strictly necessary. As this function is right now, I believe it won't validate the event IDs if the event_levels key is not present. You'll need to change the event levels to act like what you have in the event ID section.

[Paamicky]

Fixed.

[dricross]

everything related to event levels needs to go inside the if statement or there will be some behavior changes:

	if eventLevels, ok := result[EventLevelsKey]; ok {
		inputEventLevels = eventLevels.([]interface{})
		resultEventLevels := []interface{}{}
		for _, eventLevel := range inputEventLevels {
			switch eventLevel.(string) {
			case "CRITICAL":
				resultEventLevels = append(resultEventLevels, "1")
			case "ERROR":
				resultEventLevels = append(resultEventLevels, "2")
			case "WARNING":
				resultEventLevels = append(resultEventLevels, "3")
			case "INFORMATION":
				resultEventLevels = append(resultEventLevels, "4", "0")
			case "VERBOSE":
				resultEventLevels = append(resultEventLevels, "5")
			default:
				translator.AddErrorMessages(GetCurPath(), fmt.Sprintf("Cannot find the mapping for Windows event level %v.", eventLevel))
			}
		}
		result[EventLevelsKey] = resultEventLevels
	}

[Paamicky]

done!

[dricross]

would be good to link to documentation or explain why these values are selected

we should also have test cases for these values and their neighbors (e.g. -1, 0, 1, 65534, 65535, 65536) to ensure they are all handled properly

[Paamicky]

Added link to documentation!

[dricross]

Based on those docs, the minimum event ID is actually 1

Category | Range | Currently in use | Comments
Microsoft Active Accessibility events (System Reserved) | 0x0001-0x00FF | 0x0001-0x0020 | EVENT_SYSTEM_* event IDs

[Paamicky]

Yes that's right, but technically the event ids ranges from 0-65535. So I thought for validation or programming purposes, it would be correct as these are the absolute min and max values that can be stored in the event ids field. They are mostly reserved for if application crashes or fails to install,,

[okankoAMZ]

What are these event ids what are they representing, can we comment that here?

[Paamicky]

They are generic event ids to show how the final sampleConfig of the Toml will look like. it serves as documentation and example config for users of the Windows event Log plugin. So I just add the event id since it is a feature now.

[okankoAMZ]

why are we deleting this function can you explain in your PR description?

[Paamicky]

I just moved them to a different file due to the windows build tags. I wanted run some test on the linux environment so it doesn't skip those tests.

[okankoAMZ]

why are we deleting this function can you explain in your PR description?

[Paamicky]

Moved to a different file due to the windows build tags.

[okankoAMZ]

why are we deleting this function can you explain in your PR description?

[Paamicky]

Moved to a different file due to the windows build tags.

[okankoAMZ]

Okay so you are moving into a different file. Please document that in your description

[Paamicky]

Alright sure

[okankoAMZ]

what is region type and what is "ACJ"?

[Paamicky]

yeah I will investigate, it got added when I generated the files, probably from a previous commit.

[Paamicky]

The region_type was implemented about 20 months ago by previous commits. It got added since I'm generating the TOML files for the first time.

You can find more about it here:

Region_type:
rurleRegion
regionType

[okankoAMZ]

shouldn't we have some kind of validation and returning error here. With the current implementation it seems like this function could never fail, is this true?

[okankoAMZ]

With this change now, we keep going when the eventLevel is missing. Is this intentional?

[Paamicky]

if the eventLevel is missing it will proceed to check the for eventids, actually this still sets eventlevels to an empty slice of string instead of nil, I will fix this.

[Paamicky]

done!

[dricross]

Based on those docs, the minimum event ID is actually 1

Category | Range | Currently in use | Comments
Microsoft Active Accessibility events (System Reserved) | 0x0001-0x00FF | 0x0001-0x0020 | EVENT_SYSTEM_* event IDs

[dricross]

nit: formatting

[dricross]

Interesting. There are some other integers that aren't mangled like log retention. I wonder why those work. Perhaps because they aren't in an array? We should understand why those integers don't require additional processing.

[dricross]

Would be good to find that commit and understand why this change is necessary more concretely before we merge this in. I am especially interested in the region_type field under [[outputs.cloudwatchlogs]]

[dricross]

everything related to event levels needs to go inside the if statement or there will be some behavior changes:

	if eventLevels, ok := result[EventLevelsKey]; ok {
		inputEventLevels = eventLevels.([]interface{})
		resultEventLevels := []interface{}{}
		for _, eventLevel := range inputEventLevels {
			switch eventLevel.(string) {
			case "CRITICAL":
				resultEventLevels = append(resultEventLevels, "1")
			case "ERROR":
				resultEventLevels = append(resultEventLevels, "2")
			case "WARNING":
				resultEventLevels = append(resultEventLevels, "3")
			case "INFORMATION":
				resultEventLevels = append(resultEventLevels, "4", "0")
			case "VERBOSE":
				resultEventLevels = append(resultEventLevels, "5")
			default:
				translator.AddErrorMessages(GetCurPath(), fmt.Sprintf("Cannot find the mapping for Windows event level %v.", eventLevel))
			}
		}
		result[EventLevelsKey] = resultEventLevels
	}