in_winevtlog: Recreate subscription if failed result is from signal e…
…vent

Signed-off-by: Hiroshi Hatake <[email protected]>
cosmo0920 committed Mar 5, 2024
1 parent 271fcc3 commit 0bd350d
Showing 1 changed file with 63 additions and 4 deletions.
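--- a/plugins/in_winevtlog/winevtlog.c
+++ b/plugins/in_winevtlog/winevtlog.c
@@ -485,7 +485,65 @@ int get_string_inserts(EVT_HANDLE handle, PEVT_VARIANT *string_inserts_values,
 return succeeded;
 }
 
-static int winevtlog_next(struct winevtlog_channel *ch, int hit_threshold)
+static int winevtlog_recreate_subscription(struct winevtlog_channel *ch,
+struct winevtlog_config *ctx)
+{
+struct winevtlog_channel *re_ch;
+PWSTR wide_bookmark_xml = NULL;
+EVT_HANDLE bookmark = NULL;
+DWORD retry = 0;
+DWORD retry_limit = 8;
+int used_size = 0;
+
+retry:
+if (retry > 8) {
+flb_error("subscription is not recreated. limit reached.");
+return FLB_FALSE;
+}
+flb_warn("subscription is invalid. Recreating. left attempt(s) = %d",
+retry_limit - retry);
+wide_bookmark_xml = render_event(ch->bookmark, EvtRenderBookmark, &used_size);
+if (wide_bookmark_xml == NULL) {
+flb_error("failed to render bookmark with %d", GetLastError());
+
+return FLB_FALSE;
+}
+bookmark = EvtCreateBookmark(wide_bookmark_xml);
+if (bookmark == NULL) {
+flb_error("failed to create bookmark handle with %d",
+GetLastError());
+
+flb_free(wide_bookmark_xml);
+retry++;
+flb_time_msleep(retry * 1000); /* wait for retry * 1sec */
+
+goto retry;
+}
+
+re_ch = winevtlog_subscribe(ch->name, ctx->read_existing_events,
+bookmark, ch->query);
+if (re_ch == NULL) {
+flb_warn("[in_winevtlog] cannot subscribe '%s' (%i)", ch->name, GetLastError());
+flb_free(wide_bookmark_xml);
+retry++;
+flb_time_msleep(retry * 1000); /* wait for retry * 1sec */
+
+goto retry;
+}
+
+close_handles(ch);
+
+ch->bookmark = re_ch->bookmark;
+ch->subscription = re_ch->subscription;
+ch->signal_event = re_ch->signal_event;
+
+flb_free(wide_bookmark_xml);
+
+return FLB_TRUE;
+}
+
+static int winevtlog_next(struct winevtlog_channel *ch,
+struct winevtlog_config *ctx, int hit_threshold)
 {
 EVT_HANDLE events[SUBSCRIBE_ARRAY_SIZE];
 DWORD count = 0;
@@ -506,8 +564,9 @@ static int winevtlog_next(struct winevtlog_channel *ch, int hit_threshold)
 
 wait = WaitForSingleObject(ch->signal_event, 0);
 if (wait == WAIT_FAILED) {
-flb_error("subscription is invalid");
-return FLB_FALSE;
+if (!winevtlog_recreate_subscription(ch, ctx)) {
+return FLB_FALSE;
+}
 }
 else if (wait != WAIT_OBJECT_0) {
 return FLB_FALSE;
@@ -560,7 +619,7 @@ int winevtlog_read(struct winevtlog_channel *ch, struct winevtlog_config *ctx,
 UINT count_inserts = 0;
 DWORD i = 0;
 
-while (winevtlog_next(ch, hit_threshold)) {
+while (winevtlog_next(ch, ctx, hit_threshold)) {
 for (i = 0; i < ch->count; i++) {
 if (ctx->render_event_as_xml) {
 system_xml = render_event(ch->events[i], EvtRenderEventXml, &system_size);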
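Review bot: In `winevtlog_recreate_subscription`, the `bookmark` handle returned by `EvtCreateBookmark` is not closed on the path where `winevtlog_subscribe` returns NULL, so each retry appears to leak one handle unless `winevtlog_subscribe` releases it on failure (not visible in this hunk); an `EvtClose(bookmark);` before `retry++` would cover it. On success only `bookmark`, `subscription` and `signal_event` are copied out of `re_ch`, and the `re_ch` structure itself is never released here, which looks like a leak per recreation if `winevtlog_subscribe` allocates it. The limit check uses the literal `if (retry > 8)` although `retry_limit` is declared two lines above; `if (retry >= retry_limit)` would keep the two in step and stop the "left attempt(s)" message from reaching 0 while one more attempt still runs. The `flb_time_msleep(retry * 1000)` calls can add up to tens of seconds inside `winevtlog_next`, so if this read path runs on a shared input thread (not visible here) event collection stalls for that long; a comment stating the worst-case delay, or returning and retrying on the next collect, would make the gap explicit.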
