func windowsEventLogV1Processors()

in confgenerator/logging_receivers.go [536:607]


// windowsEventLogV1Processors returns the processors that reshape Windows
// event log records from the OTel layout into the field layout of the
// fluent-bit winlog input, which is structured completely differently.
//
// The mapping is expressed as a single LoggingProcessorModifyFields with
// EmptyBody set; whatever its Processors method returns is passed back as is.
func windowsEventLogV1Processors(ctx context.Context) ([]otel.Component, error) {
	// One shared empty-string default for the optional fields below (Data, Sid).
	var blank string

	// Data: rewrite the copied value in lower case.
	lowerCaseData := func(v ottl.LValue) ottl.Statements {
		return v.Set(ottl.ConvertCase(v, "lower"))
	}

	// EventType: relabel audit records as SuccessAudit / FailureAudit.
	// TODO: What if there are multiple keywords?
	// NOTE(review): only keywords[0] is compared. If a record carries several
	// keywords and the audit keyword is not first, neither condition matches and
	// EventType presumably keeps the value copied from jsonPayload.level, so
	// consumers filtering on SuccessAudit/FailureAudit may miss such records.
	eventTypeFromKeywords := func(v ottl.LValue) ottl.Statements {
		kwList := ottl.LValue{"cache", "body", "keywords"}
		firstKw := ottl.RValue(`cache["body"]["keywords"][0]`)

		auditSucceeded := ottl.And(
			kwList.IsPresent(),
			ottl.IsNotNil(firstKw),
			ottl.Equals(firstKw, ottl.StringLiteral("Audit Success")),
		)
		auditFailed := ottl.And(
			kwList.IsPresent(),
			ottl.IsNotNil(firstKw),
			ottl.Equals(firstKw, ottl.StringLiteral("Audit Failure")),
		)

		return ottl.NewStatements(
			v.SetIf(ottl.StringLiteral("SuccessAudit"), auditSucceeded),
			v.SetIf(ottl.StringLiteral("FailureAudit"), auditFailed),
		)
	}

	// SourceName: prefer jsonPayload.provider.event_source over the copied
	// provider.name when it is present and non-empty.
	preferEventSource := func(v ottl.LValue) ottl.Statements {
		src := ottl.LValue{"cache", "body", "provider", "event_source"}
		nonEmpty := ottl.Not(ottl.Equals(src, ottl.StringLiteral("")))
		return v.SetIf(src, ottl.And(src.IsPresent(), nonEmpty))
	}

	fieldMap := map[string]*ModifyField{
		"jsonPayload.Channel":      {CopyFrom: "jsonPayload.channel"},
		"jsonPayload.ComputerName": {CopyFrom: "jsonPayload.computer"},
		"jsonPayload.Data": {
			CopyFrom:          "jsonPayload.event_data.binary",
			DefaultValue:      &blank,
			CustomConvertFunc: lowerCaseData,
		},
		// TODO: OTel puts the human-readable category at jsonPayload.task, but we need them to add the integer version.
		//"jsonPayload.EventCategory": {StaticValue: "0", Type: "integer"},
		"jsonPayload.EventID": {CopyFrom: "jsonPayload.event_id.id"},
		"jsonPayload.EventType": {
			CopyFrom:          "jsonPayload.level",
			CustomConvertFunc: eventTypeFromKeywords,
		},
		// TODO: Fix OTel receiver to provide raw non-parsed messages.
		"jsonPayload.Message":      {CopyFrom: "jsonPayload.message"},
		"jsonPayload.Qualifiers":   {CopyFrom: "jsonPayload.event_id.qualifiers"},
		"jsonPayload.RecordNumber": {CopyFrom: "jsonPayload.record_id"},
		// NOTE(review): with the empty-string default, an empty Sid presumably
		// means security.user_id was absent on the record - confirm against
		// ModifyField's DefaultValue handling.
		"jsonPayload.Sid": {
			CopyFrom:     "jsonPayload.security.user_id",
			DefaultValue: &blank,
		},
		"jsonPayload.SourceName": {
			CopyFrom:          "jsonPayload.provider.name",
			CustomConvertFunc: preferEventSource,
		},
		// TODO: Convert from array of maps to array of strings
		"jsonPayload.StringInserts": {CopyFrom: "jsonPayload.event_data.data"},
		// Both timestamps are taken from the same system_time source field.
		// TODO: Reformat? (v1 was "YYYY-MM-DD hh:mm:ss +0000", OTel is "YYYY-MM-DDThh:mm:ssZ")
		"jsonPayload.TimeGenerated": {CopyFrom: "jsonPayload.system_time"},
		// TODO: Reformat?
		"jsonPayload.TimeWritten": {CopyFrom: "jsonPayload.system_time"},
	}

	modify := &LoggingProcessorModifyFields{
		EmptyBody: true,
		Fields:    fieldMap,
	}
	return modify.Processors(ctx)
}