in extensions/windows-event-log/ConsumeWindowsEventLog.cpp [112:197]
void ConsumeWindowsEventLog::onSchedule(core::ProcessContext& context, core::ProcessSessionFactory&) {
state_manager_ = context.getStateManager();
if (state_manager_ == nullptr) {
throw Exception(PROCESSOR_EXCEPTION, "Failed to get StateManager");
}
resolve_as_attributes_ = utils::parseBoolProperty(context, ResolveAsAttributes);
apply_identifier_function_ = utils::parseBoolProperty(context, IdentifierFunction);
header_delimiter_ = utils::parseOptionalProperty(context, EventHeaderDelimiter);
batch_commit_size_ = utils::parseU64Property(context, BatchCommitSize);
header_names_.clear();
if (auto header = context.getProperty(EventHeader)) {
auto keyValueSplit = utils::string::split(*header, ",");
for (const auto &kv : keyValueSplit) {
auto splitKeyAndValue = utils::string::split(kv, "=");
if (splitKeyAndValue.size() == 2) {
auto key = utils::string::trim(splitKeyAndValue.at(0));
auto value = utils::string::trim(splitKeyAndValue.at(1));
if (!insertHeaderName(header_names_, key, value)) {
logger_->log_error("{} is an invalid key for the header map", key);
}
} else if (splitKeyAndValue.size() == 1) {
auto key = utils::string::trim(splitKeyAndValue.at(0));
if (!insertHeaderName(header_names_, key, "")) {
logger_->log_error("{} is an invalid key for the header map", key);
}
}
}
}
regex_.reset();
if (auto identifier_matcher = context.getProperty(IdentifierMatcher); identifier_matcher && !identifier_matcher->empty()) {
regex_.emplace(*identifier_matcher);
}
output_format_ = utils::parseEnumProperty<cwel::OutputFormat>(context, OutputFormatProperty);
json_format_ = utils::parseEnumProperty<cwel::JsonFormat>(context, JsonFormatProperty);
if (output_format_ != cwel::OutputFormat::Plaintext && !hMsobjsDll_) {
char systemDir[MAX_PATH];
if (GetSystemDirectory(systemDir, sizeof(systemDir))) {
hMsobjsDll_ = LoadLibrary((systemDir + std::string("\\msobjs.dll")).c_str());
if (!hMsobjsDll_) {
LOG_LAST_ERROR(LoadLibrary);
}
} else {
LOG_LAST_ERROR(GetSystemDirectory);
}
}
path_ = wel::EventPath{context.getProperty(Channel).value()};
if (path_.kind() == wel::EventPath::Kind::FILE) {
logger_->log_debug("Using saved log file as log source");
} else {
logger_->log_debug("Using channel as log source");
}
std::string query = context.getProperty(Query).value_or("");
wstr_query_ = std::wstring(query.begin(), query.end());
bool processOldEvents = utils::parseBoolProperty(context, ProcessOldEvents);
if (!bookmark_) {
std::string bookmarkDir = context.getProperty(BookmarkRootDirectory).value_or("");
if (bookmarkDir.empty()) {
logger_->log_error("State Directory is empty");
throw Exception(PROCESS_SCHEDULE_EXCEPTION, "State Directory is empty");
}
bookmark_ = std::make_unique<Bookmark>(path_, wstr_query_, bookmarkDir, getUUID(), processOldEvents, state_manager_, logger_);
if (!*bookmark_) {
bookmark_.reset();
throw Exception(PROCESS_SCHEDULE_EXCEPTION, "Bookmark is empty");
}
}
max_buffer_size_ = utils::parseDataSizeProperty(context, MaxBufferSize);
logger_->log_debug("ConsumeWindowsEventLog: MaxBufferSize {}", max_buffer_size_);
cache_sid_lookups_ = utils::parseBoolProperty(context, CacheSidLookups);
logger_->log_debug("ConsumeWindowsEventLog: will{} cache SID to name lookups", cache_sid_lookups_ ? "" : " not");
provenanceUri_ = "winlog://" + computerName_ + "/" + path_.str() + "?" + query;
logger_->log_trace("Successfully configured CWEL");
}