Windows events

[cyriltovena]

What this PR does / why we need it:

This PR introduces support for reading windows event logs with Promtail and send them to Loki.

It support saving the position of which events has been sent to avoid skipping logs during rollout or service interuption.

Which issue(s) this PR fixes:
Fixes #1395

Special notes for your reviewer:

I have forked telegraf windows event library in our repo to make it fit our scrape/push model. I'm using mostly syscall and event definition there. see https://github.com/influxdata/telegraf/tree/master/plugins/inputs/win_eventlog

Checklist

• Documentation added
• Tests updated

[codecov-io]

Codecov Report

Merging #3246 (5062184) into master (8716e24) will increase coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3246      +/-   ##
==========================================
+ Coverage   63.06%   63.08%   +0.02%     
==========================================
  Files         198      198              
  Lines       16796    16796              
==========================================
+ Hits        10592    10596       +4     
+ Misses       5239     5236       -3     
+ Partials      965      964       -1     

Impacted Files	Coverage Δ
pkg/promtail/scrapeconfig/scrapeconfig.go	12.00% <ø> (ø)
pkg/promtail/targets/file/tailer.go	75.00% <0.00%> (+1.78%)	⬆️
pkg/querier/queryrange/downstreamer.go	97.64% <0.00%> (+2.35%)	⬆️

[rfratto]

This is exciting! 🎉

[owen-d]

Started review, left a few nits

[owen-d]

Finished review, there's a few nits and one []byte mis-instantiation, then I'll approve.

[cyriltovena]

Started review, left a few nits

Will check it out.

[simnv]

4kb will not be enough for complex event filters

[cyriltovena]

You have an example ? what would be a good value ? Thanks for the feedback

[simnv]

By hitting some filters in Custom View of Windows Event Viewer and exporting resulting filter XML, I am easily getting a 8kb file. Bookmark with that filter takes a little bit more space.

Telegraf uses a 16kb buffer, and it's a better default value, enough for most cases.

The best way would be going full winapi: calling _EvtRender with zero as buf pointer value. It will return error, but also put the required length into bufferUsed. So then we can make buffer of required length and call _EvtRender again, this time with the newly created buffer pointer. It is a less performant way, and there can be a headache of memory allocating and freeing, but it is bulletproof.

Thank you very much for this PR btw! I made like 75% of porting Telegraf code to Loki, but got stuck at the polling loop, didn't find the satisfying method to do polls and got carried away by other duties. I like Loki, but extending it is such nontrivial work comparing to Telegraf, so many core files to change with custom targets, it is very unfriendly.

[cyriltovena]

I like Loki, but extending it is such nontrivial work comparing to Telegraf, so many core files to change with custom targets, it is very unfriendly.

Sorry about that ! We'll try to get better at this.

[cyriltovena]

I'll increase the buffer :) before we cut a new release