fix(inputs.win_eventlog): Handle remote events more robustly. #12375
Merge once debug statement is removed!
(cherry picked from commit 7b5b342)
resolves #12328
This PR fixes a panic in `inputs.win_eventlog` for cases where events are sent by a remote machine (i.e. via Windows-event-forwarding) which is unavailable at the time Telegraf gathers those events. The root cause is that Windows' `EvtFormatMessage` syscall is expecting a handle to the publisher (i.e. the machine that sent the event) which is becoming invalid if that publisher is down. As a consequence Windows throws an exception (read Golang panic) instead of returning a simple error.

The implemented approach is to completely avoid the `EvtFormatMessage` syscall for remote events and instead use the `RenderingInfo` attached to the event itself (only existing for remote events).
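
The approach described above, as an added Go sketch that is not code from this PR or from Telegraf: it decodes an event's XML and uses the `RenderingInfo` strings when present, otherwise it reports that local formatting is needed. The type and function names (`renderingInfo`, `renderedStrings`, `errNoRenderingInfo`) are hypothetical and both event documents are constructed samples.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// Constructed sample: a forwarded event carrying pre-rendered strings.
const forwardedEvent = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><Computer>host-a.example.test</Computer></System>
<RenderingInfo Culture="en-US"><Message>An account was successfully logged on.</Message>
<Level>Information</Level><Task>Logon</Task>
<Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>`

// Constructed sample: a local event, which has no RenderingInfo element.
const localEvent = `<Event><System><EventID>4624</EventID></System></Event>`

// renderingInfo (hypothetical name) holds the strings rendered by the sender.
type renderingInfo struct {
	Message  string   `xml:"Message"`
	Level    string   `xml:"Level"`
	Task     string   `xml:"Task"`
	Keywords []string `xml:"Keywords>Keyword"`
}

// A pointer field stays nil when the element is absent from the XML.
type event struct {
	RenderingInfo *renderingInfo `xml:"RenderingInfo"`
}

// errNoRenderingInfo tells the caller to format via local publisher metadata.
var errNoRenderingInfo = errors.New("event has no RenderingInfo")

// renderedStrings returns the sender-rendered strings without any publisher
// handle, so an unreachable sender cannot affect message rendering.
func renderedStrings(raw string) (*renderingInfo, error) {
	var ev event
	if err := xml.Unmarshal([]byte(raw), &ev); err != nil {
		return nil, fmt.Errorf("decoding event XML: %w", err)
	}
	if ev.RenderingInfo == nil {
		return nil, errNoRenderingInfo
	}
	return ev.RenderingInfo, nil
}

func main() {
	for _, raw := range []string{forwardedEvent, localEvent} {
		ri, err := renderedStrings(raw)
		fmt.Println(ri, err)
	}
}
```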