
add eventchannel support for ossec agent on windows vista or greater #28

Merged
merged 1 commit into from Jan 31, 2014
Conversation

gaelmuller
Contributor

This pull request adds a new feature to the windows agent, to be able to monitor "Application and Services Logs" that appeared with Windows Vista. This is not currently possible (OSSEC will read the "Applications" eventlog instead).

Previous discussions on this topic:

For example, we can now monitor the "Microsoft-Windows-PrintService/Operational" eventlog with this config:

<localfile>
  <location>Microsoft-Windows-PrintService/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

By default, OSSEC will keep track of where it was before stopping, which means that it will read (at start time) all events that occurred between stop and start in order not to miss any event. However, you can cancel this behaviour with the "only-future-events" parameter:

<localfile>
  <location>Microsoft-Windows-PrintService/Operational</location>
  <log_format>eventchannel</log_format>
  <only-future-events>yes</only-future-events>
</localfile>

You can also use an XPATH query if you are not interested in all the events (see the event schema to construct queries: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201%28v=vs.85%29.aspx):

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <only-future-events>yes</only-future-events>
  <query>Event/System[EventID=7040]</query>
</localfile>

With this config, OSSEC will only receive events from the "System" eventlog that have an event ID equal to 7040.

Few things to note:

  • When changing the configuration, you should delete saved bookmarks (in the "bookmarks" directory) if you want to avoid unwanted behaviour (getting too much eventlog history on start)
  • This relies on relatively new APIs available on Windows Vista or greater. This has two implications:
    • We cannot use mingw32 to compile anymore, because it is missing these APIs. That is why this PR uses mingw-w64 (which explains a few changes in this PR not related to the added feature).
    • We now have to generate two distinct installers: "ossec-win32-agent.exe" and "ossec-win32-agent-with-eventchannel.exe" because the new one cannot be used on systems older than Vista. We could have only one if we dropped compatibility with older systems (such as Windows XP). This is obviously not wanted at this time.

Note: replaces PR 27 (contained too many commits for an unknown reason ...)
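The three `<localfile>` blocks above show every option the new `eventchannel` format takes (`location`, `log_format`, `only-future-events`, `query`). The following is an added example, not code from OSSEC or from this pull request: a small Python checker that parses `<localfile>` entries out of an agent configuration and flags the misconfiguration the PR description warns about (an "Application and Services Logs" channel, i.e. a location containing a slash, declared with the old `eventlog` format, which would make the agent read the classic "Application" log instead). It also reports entries that will replay history from a bookmark on start, since those are the ones affected by the advice to clear the `bookmarks` directory after a configuration change. The sample configuration is constructed from the PR's three blocks plus one deliberately wrong entry, and the lint rules are this example's own interpretation of the PR text.

```python
"""Lint <localfile> entries of an OSSEC Windows agent config for eventchannel use.

Added example; not part of OSSEC. The sample config is constructed from the
blocks in the pull request plus one deliberately misconfigured entry.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the three blocks from the PR description, followed by a
# hypothetical entry that uses the old 'eventlog' format on a channel name.
SAMPLE_CONFIG = """
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
    <only-future-events>yes</only-future-events>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <only-future-events>yes</only-future-events>
    <query>Event/System[EventID=7040]</query>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""


def _child_text(element, tag):
    """Return the stripped text of a direct child, or None if absent/empty."""
    node = element.find(tag)
    if node is None or node.text is None:
        return None
    return node.text.strip() or None


def parse_localfiles(xml_text):
    """Extract every <localfile> block as a dict of its eventchannel-relevant options."""
    root = ET.fromstring(xml_text)
    entries = []
    for lf in root.iter("localfile"):
        future = (_child_text(lf, "only-future-events") or "no").lower() == "yes"
        entries.append({
            "location": _child_text(lf, "location"),
            "log_format": _child_text(lf, "log_format"),
            "only_future_events": future,
            "query": _child_text(lf, "query"),
        })
    return entries


def lint_localfiles(entries):
    """Return (severity, location, message) findings derived from the PR's notes."""
    findings = []
    for e in entries:
        loc, fmt = e["location"], e["log_format"]
        if loc is None or fmt is None:
            findings.append(("error", loc, "localfile needs both <location> and <log_format>"))
            continue
        # A '/' in the location marks an "Application and Services Logs" channel,
        # which only the new eventchannel format can read.
        if "/" in loc and fmt != "eventchannel":
            findings.append(("error", loc,
                             "channel declared with log_format '%s'; the agent would read "
                             "the classic Application log instead. Use eventchannel." % fmt))
        if fmt == "eventchannel" and not e["only_future_events"]:
            findings.append(("info", loc,
                             "replays events since the last stop from its bookmark; "
                             "clear the bookmarks directory after changing this entry"))
    return findings


if __name__ == "__main__":
    for sev, loc, msg in lint_localfiles(parse_localfiles(SAMPLE_CONFIG)):
        print("[%s] %s: %s" % (sev, loc, msg))
```

Running the block prints two findings for the constructed sample: an informational note for the first PrintService entry (no `only-future-events`, so it will catch up from its bookmark) and an error for the Sysmon entry, whose slash-containing channel name cannot be read with `log_format` `eventlog`. The two `System` and second PrintService entries pass cleanly.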

@gaelmuller
Contributor Author

To answer questions posted on the previous PR:

  • No, we cannot have only one binary because we are cross compiling it (so we can't decide if we include the feature or not)
  • No, the new installer should not be called ossec-win64-agent.exe because it is still a 32-bit binary

@jrossi
Member

jrossi commented Jan 30, 2014

I think the two installers would be temp only. Moving to an MSI installer, we could install the correct version and just package them up together. But that is not for now 🎱

I do have a question about the bookmarks directory. Does this have downsides? Can this fill up a disk or have effects on the windows system as a whole?

@gaelmuller
Contributor Author

There is no risk. The bookmarks directory only contains one file per eventlog monitored, and each file only contains one bookmark at a time (less than 400 bytes).

Note that this directory is not used when setting "only-future-events".

jrossi added a commit that referenced this pull request Jan 31, 2014
add eventchannel support for ossec agent on windows vista or greater
@jrossi jrossi merged commit beea14c into ossec:master Jan 31, 2014
@gaelmuller gaelmuller deleted the eventapi branch February 3, 2014 09:26