introduce new way of getting process name in loki source windows event
wildum committed Feb 6, 2025
1 parent ab09bcb commit 1fca129
Showing 2 changed files with 39 additions and 2 deletions.
39 changes: 38 additions & 1 deletion internal/component/loki/source/windowsevent/format.go
Expand Up @@ -7,9 +7,14 @@ package windowsevent

import (
"fmt"
"path/filepath"
"syscall"

"github.com/go-kit/log"
"github.com/go-kit/log/level"

jsoniter "github.com/json-iterator/go"
"golang.org/x/sys/windows"

"github.com/grafana/loki/v3/clients/pkg/promtail/scrapeconfig"
"github.com/grafana/loki/v3/clients/pkg/promtail/targets/windows/win_eventlog"
Expand Down Expand Up @@ -59,7 +64,7 @@ type Correlation struct {
}

// formatLine format a Loki log line from a windows event.
func formatLine(cfg *scrapeconfig.WindowsEventsTargetConfig, event win_eventlog.Event) (string, error) {
func formatLine(cfg *scrapeconfig.WindowsEventsTargetConfig, event win_eventlog.Event, l log.Logger) (string, error) {
structuredEvent := Event{
Source: event.Source.Name,
Channel: event.Channel,
Expand Down Expand Up @@ -113,9 +118,41 @@ func formatLine(cfg *scrapeconfig.WindowsEventsTargetConfig, event win_eventlog.
ThreadID: event.Execution.ThreadID,
}
_, _, processName, err := win_eventlog.GetFromSnapProcess(event.Execution.ProcessID)
newProcessName, err := GetProcessName(event.Execution.ProcessID)

if processName != newProcessName {
level.Error(l).Log("msg", "process names are different", "legacy", processName, "new", newProcessName)
}

if err == nil {
structuredEvent.Execution.ProcessName = processName
}
}
return jsoniter.MarshalToString(structuredEvent)
}

func GetProcessName(pid uint32) (string, error) {
// PID 4 is always System
if pid == 4 {
return "System", nil
}

// PID 0 is always Idle Process
if pid == 0 {
return "Idle Process", nil
}

handle, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid)
if err != nil {
return "", fmt.Errorf("failed to open process %d: %w", pid, err)
}
defer windows.CloseHandle(handle)

var buf [windows.MAX_PATH]uint16
size := uint32(len(buf))
err = windows.QueryFullProcessImageName(handle, 0, &buf[0], &size)
if err != nil {
return "", fmt.Errorf("failed to get process name for %d: %w", pid, err)
}
return filepath.Base(windows.UTF16ToString(buf[:size])), nil
}
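Review bot: `newProcessName, err := GetProcessName(event.Execution.ProcessID)` reuses the `err` declared on the preceding `GetFromSnapProcess` line, so the `if err == nil` guard that assigns `structuredEvent.Execution.ProcessName` now reflects the new lookup rather than the legacy one, and a failure of either call is never logged — the "process names are different" line fires with an empty name instead. Give the new call its own error, `newProcessName, newErr := GetProcessName(event.Execution.ProcessID)`, log `newErr` when it is non-nil, and compare only when both lookups succeeded, `if err == nil && newErr == nil && processName != newProcessName {`; since this runs once per event, a mismatch is probably better logged at warn or debug than error. The enclosing block starts outside the hunk. `GetProcessName` is exported without a doc comment; I'd add one stating that it opens the process with `PROCESS_QUERY_LIMITED_INFORMATION` only, that the name comes from the live process table so a PID recycled between the event being written and this lookup yields another process's image name, and that images whose path exceeds `MAX_PATH` are returned as an error rather than truncated (assuming that is the behaviour of `QueryFullProcessImageName` with this fixed buffer — confirm). The `syscall` import added in the first hunk is not used by any visible new code; confirm it is needed elsewhere in the file, otherwise the build fails on an unused import.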
2 changes: 1 addition & 1 deletion internal/component/loki/source/windowsevent/target.go
Expand Up @@ -208,7 +208,7 @@ func (t *Target) renderEntries(events []win_eventlog.Event) []api.Entry {
entry.Labels[model.LabelName(lbl.Name)] = model.LabelValue(lbl.Value)
}

line, err := formatLine(t.cfg, event)
line, err := formatLine(t.cfg, event, t.logger)
if err != nil {
level.Warn(t.logger).Log("msg", "error formatting event", "err", err)
continue