Skip to content

Refactor Windows Filter flags #1926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Refactor Windows Filter flags #1926

wants to merge 10 commits into from

Conversation

@agarakan
Copy link
Contributor

@agarakan agarakan commented Oct 29, 2025
edited
Loading

Description of the issue

Move the Windows feature flag detection into the useragent.go component

Description of changes

Removes logic from windows_event_log.go and implements refactored solution in useragent.go including testing

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

make lint
make fmt
make fmt-sh
make test

Ran agent on windows instance for e2e test. See userAgent headers with expected fllters

> CWAgent/1.300061.0-4-gc5012da5
  (go1.24.7; windows; amd64)
  ID/65cffef8-5155-46fe-a8f4-6e19b15b0e3c
  inputs:(nop run_as_user windows_event_log)
  outputs:(cloudwatchlogs nop)
  feature:(win_event_filters win_event_ids win_event_levels)
  aws-sdk-go/1.48.6
  (go1.24.7; windows; amd64)
  exec-env/EC2

using CWA config

{
  "agent": {
    "debug": true
  },
  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "System",
            "event_levels": [
              "INFORMATION",
              "WARNING",
              "ERROR"
            ],
            "event_ids": [
              7036,
              7040
            ],
            "filters": [
              {
                "type": "include",
                "expression": "EventID=7036"
              }
            ],
            "log_group_name": "windows-system-events",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 1
          },
          {
            "event_name": "Application",
            "event_levels": [
              "ERROR",
              "CRITICAL"
            ],
            "event_format": "xml",
            "log_group_name": "windows-app-events",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 1
          }
        ]
      }
    }
  }
}


Feature Flag Triggers:
• 🔹 flagWindowsEventIDs → "event_ids": [7036, 7040]
• 🔹 flagWindowsEventFilters →
"filters": [{"type": "include", "expression": "EventID=7036"}]
• 🔹 flagWindowsEventLevels →
"event_levels": ["INFORMATION", "WARNING", "ERROR"]

See CloudTrail command to retrieve UserAgent from the CW event header once CWA started with above config

ws cloudtrail lookup-events --region us-west-2 \
  --lookup-attributes AttributeKey=Username,AttributeValue=i-redacted \
  --max-results 20 \
  --query 'Events[?EventSource==`logs.amazonaws.com`] | [0].CloudTrailEvent' \
  --output text | jq -r '.userAgent'

Requirements

Before commiting your code, please do the following steps.

  1. Run make fmt and make fmt-sh
  2. Run make lint

Integration Tests

To run integration tests against this PR, add the ready for testing label.

@agarakan agarakan added the ready for testing Indicates this PR is ready for integration tests to run label Oct 29, 2025
@agarakan agarakan changed the title Refactor Refactor Windows Filter Adoption Metrics Oct 29, 2025
@agarakan agarakan marked this pull request as ready for review October 29, 2025 17:37
@agarakan agarakan requested a review from a team as a code owner October 29, 2025 17:37
sky333999
sky333999 previously approved these changes Oct 30, 2025
View reviewed changes
TravisStark
TravisStark previously approved these changes Oct 30, 2025
View reviewed changes
jefchien
jefchien reviewed Oct 30, 2025
View reviewed changes
@agarakan agarakan dismissed stale reviews from TravisStark and sky333999 via f583738 October 30, 2025 22:37
jefchien
jefchien previously approved these changes Oct 31, 2025
View reviewed changes
@agarakan agarakan changed the title Refactor Windows Filter Adoption Metrics Refactor Windows Filter flags Oct 31, 2025
jefchien
jefchien previously approved these changes Oct 31, 2025
View reviewed changes
@TravisStark
Copy link
Contributor

TravisStark commented Oct 31, 2025

Nit: details are out of date from the latest changes regarding change locations

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TravisStark TravisStark TravisStark left review comments

@jefchien jefchien jefchien left review comments

@sky333999 sky333999 sky333999 left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

ready for testing Indicates this PR is ready for integration tests to run

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@agarakan @TravisStark @jefchien @sky333999