From 915ef5e48044341a0b1d5ad9c266a81822cae834 Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Mon, 31 Oct 2022 23:45:47 -0400 Subject: [PATCH 01/10] Fix win event message to insert strings for placeholders --- .../windows_event_log/wineventlog/utils.go | 41 +++++++++++++++++++ .../wineventlog/wineventlog.go | 4 +- .../wineventlog/wineventlogrecord.go | 8 ++++ 3 files changed, 51 insertions(+), 2 deletions(-) diff --git a/plugins/inputs/windows_event_log/wineventlog/utils.go b/plugins/inputs/windows_event_log/wineventlog/utils.go index ca57856007..b0fc440e1e 100644 --- a/plugins/inputs/windows_event_log/wineventlog/utils.go +++ b/plugins/inputs/windows_event_log/wineventlog/utils.go @@ -11,6 +11,8 @@ import ( "fmt" "io/ioutil" "log" + "strconv" + "strings" "syscall" "time" @@ -168,3 +170,42 @@ func WindowsEventLogLevelName(levelId int32) string { return UNKNOWN } } + +func insertPlaceholderValues(rawMessage string, evtDataValues []Data) string { + if len(evtDataValues) == 0 { + return rawMessage + } + var sb strings.Builder + prevIndex := 0 + searchingIndex := false + for i, c := range rawMessage { + if searchingIndex { + if c > 57 || c < 48 { + ind, err := strconv.Atoi(rawMessage[prevIndex+1 : i]) + if err == nil && ind <= len(evtDataValues) && ind > 0 { + sb.WriteString(evtDataValues[ind-1].Value) + } else { + sb.WriteString(rawMessage[prevIndex:i]) + } + prevIndex = i + if c != 37 { + searchingIndex = false + } + } + } else { + if c == 37 { + sb.WriteString(rawMessage[prevIndex:i]) + searchingIndex = true + prevIndex = i + } + + } + } + ind, err := strconv.Atoi(rawMessage[prevIndex+1:]) + if searchingIndex && err == nil && ind <= len(evtDataValues) && ind > 0 { + sb.WriteString(evtDataValues[ind-1].Value) + } else { + sb.WriteString(rawMessage[prevIndex:]) + } + return sb.String() +} diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlog.go b/plugins/inputs/windows_event_log/wineventlog/wineventlog.go index 656839bc52..ed070e0a5d 100644 
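Review bot: insertPlaceholderValues treats every `%` followed by digits as an insertion placeholder, so text that merely contains such a sequence is rewritten. With two or more values, a percent-encoded byte such as `%2e` becomes the second insertion string followed by `e`, and the second `%` of a `%%n` token is substituted as if it were `%n` (as far as I know Windows reserves `%%n` for parameter-message lookups, not insertion strings; please confirm). For a log collector this changes what the event recorded, which matters when the record is later read as evidence. Consider skipping substitution when the `%` is itself preceded by `%`, and document the exact contract on the function, e.g. `// Only %n with 1 <= n <= len(evtDataValues) is replaced; every other % sequence is copied through unchanged.`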
--- a/plugins/inputs/windows_event_log/wineventlog/wineventlog.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlog.go @@ -331,7 +331,7 @@ func (w *windowsEventLog) getRecord(evtHandle EvtHandle) (*windowsEventLogRecord switch w.renderFormat { case FormatXml, FormatDefault: //XML format - newRecord.XmlFormatContent = string(descriptionBytes) + newRecord.XmlFormatContent = insertPlaceholderValues(string(descriptionBytes), newRecord.EventData.Values) case FormatPlainText: //old SSM agent Windows format var recordMessage eventMessage @@ -339,7 +339,7 @@ func (w *windowsEventLog) getRecord(evtHandle EvtHandle) (*windowsEventLogRecord if err != nil { return nil, fmt.Errorf("Unmarshal() err %v", err) } - newRecord.System.Description = recordMessage.Message + newRecord.System.Description = insertPlaceholderValues(recordMessage.Message, newRecord.EventData.Values) default: return nil, fmt.Errorf("renderFormat is not recognized, %s", w.renderFormat) } diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go index 33f88164fc..9eaaf571d2 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go @@ -45,6 +45,10 @@ type windowsEventLogRecord struct { Name string `xml:"Name,attr"` } `xml:"Provider"` } `xml:"System"` + + EventData struct { + Values []Data `xml:",any"` + } `xml:"EventData"` } func newEventLogRecord(l *windowsEventLog) *windowsEventLogRecord { @@ -78,3 +82,7 @@ func (record *windowsEventLogRecord) Value() (valueString string, err error) { func (record *windowsEventLogRecord) Timestamp() string { return fmt.Sprint(record.System.TimeCreated.SystemTime.UnixNano()) } + +type Data struct { + Value string `xml:",chardata"` +} From c6a41c96f740c734610227de0bdca4fdd3589e51 Mon Sep 17 00:00:00 2001 
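Review bot: On the `FormatXml, FormatDefault` branch the substitution runs over the whole rendered string rather than only the message text, and the inserted `Value` is XML chardata that the decoder has already unescaped. If `descriptionBytes` holds the full event XML (the `XmlFormatContent` name suggests so, but the render call is outside the hunk), a value containing `<`, `>` or `&` yields malformed or structurally altered XML, and `%n` sequences inside the `Data` elements themselves are rewritten as well. Event data frequently carries values chosen by whoever triggered the event, so downstream parsers should not receive it unescaped. Restrict the substitution to the message element, or escape each value with `xml.EscapeText` before inserting it on the XML path. The same call is added on the `FormatPlainText` branch in the next hunk, where escaping is not needed; getRecord begins and ends outside both hunks.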
From: Thomas Yang Date: Tue, 1 Nov 2022 01:26:00 -0400 Subject: [PATCH 02/10] Add test cases for insertion strings --- .../wineventlog/utils_test.go | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/plugins/inputs/windows_event_log/wineventlog/utils_test.go b/plugins/inputs/windows_event_log/wineventlog/utils_test.go index 7b05d93350..5bea3b68ec 100644 --- a/plugins/inputs/windows_event_log/wineventlog/utils_test.go +++ b/plugins/inputs/windows_event_log/wineventlog/utils_test.go @@ -77,6 +77,43 @@ func TestFullBufferUsedWithHalfUsedSizeReturned(t *testing.T) { assert.Equal(t, bufferUsed, len(str)) } +func TestInsertPlaceholderValues(t *testing.T) { + evtDataValues := []Data{ + {"value_1"}, {"value_2"}, {"value_3"}, {"value_4"}, + } + tests := []struct { + name string + message string + expected string + }{ + { + "Placeholders %{number} should be replaced by insertion strings", + "Service %1 in region %3 stop at %2", + "Service value_1 in region value_3 stop at value_2", + }, + { + "Index should start from 1 and less than or equal to the amount of values in event data", + "%0 %3 %5", + "%0 value_3 %5", + }, + { + "Handle consecutive % characters", + "%1 %%3% %2", + "value_1 %value_3%value_2", + }, + { + "Handle % character at the end of message", + "%3 %2%", + "value_3 value_2%", + }, + } + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + assert.Equal(t, tc.expected, insertPlaceholderValues(tc.message, evtDataValues)) + }) + } +} + func resetState() { NumberOfBytesPerCharacter = 0 } From e197f448c380a3d96c14224576d3d9f5572ab965 Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Tue, 1 Nov 2022 01:50:58 -0400 Subject: [PATCH 03/10] Add comment to insertPlaceholderValues --- .../inputs/windows_event_log/wineventlog/utils.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/plugins/inputs/windows_event_log/wineventlog/utils.go b/plugins/inputs/windows_event_log/wineventlog/utils.go index b0fc440e1e..449ee45e7c 100644 --- a/plugins/inputs/windows_event_log/wineventlog/utils.go +++ b/plugins/inputs/windows_event_log/wineventlog/utils.go @@ -171,6 +171,13 @@ func WindowsEventLogLevelName(levelId int32) string { } } +// In some cases wevtapi does not insert values when formatting the message. The message +// will contain insertion string placeholders, of the form %n, where %1 indicates the first +// insertion string, and so on. Noted that wevtapi start the index with 1. +// https://learn.microsoft.com/en-us/windows/win32/eventlog/event-identifiers#insertion-strings +// +// If we see those data in the `EventData` section, `insertPlaceholderValues` format the message +// with the correct values func insertPlaceholderValues(rawMessage string, evtDataValues []Data) string { if len(evtDataValues) == 0 { return rawMessage @@ -179,20 +186,26 @@ func insertPlaceholderValues(rawMessage string, evtDataValues []Data) string { prevIndex := 0 searchingIndex := false for i, c := range rawMessage { + // found `%` previously. Determine the index number from the following character(s) if searchingIndex { + // found the 1st char other than [0-9] if c > 57 || c < 48 { ind, err := strconv.Atoi(rawMessage[prevIndex+1 : i]) + // Convert the Slice since the last `%` and see if it's a valid number. + // If the index is in [1 - len(evtDataValues)], get it from evtDataValues. if err == nil && ind <= len(evtDataValues) && ind > 0 { sb.WriteString(evtDataValues[ind-1].Value) } else { sb.WriteString(rawMessage[prevIndex:i]) } prevIndex = i + // In case of consecutive `%`, continue searching for the next index if c != 37 { searchingIndex = false } } } else { + // ascii code of `%` is 37 if c == 37 { sb.WriteString(rawMessage[prevIndex:i]) searchingIndex = true 
@@ -201,6 +214,7 @@ func insertPlaceholderValues(rawMessage string, evtDataValues []Data) string { } } + // handle the slice sine the last `%` to the end of rawMessage ind, err := strconv.Atoi(rawMessage[prevIndex+1:]) if searchingIndex && err == nil && ind <= len(evtDataValues) && ind > 0 { sb.WriteString(evtDataValues[ind-1].Value) From 3dcd0f6060afefffb8eab39d0f9e89ba5766849f Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Tue, 1 Nov 2022 02:57:18 -0400 Subject: [PATCH 04/10] Update test and test cases for insertPlaceholderValues --- .../windows_event_log/wineventlog/utils.go | 32 ++++++++----------- .../wineventlog/utils_test.go | 2 +- 2 files changed, 15 insertions(+), 19 deletions(-) diff --git a/plugins/inputs/windows_event_log/wineventlog/utils.go b/plugins/inputs/windows_event_log/wineventlog/utils.go index 449ee45e7c..91466a3467 100644 --- a/plugins/inputs/windows_event_log/wineventlog/utils.go +++ b/plugins/inputs/windows_event_log/wineventlog/utils.go 
@@ -187,26 +187,22 @@ func insertPlaceholderValues(rawMessage string, evtDataValues []Data) string { searchingIndex := false for i, c := range rawMessage { // found `%` previously. Determine the index number from the following character(s) - if searchingIndex { - // found the 1st char other than [0-9] - if c > 57 || c < 48 { - ind, err := strconv.Atoi(rawMessage[prevIndex+1 : i]) - // Convert the Slice since the last `%` and see if it's a valid number. - // If the index is in [1 - len(evtDataValues)], get it from evtDataValues. - if err == nil && ind <= len(evtDataValues) && ind > 0 { - sb.WriteString(evtDataValues[ind-1].Value) - } else { - sb.WriteString(rawMessage[prevIndex:i]) - } - prevIndex = i - // In case of consecutive `%`, continue searching for the next index - if c != 37 { - searchingIndex = false - } + if searchingIndex && (c > '9' || c < '0') { + // Convert the Slice since the last `%` and see if it's a valid number. + ind, err := strconv.Atoi(rawMessage[prevIndex+1 : i]) + // If the index is in [1 - len(evtDataValues)], get it from evtDataValues. + if err == nil && ind <= len(evtDataValues) && ind > 0 { + sb.WriteString(evtDataValues[ind-1].Value) + } else { + sb.WriteString(rawMessage[prevIndex:i]) + } + prevIndex = i + // In case of consecutive `%`, continue searching for the next index + if c != '%' { + searchingIndex = false } } else { - // ascii code of `%` is 37 - if c == 37 { + if c == '%' { sb.WriteString(rawMessage[prevIndex:i]) searchingIndex = true prevIndex = i diff --git a/plugins/inputs/windows_event_log/wineventlog/utils_test.go b/plugins/inputs/windows_event_log/wineventlog/utils_test.go index 5bea3b68ec..83bdc1bff4 100644 --- a/plugins/inputs/windows_event_log/wineventlog/utils_test.go +++ b/plugins/inputs/windows_event_log/wineventlog/utils_test.go 
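Review bot: The `} else { if c == '%' { … } }` nesting that remains after this refactor can be flattened to `} else if c == '%' {`, which removes one indent level and the stray blank line before the closing brace. The first branch would also read more easily with a small helper such as `isDigit(c)` instead of `(c > '9' || c < '0')`. insertPlaceholderValues begins and ends outside the hunk.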
@@ -99,7 +99,7 @@ func TestInsertPlaceholderValues(t *testing.T) { { "Handle consecutive % characters", "%1 %%3% %2", - "value_1 %value_3%value_2", + "value_1 %value_3% value_2", }, { "Handle % character at the end of message", From 6edc17b719cf64fd48664015c57dcda7e94ef07c Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Tue, 1 Nov 2022 04:23:59 -0400 Subject: [PATCH 05/10] Add UserData as a source of insertion strings --- .../wineventlog/wineventlog.go | 10 +++- .../wineventlog/wineventlogrecord.go | 46 +++++++++++++++++-- 2 files changed, 51 insertions(+), 5 deletions(-) diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlog.go b/plugins/inputs/windows_event_log/wineventlog/wineventlog.go index ed070e0a5d..09684ec5d9 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlog.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlog.go @@ -328,10 +328,16 @@ func (w *windowsEventLog) getRecord(evtHandle EvtHandle) (*windowsEventLogRecord return nil, fmt.Errorf("utf16ToUTF8Bytes() err %v", err) } + // The insertion strings could be in either EventData or UserData + dataValues := newRecord.EventData.Values + // The UserData section is used if EventData is empty + if len(dataValues) == 0 { + dataValues = newRecord.UserData.Values + } switch w.renderFormat { case FormatXml, FormatDefault: //XML format - newRecord.XmlFormatContent = insertPlaceholderValues(string(descriptionBytes), newRecord.EventData.Values) + newRecord.XmlFormatContent = insertPlaceholderValues(string(descriptionBytes), dataValues) case FormatPlainText: //old SSM agent Windows format var recordMessage eventMessage 
@@ -339,7 +345,7 @@ func (w *windowsEventLog) getRecord(evtHandle EvtHandle) (*windowsEventLogRecord if err != nil { return nil, fmt.Errorf("Unmarshal() err %v", err) } - newRecord.System.Description = insertPlaceholderValues(recordMessage.Message, newRecord.EventData.Values) + newRecord.System.Description = insertPlaceholderValues(recordMessage.Message, dataValues) default: return nil, fmt.Errorf("renderFormat is not recognized, %s", w.renderFormat) } diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go index 9eaaf571d2..26dc63e145 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go @@ -7,6 +7,7 @@ package wineventlog import ( + "encoding/xml" "fmt" "strconv" "time" @@ -46,9 +47,8 @@ type windowsEventLogRecord struct { } `xml:"Provider"` } `xml:"System"` - EventData struct { - Values []Data `xml:",any"` - } `xml:"EventData"` + EventData EventData `xml:"EventData"` + UserData UserData `xml:"UserData"` } func newEventLogRecord(l *windowsEventLog) *windowsEventLogRecord { 
@@ -83,6 +83,46 @@ func (record *windowsEventLogRecord) Timestamp() string { return fmt.Sprint(record.System.TimeCreated.SystemTime.UnixNano()) } +type EventData struct { + Values []Data `xml:",any"` +} + +type UserData struct { + Values []Data `xml:",any"` +} + +// UserData has slightly different schema than EventData so that we need to overrid this +// unmarshal function to get similar structure +// +// https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-userdatatype-complextype +// https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-eventdatatype-complextype +func (u *UserData) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error { + in := struct { + Values []Data `xml:",any"` + }{} + + // Read tokens until we find the first StartElement then unmarshal it. + for { + t, err := d.Token() + if err != nil { + return err + } + + if se, ok := t.(xml.StartElement); ok { + err = d.DecodeElement(&in, &se) + if err != nil { + return err + } + + u.Values = in.Values + d.Skip() + break + } + } + + return nil +} + type Data struct { Value string `xml:",chardata"` } From 3d40e168d85ef462fd490a9dacb339e9e21b4c67 Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Wed, 2 Nov 2022 14:32:22 -0400 Subject: [PATCH 06/10] Fix typo in comments. Update comments. Rename variable names --- .../windows_event_log/wineventlog/utils.go | 12 +++++----- .../wineventlog/utils_test.go | 17 +++++++++++++- .../wineventlog/wineventlog.go | 8 +++++-- .../wineventlog/wineventlogrecord.go | 23 +++++++++---------- 4 files changed, 39 insertions(+), 21 deletions(-) diff --git a/plugins/inputs/windows_event_log/wineventlog/utils.go b/plugins/inputs/windows_event_log/wineventlog/utils.go index 91466a3467..fd3ee10f81 100644 --- a/plugins/inputs/windows_event_log/wineventlog/utils.go +++ b/plugins/inputs/windows_event_log/wineventlog/utils.go 
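Review bot: UserData.UnmarshalXML loops on `d.Token()` until it meets a StartElement, so a `UserData` element with no child element reads past its own end tag and keeps consuming the parent's tokens until a sibling element or `io.EOF` turns up. In the EOF case the whole record fails to unmarshal, and getRecord (outside this hunk) presumably then drops the event. The result of `d.Skip()` is also discarded. Stop at the matching `xml.EndElement` and return the Skip error, as sketched below; a fixture with an empty `UserData` element would pin the behaviour.

```go
func (u *UserData) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	// … unchanged: declaration of in …
	for {
		t, err := d.Token()
		if err != nil {
			return err
		}
		switch el := t.(type) {
		case xml.StartElement:
			if err := d.DecodeElement(&in, &el); err != nil {
				return err
			}
			u.Values = in.Values
			// Consume the rest of UserData, including its end tag.
			return d.Skip()
		case xml.EndElement:
			// UserData had no child element; its end tag is now consumed.
			return nil
		}
	}
}
```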
@@ -171,15 +171,15 @@ func WindowsEventLogLevelName(levelId int32) string { } } +// insertPlaceholderValues formats the message with the correct values if we see those data +// in evtDataValues. +// // In some cases wevtapi does not insert values when formatting the message. The message // will contain insertion string placeholders, of the form %n, where %1 indicates the first // insertion string, and so on. Noted that wevtapi start the index with 1. // https://learn.microsoft.com/en-us/windows/win32/eventlog/event-identifiers#insertion-strings -// -// If we see those data in the `EventData` section, `insertPlaceholderValues` format the message -// with the correct values -func insertPlaceholderValues(rawMessage string, evtDataValues []Data) string { - if len(evtDataValues) == 0 { +func insertPlaceholderValues(rawMessage string, evtDataValues []Datum) string { + if len(evtDataValues) == 0 || len(rawMessage) == 0 { return rawMessage } var sb strings.Builder @@ -210,7 +210,7 @@ func insertPlaceholderValues(rawMessage string, evtDataValues []Data) string { } } - // handle the slice sine the last `%` to the end of rawMessage + // handle the slice since the last `%` to the end of rawMessage ind, err := strconv.Atoi(rawMessage[prevIndex+1:]) if searchingIndex && err == nil && ind <= len(evtDataValues) && ind > 0 { sb.WriteString(evtDataValues[ind-1].Value) diff --git a/plugins/inputs/windows_event_log/wineventlog/utils_test.go b/plugins/inputs/windows_event_log/wineventlog/utils_test.go index 83bdc1bff4..40586504d3 100644 --- a/plugins/inputs/windows_event_log/wineventlog/utils_test.go +++ b/plugins/inputs/windows_event_log/wineventlog/utils_test.go @@ -78,7 +78,7 @@ func TestFullBufferUsedWithHalfUsedSizeReturned(t *testing.T) { } func TestInsertPlaceholderValues(t *testing.T) { - evtDataValues := []Data{ + evtDataValues := []Datum{ {"value_1"}, {"value_2"}, {"value_3"}, {"value_4"}, } tests := []struct { 
@@ -91,6 +91,16 @@ func TestInsertPlaceholderValues(t *testing.T) { "Service %1 in region %3 stop at %2", "Service value_1 in region value_3 stop at value_2", }, + { + "String without a placeholder should remain the same after insertion", + "This is a sentence without placeholders", + "This is a sentence without placeholders", + }, + { + "Empty string should remain the same", + "", + "", + }, { "Index should start from 1 and less than or equal to the amount of values in event data", "%0 %3 %5", @@ -106,6 +116,11 @@ func TestInsertPlaceholderValues(t *testing.T) { "%3 %2%", "value_3 value_2%", }, + { + "Characters after a % other than numbers should be ignored", + "%foo, %foo1, %#$%^&1", + "%foo, %foo1, %#$%^&1", + }, } for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlog.go b/plugins/inputs/windows_event_log/wineventlog/wineventlog.go index 09684ec5d9..0dd349397b 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlog.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlog.go @@ -329,10 +329,14 @@ func (w *windowsEventLog) getRecord(evtHandle EvtHandle) (*windowsEventLogRecord } // The insertion strings could be in either EventData or UserData - dataValues := newRecord.EventData.Values + // Notes on the insertion strings: + // - The EvtFormatMessage has the valueCount and values parameters, yet it does not work when we tried passing + // EventData/UserData into those parameters. We can later do more research on making EvtFormatMessage with + // valueCount and values parameters works and compare if there is any benefit. + dataValues := newRecord.EventData.Data // The UserData section is used if EventData is empty if len(dataValues) == 0 { - dataValues = newRecord.UserData.Values + dataValues = newRecord.UserData.Data } switch w.renderFormat { case FormatXml, FormatDefault: 
diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go index 26dc63e145..516f5b6b01 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord.go @@ -83,23 +83,26 @@ func (record *windowsEventLogRecord) Timestamp() string { return fmt.Sprint(record.System.TimeCreated.SystemTime.UnixNano()) } +type Datum struct { + Value string `xml:",chardata"` +} + type EventData struct { - Values []Data `xml:",any"` + Data []Datum `xml:",any"` } type UserData struct { - Values []Data `xml:",any"` + Data []Datum `xml:",any"` } -// UserData has slightly different schema than EventData so that we need to overrid this -// unmarshal function to get similar structure +// UnmarshalXML unmarshals the UserData section in the windows event xml to UserData struct // +// UserData has slightly different schema than EventData so that we need to override this +// to get similar structure // https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-userdatatype-complextype // https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-eventdatatype-complextype func (u *UserData) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error { - in := struct { - Values []Data `xml:",any"` - }{} + in := EventData{} // Read tokens until we find the first StartElement then unmarshal it. for { @@ -114,7 +117,7 @@ func (u *UserData) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error { return err } - u.Values = in.Values + u.Data = in.Data d.Skip() break } @@ -122,7 +125,3 @@ func (u *UserData) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error { return nil } - -type Data struct { - Value string `xml:",chardata"` -} From 04da18cfb28bfc494834b54292be8100f6f0b879 Mon Sep 17 00:00:00 2001 
From: Thomas Yang Date: Wed, 2 Nov 2022 14:36:44 -0400 Subject: [PATCH 07/10] Add test cases for EventData/UserData in windowsEventLogRecord --- .../wineventlog/wineventlogrecord_test.go | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go new file mode 100644 index 0000000000..3ecf8ec9b0 --- /dev/null +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go @@ -0,0 +1,67 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: MIT + +//go:build windows +// +build windows + +package wineventlog + +import ( + "encoding/xml" + "github.com/stretchr/testify/assert" + "testing" +) + +func TestUnmarshalWinEvtRecord(t *testing.T) { + tests := []struct { + xml string + wEvtRecord windowsEventLogRecord + }{ + { + xml: ` + + + 2022-10-28T22:33:25Z + RulesEngine + 2 + + + `, + wEvtRecord: windowsEventLogRecord{ + EventData: EventData{ + Data: []Datum{ + {"2022-10-28T22:33:25Z"}, + {"RulesEngine"}, + {"2"}, + }, + }, + }, + }, + { + xml: ` + + + + 0 + 2022-10-26T20:24:13.4253261Z + + + + `, + wEvtRecord: windowsEventLogRecord{ + UserData: UserData{ + Data: []Datum{ + {"0"}, + {"2022-10-26T20:24:13.4253261Z"}, + }, + }, + }, + }, + } + + for _, test := range tests { + record := new(windowsEventLogRecord) + xml.Unmarshal([]byte(test.xml), record) + assert.Equal(t, test.wEvtRecord, record) + } +} From 7daa2537204bb2d58ee5db3204fa2db78c1b0297 Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Wed, 2 Nov 2022 15:12:34 -0400 Subject: [PATCH 08/10] Fix TestUnmarshalWinEvtRecord to use pointer --- .../windows_event_log/wineventlog/wineventlogrecord_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
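Review bot: TestUnmarshalWinEvtRecord discards the error returned by `xml.Unmarshal`, so a fixture that fails to parse surfaces only indirectly through the equality check and without the parser's message. Assert it explicitly with `assert.NoError(t, xml.Unmarshal([]byte(test.xml), record))`. It would also help to add fixtures for an empty `UserData` element and for a record carrying both `EventData` and `UserData`, since those are the paths the custom UnmarshalXML and the fallback in getRecord depend on. In the import block, `testing` belongs in the standard-library group with `encoding/xml`, ahead of the testify import.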
diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go index 3ecf8ec9b0..eb82395310 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go @@ -61,7 +61,7 @@ func TestUnmarshalWinEvtRecord(t *testing.T) { for _, test := range tests { record := new(windowsEventLogRecord) - xml.Unmarshal([]byte(test.xml), record) + xml.Unmarshal([]byte(test.xml), &record) assert.Equal(t, test.wEvtRecord, record) } } From 79f98f528537a4d6be957ef199f4116a68c58e6a Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Wed, 2 Nov 2022 15:34:05 -0400 Subject: [PATCH 09/10] Fix TestUnmarshalWinEvtRecord to use pointer --- .../windows_event_log/wineventlog/wineventlogrecord_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go index eb82395310..90bd565ed5 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go @@ -61,7 +61,7 @@ func TestUnmarshalWinEvtRecord(t *testing.T) { for _, test := range tests { record := new(windowsEventLogRecord) - xml.Unmarshal([]byte(test.xml), &record) - assert.Equal(t, test.wEvtRecord, record) + xml.Unmarshal([]byte(test.xml), record) + assert.Equal(t, test.wEvtRecord, &record) } } From dbc4bf4f3edaf25f7cef02f985ee1e65742adfc9 Mon Sep 17 00:00:00 2001 From: Thomas Yang Date: Wed, 2 Nov 2022 15:58:50 -0400 Subject: [PATCH 10/10] Fix pointer issue in TestUnmarshalWinEvtRecord --- .../windows_event_log/wineventlog/wineventlogrecord_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go index 90bd565ed5..e07c600e2f 100644 --- a/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go +++ b/plugins/inputs/windows_event_log/wineventlog/wineventlogrecord_test.go @@ -60,8 +60,8 @@ func TestUnmarshalWinEvtRecord(t *testing.T) { } for _, test := range tests { - record := new(windowsEventLogRecord) - xml.Unmarshal([]byte(test.xml), record) - assert.Equal(t, test.wEvtRecord, &record) + var record windowsEventLogRecord + xml.Unmarshal([]byte(test.xml), &record) + assert.Equal(t, test.wEvtRecord, record) } }