Adds new Eventlog data provider

2026-02-03 04:09:29 -05:00 · 2024-02-14 11:09:36 +01:00 · 2024-02-14 11:09:36 +01:00 · fcd2d52736
commit fcd2d52736
parent c10b8f69bb
6 changed files with 370 additions and 0 deletions
--- a/doc/100-General/10-Changelog.md
+++ b/doc/100-General/10-Changelog.md
@ -24,6 +24,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#631](https://github.com/Icinga/icinga-powershell-framework/pull/631) Deduplicates `-C try { Use-Icinga ...` boilerplate by adding it to the `PowerShell Base` template and removing it from every single command
 * [#669](https://github.com/Icinga/icinga-powershell-framework/pull/669) Adds new metric to the CPU provider, allowing for distinguishing between the average total load as well as the sum of it
 * [#679](https://github.com/Icinga/icinga-powershell-framework/pull/679) Adds a new data provider for fetching process information of Windows systems, while sorting all objects based on a process name and their process id
+* [#682](https://github.com/Icinga/icinga-powershell-framework/pull/682) Adds new data provider for fetching Eventlog information to increase performance and reduce memory impact
 * [#688](https://github.com/Icinga/icinga-powershell-framework/pull/688) Adds new handling to add scheduled tasks in Windows for interacting with Icinga for Windows core functionality as well as an auto renewal task for the Icinga for Windows certificate generation
 * [#690](https://github.com/Icinga/icinga-powershell-framework/pull/690) Adds automatic renewal of the `icingaforwindows.pfx` certificate for the REST-Api daemon in case the certificate is not yet present, valid or changed during the runtime of the daemon while also making the `icingaforwindows.pfx` mandatory for all installations, regardless of JEA being used or not
 * [#692](https://github.com/Icinga/icinga-powershell-framework/pull/692) Renames `Restart-IcingaWindowsService` to `Restart-IcingaForWindows` and adds alias for backwards compatibility to start unifying the Icinga for Windows cmdlets
--- a/lib/provider/core/Get-IcingaProviderFilterData.psm1
+++ b/lib/provider/core/Get-IcingaProviderFilterData.psm1
@ -0,0 +1,24 @@
+function Get-IcingaProviderFilterData()
+{
+    param (
+        [string]$ProviderName      = '',
+        [hashtable]$ProviderFilter = @()
+    );
+
+    [hashtable]$FilterResult = @{ };
+
+    foreach ($filterObject in $ProviderFilter.Keys) {
+        if ($filterObject.ToLower() -ne $ProviderName.ToLower()) {
+            continue;
+        }
+
+        if ($FilterResult.ContainsKey($filterObject) -eq $FALSE) {
+            $FilterResult.Add(
+                $filterObject,
+                (New-IcingaProviderFilterObject -ProviderName $ProviderName -HashtableFilter $ProviderFilter[$filterObject])
+            );
+        }
+    }
+
+    return $FilterResult;
+}
--- a/lib/provider/core/New-IcingaProviderFilterObject.psm1
+++ b/lib/provider/core/New-IcingaProviderFilterObject.psm1
@ -0,0 +1,39 @@
+function New-IcingaProviderFilterObject()
+{
+    param (
+        [string]$ProviderName       = '',
+        [hashtable]$HashtableFilter = @{ }
+    );
+
+    if ([string]::IsNullOrEmpty($ProviderName)) {
+        return @{ };
+    }
+
+    [array]$ProviderFilterCmdlet = Get-Command ([string]::Format('New-IcingaProviderFilterData{0}', $ProviderName)) -ErrorAction SilentlyContinue;
+
+    if ($null -eq $ProviderFilterCmdlet -Or $ProviderFilterCmdlet.Count -eq 0) {
+        return @{ };
+    }
+
+    if ((Test-IcingaForWindowsCmdletLoader -Path $ProviderFilterCmdlet[0].Module.ModuleBase) -eq $FALSE) {
+        return @{ };
+    }
+
+    $FilterResult = & $ProviderFilterCmdlet[0].Name @HashtableFilter;
+
+    [string]$ObjectName = $ProviderName;
+    $CmdHelp            = Get-Help ($ProviderFilterCmdlet[0].Name) -ErrorAction SilentlyContinue;
+
+    if ($null -ne $CmdHelp) {
+        if ([string]::IsNullOrEmpty($CmdHelp.Role) -eq $FALSE) {
+            [string]$ObjectName = [string]($CmdHelp.Role);
+        }
+    }
+
+    $CmdHelp              = $null;
+    $ProviderFilterCmdlet = $null;
+
+    return @{
+        $ObjectName = $FilterResult;
+    };
+}
--- a/lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1
+++ b/lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1
@ -0,0 +1,28 @@
+function Add-IcingaProviderEventlogFilterData()
+{
+    param(
+        [string]$EventFilter = '',
+        $StringBuilderObject = $null
+    );
+
+    if ($null -eq $StringBuilderObject -Or $StringBuilderObject.Length -eq 0) {
+        return $EventFilter;
+    }
+
+    [string]$NewStringEntry = $StringBuilderObject.ToString();
+
+    $StringBuilderObject.Clear();
+    $StringBuilderObject = $null;
+
+    if ([string]::IsNullOrEmpty($NewStringEntry)) {
+        return $EventFilter;
+    }
+
+    if ([string]::IsNullOrEmpty($EventFilter)) {
+        return $NewStringEntry;
+    }
+
+    [string]$EventFilter = [string]::Format('{0} and {1}', $EventFilter, $NewStringEntry);
+
+    return $EventFilter;
+}
--- a/lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1
+++ b/lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1
@ -0,0 +1,20 @@
+function Get-IcingaProviderDataValuesEventlog()
+{
+    param (
+        [array]$IncludeFilter      = @(),
+        [array]$ExcludeFilter      = @(),
+        [hashtable]$ProviderFilter = @(),
+        [switch]$IncludeDetails    = $FALSE
+    );
+
+    $EventlogData            = New-IcingaProviderObject -Name 'Eventlog';
+    [hashtable]$FilterObject = Get-IcingaProviderFilterData -ProviderName 'Eventlog' -ProviderFilter $ProviderFilter;
+
+    $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'List'      -Value $FilterObject.EventLog.Query.List;
+    $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'Events'    -Value $FilterObject.EventLog.Query.Events;
+    $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'HasEvents' -Value $FilterObject.EventLog.Query.HasEvents;
+
+    $FilterObject = $null;
+
+    return $EventlogData;
+}
--- a/lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1
+++ b/lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1
@ -0,0 +1,258 @@
+<#
+.ROLE
+    Query
+#>
+
+function New-IcingaProviderFilterDataEventlog()
+{
+    param(
+        [string]$LogName          = '',
+        [array]$IncludeEventId    = @(),
+        [array]$ExcludeEventId    = @(),
+        [array]$IncludeUsername   = @(),
+        [array]$ExcludeUsername   = @(),
+        [array]$IncludeEntryType  = @(),
+        [array]$ExcludeEntryType  = @(),
+        [array]$IncludeMessage    = @(),
+        [array]$ExcludeMessage    = @(),
+        [array]$IncludeSource     = @(),
+        [array]$ExcludeSource     = @(),
+        [string]$EventsAfter      = $null,
+        [string]$EventsBefore     = $null,
+        [int]$MaxEntries          = 40000,
+        [switch]$DisableTimeCache = $FALSE
+    );
+
+    [string]$EventLogFilter = '';
+    $EventIdFilter          = New-Object -TypeName 'System.Text.StringBuilder';
+    $EntryTypeFilter        = New-Object -TypeName 'System.Text.StringBuilder';
+    $SourceFilter           = New-Object -TypeName 'System.Text.StringBuilder';
+    $UserFilter             = New-Object -TypeName 'System.Text.StringBuilder';
+    $TimeFilter             = New-Object -TypeName 'System.Text.StringBuilder';
+    $EventAfterFilter       = $null;
+    $EventBeforeFilter      = $null;
+    $EventsAfter            = (Convert-IcingaPluginThresholds -Threshold $EventsAfter).Value;
+    $EventsBefore           = (Convert-IcingaPluginThresholds -Threshold $EventsBefore).Value;
+    [string]$CheckHash      = (Get-StringSha1 ($LogName + $IncludeEventId + $ExcludeEventId + $IncludeUsername + $ExcludeUsername + $IncludeEntryType + $ExcludeEntryType + $IncludeMessage + $ExcludeMessage)) + '.lastcheck';
+
+    if ([string]::IsNullOrEmpty($EventsAfter) -and $DisableTimeCache -eq $FALSE) {
+        $time = Get-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash;
+        Set-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash -Value ((Get-Date).ToFileTime());
+
+        if ($null -ne $time) {
+            $EventAfterFilter = ([datetime]::FromFileTime($time)).ToString("yyyy-MM-dd HH:mm:ss");
+        }
+    }
+
+    # In case we are not having cached time execution and not have not overwritten the timestamp, only fetch values from 2 hours in the past
+    if ([string]::IsNullOrEmpty($EventAfterFilter)) {
+        if ([string]::IsNullOrEmpty($EventsAfter)) {
+            [string]$EventAfterFilter = ([datetime]::Now.Subtract([TimeSpan]::FromHours(2))).ToString("yyyy-MM-dd HH:mm:ss");
+        } else {
+            if ((Test-Numeric $EventsAfter)) {
+                [string]$EventAfterFilter = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($EventsAfter))).ToString('yyyy\/MM\/dd HH:mm:ss');
+            } else {
+                [string]$EventAfterFilter = $EventsAfter;
+            }
+        }
+    }
+
+    if ([string]::IsNullOrEmpty($EventsBefore) -eq $FALSE) {
+        if ((Test-Numeric $EventsBefore)) {
+            [string]$EventBeforeFilter = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($EventsBefore))).ToString("yyyy-MM-dd HH:mm:ss");
+        } else {
+            [string]$EventBeforeFilter = $EventsBefore;
+        }
+    } else {
+        [string]$EventBeforeFilter = ([datetime]::FromFileTime(((Get-Date).ToFileTime()))).ToString("yyyy-MM-dd HH:mm:ss");
+    }
+
+    foreach ($entry in $IncludeEventId) {
+        if ($EventIdFilter.Length -ne 0) {
+            $EventIdFilter.Append(
+                ([string]::Format(' and EventID={0}', $entry))
+            ) | Out-Null;
+        } else {
+            $EventIdFilter.Append(
+                ([string]::Format('EventID={0}', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeEventId) {
+        if ($EventIdFilter.Length -ne 0) {
+            $EventIdFilter.Append(
+                ([string]::Format(' and EventID!={0}', $entry))
+            ) | Out-Null;
+        } else {
+            $EventIdFilter.Append(
+                ([string]::Format('EventID!={0}', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $IncludeEntryType) {
+        [string]$EntryId = $ProviderEnums.EventLogSeverity[$entry];
+        if ($EntryTypeFilter.Length -ne 0) {
+            $EntryTypeFilter.Append(
+                ([string]::Format(' and Level={0}', $EntryId))
+            ) | Out-Null;
+        } else {
+            $EntryTypeFilter.Append(
+                ([string]::Format('Level={0}', $EntryId))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeEntryType) {
+        [string]$EntryId = $ProviderEnums.EventLogSeverity[$entry];
+        if ($EntryTypeFilter.Length -ne 0) {
+            $EntryTypeFilter.Append(
+                ([string]::Format(' and Level!={0}', $EntryId))
+            ) | Out-Null;
+        } else {
+            $EntryTypeFilter.Append(
+                ([string]::Format('Level!={0}', $EntryId))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $IncludeSource) {
+        if ($SourceFilter.Length -ne 0) {
+            $SourceFilter.Append(
+                ([string]::Format(' and Provider[@Name="{0}"]', $entry))
+            ) | Out-Null;
+        } else {
+            $SourceFilter.Append(
+                ([string]::Format('Provider[@Name="{0}"]', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeSource) {
+        if ($SourceFilter.Length -ne 0) {
+            $SourceFilter.Append(
+                ([string]::Format(' and Provider[@Name!="{0}"]', $entry))
+            ) | Out-Null;
+        } else {
+            $SourceFilter.Append(
+                ([string]::Format('Provider[@Name!="{0}"]', $entry))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $IncludeUsername) {
+        [string]$UserSID = (Get-IcingaUserSID -User $entry);
+        if ($UserFilter.Length -ne 0) {
+            $UserFilter.Append(
+                ([string]::Format(' and Security[@UserID="{0}', $UserSID))
+            ) | Out-Null;
+        } else {
+            $UserFilter.Append(
+                ([string]::Format('Security[@UserID="{0}"]', $UserSID))
+            ) | Out-Null;
+        }
+    }
+
+    foreach ($entry in $ExcludeUsername) {
+        [string]$UserSID = (Get-IcingaUserSID -User $entry);
+        if ($UserFilter.Length -ne 0) {
+            $UserFilter.Append(
+                ([string]::Format(' and Security[@UserID!="{0}"]', $UserSID))
+            ) | Out-Null;
+        } else {
+            $UserFilter.Append(
+                ([string]::Format('Security[@UserID!="{0}"]', $UserSID))
+            ) | Out-Null;
+        }
+    }
+
+    $TimeFilter.Append(
+        ([string]::Format('TimeCreated[@SystemTime>="{0}"]', (Get-Date $EventAfterFilter).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ssZ")))
+    ) | Out-Null;
+
+    $TimeFilter.Append(
+        ([string]::Format(' and TimeCreated[@SystemTime<="{0}"]', (Get-Date $EventBeforeFilter).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ssZ")))
+    ) | Out-Null;
+
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $EventIdFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $EntryTypeFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $SourceFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $UserFilter;
+    [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $TimeFilter;
+
+    while ($EventLogFilter[0] -eq ' ') {
+        $EventLogFilter = $EventLogFilter.Substring(1, $EventLogFilter.Length - 1);
+    }
+
+    [string]$EventLogFilter = [string]::Format('Event[System[{0}]]', $EventLogFilter);
+
+    try {
+        $EventLogEntries = Get-WinEvent -LogName $LogName -MaxEvents $MaxEntries -FilterXPath $EventLogFilter -ErrorAction Stop;
+    } catch {
+        Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'ParameterArgumentValidationError' -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogNegativeEntries;
+        Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'CannotConvertArgumentNoMessage' -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogNoMessageEntries;
+        Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'NoMatchingLogsFound' -CustomMessage (-Join $LogName) -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogLogName;
+    }
+
+    $EventLogQueryData = New-Object PSCustomObject;
+    $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'List'      -Value (New-Object PSCustomObject);
+    $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'Events'    -Value (New-Object PSCustomObject);
+    $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'HasEvents' -Value $FALSE;
+
+    foreach ($event in $EventLogEntries) {
+        # Filter out remaining message not matching our filter
+        if ((Test-IcingaArrayFilter -InputObject $event.Message -Include $IncludeMessage -Exclude $ExcludeMessage) -eq $FALSE) {
+            continue;
+        }
+
+        $EventLogQueryData.HasEvents = $TRUE;
+
+        [string]$EventIdentifier = [string]::Format('{0}-{1}',
+            $event.Id,
+            $event.ProviderName
+        );
+
+        [string]$EventHash = Get-StringSha1 $EventIdentifier;
+
+        if ((Test-PSCustomObjectMember -PSObject $EventLogQueryData.List -Name $EventHash) -eq $FALSE) {
+            [string]$EventMessage = [string]($event.Message);
+            if ([string]::IsNullOrEmpty($EventMessage)) {
+                $EventMessage = '';
+            }
+
+            $EventLogQueryData.List            | Add-Member -MemberType NoteProperty -Name $EventHash    -Value (New-Object PSCustomObject);
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'NewestEntry' -Value ([string]($event.TimeCreated));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'OldestEntry' -Value ([string]($event.TimeCreated));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'EventId'     -Value ([string]($event.Id));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Message'     -Value $EventMessage;
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Severity'    -Value $ProviderEnums.EventLogSeverityName[$event.Level];
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Source'      -Value ([string]($event.ProviderName));
+            $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Count'       -Value 1;
+
+        } else {
+            $EventLogQueryData.List.$EventHash.OldestEntry  = ([string]($event.TimeCreated));
+            $EventLogQueryData.List.$EventHash.Count       += 1;
+        }
+
+        if ((Test-PSCustomObjectMember -PSObject $EventLogQueryData.Events -Name $event.Id) -eq $FALSE) {
+            $EventLogQueryData.Events | Add-Member -MemberType NoteProperty -Name $event.Id -Value 1;
+        } else {
+            $EventLogQueryData.Events.($event.Id) += 1;
+        }
+    }
+
+    if ($null -ne $EventLogEntries) {
+        $EventLogEntries.Dispose();
+    }
+
+    $EventLogEntries = $null;
+    $EventLogFilter  = $null;
+    $EventIdFilter   = $null;
+    $EntryTypeFilter = $null;
+    $SourceFilter    = $null;
+    $UserFilter      = $null;
+    $TimeFilter      = $null;
+
+    return $EventLogQueryData;
+}