From fcd2d527362e37cb3ae6a225f48356fb48cb52df Mon Sep 17 00:00:00 2001 From: Lord Hepipud Date: Wed, 14 Feb 2024 11:09:36 +0100 Subject: [PATCH] Adds new Eventlog data provider --- doc/100-General/10-Changelog.md | 1 + .../core/Get-IcingaProviderFilterData.psm1 | 24 ++ .../core/New-IcingaProviderFilterObject.psm1 | 39 +++ .../Add-IcingaProviderEventlogFilterData.psm1 | 28 ++ .../Get-IcingaProviderDataValuesEventlog.psm1 | 20 ++ .../New-IcingaProviderFilterDataEventlog.psm1 | 258 ++++++++++++++++++ 6 files changed, 370 insertions(+) create mode 100644 lib/provider/core/Get-IcingaProviderFilterData.psm1 create mode 100644 lib/provider/core/New-IcingaProviderFilterObject.psm1 create mode 100644 lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1 create mode 100644 lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1 create mode 100644 lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1 diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md index f93a7f2..ff79675 100644 --- a/doc/100-General/10-Changelog.md +++ b/doc/100-General/10-Changelog.md @@ -24,6 +24,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic * [#631](https://github.com/Icinga/icinga-powershell-framework/pull/631) Deduplicates `-C try { Use-Icinga ...` boilerplate by adding it to the `PowerShell Base` template and removing it from every single command * [#669](https://github.com/Icinga/icinga-powershell-framework/pull/669) Adds new metric to the CPU provider, allowing for distinguishing between the average total load as well as the sum of it * [#679](https://github.com/Icinga/icinga-powershell-framework/pull/679) Adds a new data provider for fetching process information of Windows systems, while sorting all objects based on a process name and their process id +* [#682](https://github.com/Icinga/icinga-powershell-framework/pull/682) Adds new data provider for fetching Eventlog information to increase performance and reduce memory impact * [#688](https://github.com/Icinga/icinga-powershell-framework/pull/688) Adds new handling to add scheduled tasks in Windows for interacting with Icinga for Windows core functionality as well as an auto renewal task for the Icinga for Windows certificate generation * [#690](https://github.com/Icinga/icinga-powershell-framework/pull/690) Adds automatic renewal of the `icingaforwindows.pfx` certificate for the REST-Api daemon in case the certificate is not yet present, valid or changed during the runtime of the daemon while also making the `icingaforwindows.pfx` mandatory for all installations, regardless of JEA being used or not * [#692](https://github.com/Icinga/icinga-powershell-framework/pull/692) Renames `Restart-IcingaWindowsService` to `Restart-IcingaForWindows` and adds alias for backwards compatibility to start unifying the Icinga for Windows cmdlets diff --git a/lib/provider/core/Get-IcingaProviderFilterData.psm1 b/lib/provider/core/Get-IcingaProviderFilterData.psm1 new file mode 100644 index 0000000..3739a93 --- /dev/null +++ b/lib/provider/core/Get-IcingaProviderFilterData.psm1 @@ -0,0 +1,24 @@ +function Get-IcingaProviderFilterData() +{ + param ( + [string]$ProviderName = '', + [hashtable]$ProviderFilter = @() + ); + + [hashtable]$FilterResult = @{ }; + + foreach ($filterObject in $ProviderFilter.Keys) { + if ($filterObject.ToLower() -ne $ProviderName.ToLower()) { + continue; + } + + if ($FilterResult.ContainsKey($filterObject) -eq $FALSE) { + $FilterResult.Add( + $filterObject, + (New-IcingaProviderFilterObject -ProviderName $ProviderName -HashtableFilter $ProviderFilter[$filterObject]) + ); + } + } + + return $FilterResult; +} diff --git a/lib/provider/core/New-IcingaProviderFilterObject.psm1 b/lib/provider/core/New-IcingaProviderFilterObject.psm1 new file mode 100644 index 0000000..b2e9161 --- /dev/null +++ b/lib/provider/core/New-IcingaProviderFilterObject.psm1 @@ -0,0 +1,39 @@ +function New-IcingaProviderFilterObject() +{ + param ( + [string]$ProviderName = '', + [hashtable]$HashtableFilter = @{ } + ); + + if ([string]::IsNullOrEmpty($ProviderName)) { + return @{ }; + } + + [array]$ProviderFilterCmdlet = Get-Command ([string]::Format('New-IcingaProviderFilterData{0}', $ProviderName)) -ErrorAction SilentlyContinue; + + if ($null -eq $ProviderFilterCmdlet -Or $ProviderFilterCmdlet.Count -eq 0) { + return @{ }; + } + + if ((Test-IcingaForWindowsCmdletLoader -Path $ProviderFilterCmdlet[0].Module.ModuleBase) -eq $FALSE) { + return @{ }; + } + + $FilterResult = & $ProviderFilterCmdlet[0].Name @HashtableFilter; + + [string]$ObjectName = $ProviderName; + $CmdHelp = Get-Help ($ProviderFilterCmdlet[0].Name) -ErrorAction SilentlyContinue; + + if ($null -ne $CmdHelp) { + if ([string]::IsNullOrEmpty($CmdHelp.Role) -eq $FALSE) { + [string]$ObjectName = [string]($CmdHelp.Role); + } + } + + $CmdHelp = $null; + $ProviderFilterCmdlet = $null; + + return @{ + $ObjectName = $FilterResult; + }; +} diff --git a/lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1 b/lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1 new file mode 100644 index 0000000..70be540 --- /dev/null +++ b/lib/provider/logging/Add-IcingaProviderEventlogFilterData.psm1 @@ -0,0 +1,28 @@ +function Add-IcingaProviderEventlogFilterData() +{ + param( + [string]$EventFilter = '', + $StringBuilderObject = $null + ); + + if ($null -eq $StringBuilderObject -Or $StringBuilderObject.Length -eq 0) { + return $EventFilter; + } + + [string]$NewStringEntry = $StringBuilderObject.ToString(); + + $StringBuilderObject.Clear(); + $StringBuilderObject = $null; + + if ([string]::IsNullOrEmpty($NewStringEntry)) { + return $EventFilter; + } + + if ([string]::IsNullOrEmpty($EventFilter)) { + return $NewStringEntry; + } + + [string]$EventFilter = [string]::Format('{0} and {1}', $EventFilter, $NewStringEntry); + + return $EventFilter; +} diff --git a/lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1 b/lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1 new file mode 100644 index 0000000..50289c9 --- /dev/null +++ b/lib/provider/logging/Get-IcingaProviderDataValuesEventlog.psm1 @@ -0,0 +1,20 @@ +function Get-IcingaProviderDataValuesEventlog() +{ + param ( + [array]$IncludeFilter = @(), + [array]$ExcludeFilter = @(), + [hashtable]$ProviderFilter = @(), + [switch]$IncludeDetails = $FALSE + ); + + $EventlogData = New-IcingaProviderObject -Name 'Eventlog'; + [hashtable]$FilterObject = Get-IcingaProviderFilterData -ProviderName 'Eventlog' -ProviderFilter $ProviderFilter; + + $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'List' -Value $FilterObject.EventLog.Query.List; + $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'Events' -Value $FilterObject.EventLog.Query.Events; + $EventLogData.Metrics | Add-Member -MemberType NoteProperty -Name 'HasEvents' -Value $FilterObject.EventLog.Query.HasEvents; + + $FilterObject = $null; + + return $EventlogData; +} diff --git a/lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1 b/lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1 new file mode 100644 index 0000000..f4b5d60 --- /dev/null +++ b/lib/provider/logging/New-IcingaProviderFilterDataEventlog.psm1 @@ -0,0 +1,258 @@ +<# +.ROLE + Query +#> + +function New-IcingaProviderFilterDataEventlog() +{ + param( + [string]$LogName = '', + [array]$IncludeEventId = @(), + [array]$ExcludeEventId = @(), + [array]$IncludeUsername = @(), + [array]$ExcludeUsername = @(), + [array]$IncludeEntryType = @(), + [array]$ExcludeEntryType = @(), + [array]$IncludeMessage = @(), + [array]$ExcludeMessage = @(), + [array]$IncludeSource = @(), + [array]$ExcludeSource = @(), + [string]$EventsAfter = $null, + [string]$EventsBefore = $null, + [int]$MaxEntries = 40000, + [switch]$DisableTimeCache = $FALSE + ); + + [string]$EventLogFilter = ''; + $EventIdFilter = New-Object -TypeName 'System.Text.StringBuilder'; + $EntryTypeFilter = New-Object -TypeName 'System.Text.StringBuilder'; + $SourceFilter = New-Object -TypeName 'System.Text.StringBuilder'; + $UserFilter = New-Object -TypeName 'System.Text.StringBuilder'; + $TimeFilter = New-Object -TypeName 'System.Text.StringBuilder'; + $EventAfterFilter = $null; + $EventBeforeFilter = $null; + $EventsAfter = (Convert-IcingaPluginThresholds -Threshold $EventsAfter).Value; + $EventsBefore = (Convert-IcingaPluginThresholds -Threshold $EventsBefore).Value; + [string]$CheckHash = (Get-StringSha1 ($LogName + $IncludeEventId + $ExcludeEventId + $IncludeUsername + $ExcludeUsername + $IncludeEntryType + $ExcludeEntryType + $IncludeMessage + $ExcludeMessage)) + '.lastcheck'; + + if ([string]::IsNullOrEmpty($EventsAfter) -and $DisableTimeCache -eq $FALSE) { + $time = Get-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash; + Set-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash -Value ((Get-Date).ToFileTime()); + + if ($null -ne $time) { + $EventAfterFilter = ([datetime]::FromFileTime($time)).ToString("yyyy-MM-dd HH:mm:ss"); + } + } + + # In case we are not having cached time execution and not have not overwritten the timestamp, only fetch values from 2 hours in the past + if ([string]::IsNullOrEmpty($EventAfterFilter)) { + if ([string]::IsNullOrEmpty($EventsAfter)) { + [string]$EventAfterFilter = ([datetime]::Now.Subtract([TimeSpan]::FromHours(2))).ToString("yyyy-MM-dd HH:mm:ss"); + } else { + if ((Test-Numeric $EventsAfter)) { + [string]$EventAfterFilter = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($EventsAfter))).ToString('yyyy\/MM\/dd HH:mm:ss'); + } else { + [string]$EventAfterFilter = $EventsAfter; + } + } + } + + if ([string]::IsNullOrEmpty($EventsBefore) -eq $FALSE) { + if ((Test-Numeric $EventsBefore)) { + [string]$EventBeforeFilter = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($EventsBefore))).ToString("yyyy-MM-dd HH:mm:ss"); + } else { + [string]$EventBeforeFilter = $EventsBefore; + } + } else { + [string]$EventBeforeFilter = ([datetime]::FromFileTime(((Get-Date).ToFileTime()))).ToString("yyyy-MM-dd HH:mm:ss"); + } + + foreach ($entry in $IncludeEventId) { + if ($EventIdFilter.Length -ne 0) { + $EventIdFilter.Append( + ([string]::Format(' and EventID={0}', $entry)) + ) | Out-Null; + } else { + $EventIdFilter.Append( + ([string]::Format('EventID={0}', $entry)) + ) | Out-Null; + } + } + + foreach ($entry in $ExcludeEventId) { + if ($EventIdFilter.Length -ne 0) { + $EventIdFilter.Append( + ([string]::Format(' and EventID!={0}', $entry)) + ) | Out-Null; + } else { + $EventIdFilter.Append( + ([string]::Format('EventID!={0}', $entry)) + ) | Out-Null; + } + } + + foreach ($entry in $IncludeEntryType) { + [string]$EntryId = $ProviderEnums.EventLogSeverity[$entry]; + if ($EntryTypeFilter.Length -ne 0) { + $EntryTypeFilter.Append( + ([string]::Format(' and Level={0}', $EntryId)) + ) | Out-Null; + } else { + $EntryTypeFilter.Append( + ([string]::Format('Level={0}', $EntryId)) + ) | Out-Null; + } + } + + foreach ($entry in $ExcludeEntryType) { + [string]$EntryId = $ProviderEnums.EventLogSeverity[$entry]; + if ($EntryTypeFilter.Length -ne 0) { + $EntryTypeFilter.Append( + ([string]::Format(' and Level!={0}', $EntryId)) + ) | Out-Null; + } else { + $EntryTypeFilter.Append( + ([string]::Format('Level!={0}', $EntryId)) + ) | Out-Null; + } + } + + foreach ($entry in $IncludeSource) { + if ($SourceFilter.Length -ne 0) { + $SourceFilter.Append( + ([string]::Format(' and Provider[@Name="{0}"]', $entry)) + ) | Out-Null; + } else { + $SourceFilter.Append( + ([string]::Format('Provider[@Name="{0}"]', $entry)) + ) | Out-Null; + } + } + + foreach ($entry in $ExcludeSource) { + if ($SourceFilter.Length -ne 0) { + $SourceFilter.Append( + ([string]::Format(' and Provider[@Name!="{0}"]', $entry)) + ) | Out-Null; + } else { + $SourceFilter.Append( + ([string]::Format('Provider[@Name!="{0}"]', $entry)) + ) | Out-Null; + } + } + + foreach ($entry in $IncludeUsername) { + [string]$UserSID = (Get-IcingaUserSID -User $entry); + if ($UserFilter.Length -ne 0) { + $UserFilter.Append( + ([string]::Format(' and Security[@UserID="{0}', $UserSID)) + ) | Out-Null; + } else { + $UserFilter.Append( + ([string]::Format('Security[@UserID="{0}"]', $UserSID)) + ) | Out-Null; + } + } + + foreach ($entry in $ExcludeUsername) { + [string]$UserSID = (Get-IcingaUserSID -User $entry); + if ($UserFilter.Length -ne 0) { + $UserFilter.Append( + ([string]::Format(' and Security[@UserID!="{0}"]', $UserSID)) + ) | Out-Null; + } else { + $UserFilter.Append( + ([string]::Format('Security[@UserID!="{0}"]', $UserSID)) + ) | Out-Null; + } + } + + $TimeFilter.Append( + ([string]::Format('TimeCreated[@SystemTime>="{0}"]', (Get-Date $EventAfterFilter).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ssZ"))) + ) | Out-Null; + + $TimeFilter.Append( + ([string]::Format(' and TimeCreated[@SystemTime<="{0}"]', (Get-Date $EventBeforeFilter).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ssZ"))) + ) | Out-Null; + + [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $EventIdFilter; + [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $EntryTypeFilter; + [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $SourceFilter; + [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $UserFilter; + [string]$EventLogFilter = Add-IcingaProviderEventlogFilterData -EventFilter $EventLogFilter -StringBuilderObject $TimeFilter; + + while ($EventLogFilter[0] -eq ' ') { + $EventLogFilter = $EventLogFilter.Substring(1, $EventLogFilter.Length - 1); + } + + [string]$EventLogFilter = [string]::Format('Event[System[{0}]]', $EventLogFilter); + + try { + $EventLogEntries = Get-WinEvent -LogName $LogName -MaxEvents $MaxEntries -FilterXPath $EventLogFilter -ErrorAction Stop; + } catch { + Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'ParameterArgumentValidationError' -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogNegativeEntries; + Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'CannotConvertArgumentNoMessage' -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogNoMessageEntries; + Exit-IcingaThrowException -InputString $_.FullyQualifiedErrorId -StringPattern 'NoMatchingLogsFound' -CustomMessage (-Join $LogName) -ExceptionList $IcingaPluginExceptions -ExceptionType 'Input' -ExceptionThrown $IcingaPluginExceptions.Inputs.EventLogLogName; + } + + $EventLogQueryData = New-Object PSCustomObject; + $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'List' -Value (New-Object PSCustomObject); + $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'Events' -Value (New-Object PSCustomObject); + $EventLogQueryData | Add-Member -MemberType NoteProperty -Name 'HasEvents' -Value $FALSE; + + foreach ($event in $EventLogEntries) { + # Filter out remaining message not matching our filter + if ((Test-IcingaArrayFilter -InputObject $event.Message -Include $IncludeMessage -Exclude $ExcludeMessage) -eq $FALSE) { + continue; + } + + $EventLogQueryData.HasEvents = $TRUE; + + [string]$EventIdentifier = [string]::Format('{0}-{1}', + $event.Id, + $event.ProviderName + ); + + [string]$EventHash = Get-StringSha1 $EventIdentifier; + + if ((Test-PSCustomObjectMember -PSObject $EventLogQueryData.List -Name $EventHash) -eq $FALSE) { + [string]$EventMessage = [string]($event.Message); + if ([string]::IsNullOrEmpty($EventMessage)) { + $EventMessage = ''; + } + + $EventLogQueryData.List | Add-Member -MemberType NoteProperty -Name $EventHash -Value (New-Object PSCustomObject); + $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'NewestEntry' -Value ([string]($event.TimeCreated)); + $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'OldestEntry' -Value ([string]($event.TimeCreated)); + $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'EventId' -Value ([string]($event.Id)); + $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Message' -Value $EventMessage; + $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Severity' -Value $ProviderEnums.EventLogSeverityName[$event.Level]; + $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Source' -Value ([string]($event.ProviderName)); + $EventLogQueryData.List.$EventHash | Add-Member -MemberType NoteProperty -Name 'Count' -Value 1; + + } else { + $EventLogQueryData.List.$EventHash.OldestEntry = ([string]($event.TimeCreated)); + $EventLogQueryData.List.$EventHash.Count += 1; + } + + if ((Test-PSCustomObjectMember -PSObject $EventLogQueryData.Events -Name $event.Id) -eq $FALSE) { + $EventLogQueryData.Events | Add-Member -MemberType NoteProperty -Name $event.Id -Value 1; + } else { + $EventLogQueryData.Events.($event.Id) += 1; + } + } + + if ($null -ne $EventLogEntries) { + $EventLogEntries.Dispose(); + } + + $EventLogEntries = $null; + $EventLogFilter = $null; + $EventIdFilter = $null; + $EntryTypeFilter = $null; + $SourceFilter = $null; + $UserFilter = $null; + $TimeFilter = $null; + + return $EventLogQueryData; +}