fix: in "agent child" mode log should go to C:\ProgramData\logs

logdna · Feb 7, 2023 · cfe3204 · cfe3204
1 parent 17ab23e
commit cfe3204
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 15 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "winevt-tailer"
-version = "0.3.3"
+version = "0.3.4"
 description = 'Windows Event Log Tailer'
 authors = ["Dmitri Khokhlov <dkhokhlov@gmail.com>"]
 maintainers = ["Dmitri Khokhlov <dkhokhlov@gmail.com>"]

diff --git a/winevt_tailer/consts.py b/winevt_tailer/consts.py
@@ -25,6 +25,19 @@
 bookmarks_dir: "''' + DEFAULT_DATA_DIR + '''"
 '''
 
+DEFAULT_CONFIG_FOR_AGENT = '''\
+channels:
+   - name: Application
+     query: "*"
+   - name: System
+     query: "*"
+transforms:
+    - winevt_tailer.transforms.xml_remove_binary
+    - winevt_tailer.transforms.xml_render_message
+    - winevt_tailer.transforms.xml_to_json
+bookmarks_dir: "''' + DEFAULT_DATA_DIR + '''"
+'''
+
 DEFAULT_CONFIG_FOR_CONSOLE = '''\
 channels:
    - name: Application
@@ -50,7 +63,6 @@
 handlers:
   file_tail:  # tail output, message only
     class: winevt_tailer.utils.RotatingFileHandler
-    formatter: msg_only
     filename: "''' + DEFAULT_LOG_DIR + '''/windows_{0}.log"
     level: INFO
     formatter: msg_only
@@ -59,7 +71,6 @@
     encoding: utf8
   file_svc:  # Service log
     class: winevt_tailer.utils.RotatingFileHandler
-    formatter: msg_only
     filename: "''' + DEFAULT_LOG_DIR + '''/''' + TAILER_TYPE + '''_{0}.log"
     level: INFO
     formatter: simple
@@ -75,6 +86,37 @@
   handlers: [file_svc]
 '''
 
+DEFAULT_LOGGING_FOR_AGENT = '''\
+version: 1
+disable_existing_loggers: true
+formatters:
+  simple:
+    format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+  msg_only:
+    format: '%(message)s'
+handlers:
+  stdout: # tail output
+    class: logging.StreamHandler
+    level: INFO
+    formatter: msg_only
+    stream: ext://sys.stdout
+  file_svc:  # Service log
+    class: winevt_tailer.utils.RotatingFileHandler
+    filename: "''' + DEFAULT_LOG_DIR + '''/''' + TAILER_TYPE + '''_{0}.log"
+    level: INFO
+    formatter: simple
+    maxBytes: 10000000
+    backupCount: 1
+    encoding: utf8
+loggers:
+  tail_out:
+      level: INFO
+      handlers: [stdout]
+root: # all log
+  level: INFO
+  handlers: [file_svc]
+'''
+
 DEFAULT_LOGGING_FOR_CONSOLE = '''\
 version: 1
 disable_existing_loggers: true

diff --git a/winevt_tailer/main.py b/winevt_tailer/main.py
@@ -17,8 +17,8 @@ def main(argv: dict = None) -> int:
     assert args.name
     tailer_name = args.name
     tailer_service_name = f'{consts.TAILER_TYPE}_{tailer_name}'
-    is_agent_child = utils.is_agent_child()  # started by agent
-    is_service = utils.is_service() and not is_agent_child
+    is_agent_child = True # utils.is_agent_child()  # started by agent
+    is_service = True # utils.is_service()
 
     # print windows event channels to stdout and exit
     if args.list:
@@ -28,7 +28,7 @@ def main(argv: dict = None) -> int:
         return 0
 
     # collect config from various sources
-    tailer_config_dict, logging_config_dict = opts.get_config(args, is_service)
+    tailer_config_dict, logging_config_dict = opts.get_config(args, is_service, is_agent_child)
 
     # cli args override other config sources
     if args.lookback is not None:
@@ -87,7 +87,7 @@ def main(argv: dict = None) -> int:
         log.info('Reset completed')
         return 0
 
-    if is_service:
+    if is_service and not is_agent_child:
         # service mode
         # log effective config
         yaml_str = utils.compose_effective_config(tailer_name, tailer_config_dict, logging_config_dict)

diff --git a/winevt_tailer/opts.py b/winevt_tailer/opts.py
@@ -118,7 +118,7 @@ def parse_tailer_config(config_dict):
     return config
 
 
-def get_config(args: object, is_service: bool) -> (dict, dict):
+def get_config(args: object, is_service: bool, is_agent_child: bool) -> (dict, dict):
     """
     Collect tailer and logging configs from multiple sources (later overrides former):
     - default build-in
@@ -132,26 +132,28 @@ def get_config(args: object, is_service: bool) -> (dict, dict):
     Args:
         args: argparse output
         is_service: true if running as service
+        is_agent_child: true if running as agent child
     Returns:
         (dict,dict): returns tailer_config_dict, logging_config_dict
     """
-    if is_service:
+    if is_service and not is_agent_child:
         tailer_config_dict = yaml.safe_load(consts.DEFAULT_CONFIG_FOR_SERVICE.format(args.name))
         # service log and tail output go to different files in c:/ProgramData/logs
         logging_config_dict = yaml.safe_load(consts.DEFAULT_LOGGING_FOR_SERVICE.format(args.name))
+    elif is_agent_child:
+        tailer_config_dict = yaml.safe_load(consts.DEFAULT_CONFIG_FOR_AGENT.format(args.name))
+        # tailer log goes to c:/ProgramData/logs, while tail output goes to stdout
+        logging_config_dict = yaml.safe_load(consts.DEFAULT_LOGGING_FOR_AGENT.format(args.name))
     else:
         tailer_config_dict = yaml.safe_load(consts.DEFAULT_CONFIG_FOR_CONSOLE.format(args.name))
         # in cli mode log goes to stderr, while stdout is used for tail output only
         logging_config_dict = yaml.safe_load(consts.DEFAULT_LOGGING_FOR_CONSOLE.format(args.name))
-    # from file
+    # from config file
     if args.config_file:
         with args.config_file as f:
-            config_file_dict = yaml.safe_load(f)
-            config_tailers_dict = config_file_dict.get(consts.TAILER_TYPE)
-            if not config_tailers_dict:
-                raise errors.ConfigError(f'Missing "{consts.TAILER_TYPE}" section in config file: {f.name}')
+            config_tailers_dict = yaml.safe_load(f).get(consts.TAILER_TYPE, {})
             tailer_config_dict.update(config_tailers_dict.get(args.name, {}))
-            logging_config_dict.update(config_file_dict.get('logging', {}))
+            logging_config_dict.update(config_tailers_dict.get('logging', {}))
     # tailer config from env vars and args
     tailer_env = os.getenv('TAILER_CONFIG')
     tailer_env = os.getenv(f'TAILER_CONFIG_{args.name.upper()}', tailer_env)