Skip to content

Commit

Permalink
[winlogbeat] Fix how we check for dynamic values in message templates (
Browse files Browse the repository at this point in the history
…#41730) (#41745)

* Fix how we check for dynamic values in message templates

* Fix test

* Remove dokan1 test

(cherry picked from commit 61df1f2)

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
  • Loading branch information
mergify[bot] and marc-gr authored Nov 22, 2024
1 parent ddf9050 commit 3cd5905
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 5 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,8 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]

*Winlogbeat*

- Fix message handling in the experimental api. {issue}19338[19338] {pull}41730[41730]


*Elastic Logging Plugin*

Expand Down
24 changes: 19 additions & 5 deletions winlogbeat/sys/wineventlog/metadata_store.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"strings"
"sync"
"text/template"
"text/template/parse"

"go.uber.org/multierr"

Expand Down Expand Up @@ -420,16 +421,29 @@ func (em *EventMetadata) setMessage(msg string) error {
return fmt.Errorf("failed to parse message template for event ID %v (template='%v'): %w", em.EventID, msg, err)
}

// One node means there were no parameters so this will optimize that case
// by using a static string rather than a text/template.
if len(tmpl.Root.Nodes) == 1 {
em.MsgStatic = msg
} else {
// If there is no dynamic content in the template then we can use a static message.
if containsTemplatedValues(tmpl) {
em.MsgTemplate = tmpl
} else {
em.MsgStatic = msg
}
return nil
}

// containsTemplatedValues traverses the template nodes to check if there are
// any dynamic values.
func containsTemplatedValues(tmpl *template.Template) bool {
// Walk through the parsed nodes and look for actionable template nodes
for _, node := range tmpl.Tree.Root.Nodes {
switch node.(type) {
case *parse.ActionNode, *parse.CommandNode,
*parse.IfNode, *parse.RangeNode, *parse.WithNode:
return true
}
}
return false
}

func (em *EventMetadata) equal(other *EventMetadata) bool {
if em == other {
return true
Expand Down

0 comments on commit 3cd5905

Please sign in to comment.