Agent Health Metric for Windows Events Filtering #1787

Open
wants to merge 1 commit into
base: feature/windows-regex-filtering

Paamicky
Collaborator

Description of the issue

Currently, there is no way to know the number of customers using the Windows event filtering in the Agent's configuration. This PR addresses this issue by adding the feature as part of the user-agent string for detection during API calls to CloudWatch.

Description of changes

  • Detection logic for when a particular filter is used in the agent JSON configuration file.
  • Filter flag is added to the user-agent input string and recorded during API calls to CloudWatch.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

Filter flags have been added to the user-agent input string.

POST / HTTP/1.1
Host: logs.us-east-2.amazonaws.com
User-Agent: CWAgent/1.300056.1-7-g037fe7f6-untracked (go1.24.4; windows; amd64) ID/ad6e9ec7-f161-494a-87ba-b546b420dadd inputs:(nop run_as_user windows_event_filters windows_event_ids windows_event_levels windows_event_log) outputs:(cloudwatchlogs nop) aws-sdk-go/1.48.6 (go1.24.4; windows; amd64) exec-env/EC2
Content-Length: 251
Authorization: AWS4-HMAC-SHA256 Credential=ASIAS3VO6ZR4K5ECXB6Q/20250721/us-east-2/logs/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-agent-stats;x-amz-date;x-amz-security-token;x-amz-target, Signature=eadcd0c0c03140c8083dc4089b4abe41090bc11fd29a120b212fc222dd3438de
Content-Encoding: gzip
Content-Type: application/x-amz-json-1.1
X-Amz-Agent-Stats: "cpu":17.8,"mem":61575168,"th":15,"ric":0,"rt":"EC2M","m":"EC2"
X-Amz-Date: 20250721T135521Z
X-Amz-Target: Logs_20140328.PutLogEvents
Accept-Encoding: gzip

Dashboard showing usage of filters: Team Dashboard

Requirements

Before committing your code, please do the following steps.

  1. Run make fmt and make fmt-sh
  2. Run make lint

Integration Tests

To run integration tests against this PR, add the ready for testing label.

@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from 615200a to 9fb255f Compare July 22, 2025 16:18
@@ -34,6 +35,9 @@ const (
flagSELinux = "selinux"
flagROSA = "rosa"
separator = " "
flagWindowsEventIDs = "windows_event_ids"
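Review bot: flagWindowsEventIDs is declared after separator, so the new flag constant is split from the flagSELinux/flagROSA group by a non-flag value; place the new flag* constants directly after flagROSA and keep separator last. A one-line comment noting that these values are reported in the inputs:(...) section of the User-Agent, as the test request in the description shows, would also document why they exist.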
Contributor

could you move this under flagROSA?

	flagSELinux                   = "selinux"
	flagROSA                      = "rosa"
	flagWindowsEventIDs           = "windows_event_ids"
	flagWindowsEventFilters       = "windows_event_filters"
	flagWindowsEventLevels        = "windows_event_levels"
	separator                     = " "

@@ -6,6 +6,7 @@ package useragent
import (
"fmt"
"os"
"reflect"
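Review bot: the added "reflect" import has no use visible in this hunk, and nothing here says what it validates. If it only checks the concrete type of a config value, a type assertion or type switch does that without reflection; otherwise a short comment at the call site stating which type is expected would answer the question for the next reader.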
Contributor

what is this?

Contributor

Looks like reflect is used for type validation below

@@ -74,6 +78,35 @@ var _ UserAgent = (*userAgent)(nil)
func (ua *userAgent) SetComponents(otelCfg *otelcol.Config, telegrafCfg *telegraf.Config) {
for _, input := range telegrafCfg.Inputs {
ua.inputs.Add(input.Config.Name)

if input.Config.Name == "windows_event_log" {
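Review bot: the comparison input.Config.Name == "windows_event_log" in SetComponents uses a bare string literal, while the flag names added in this PR are named constants; define a constant for the input name and compare against that. Because this branch runs inside the loop that feeds ua.inputs, and that set is sent in the User-Agent on API calls to CloudWatch, moving the detection into a small helper that returns only fixed flag names would make it easy to unit test that no configured filter values are ever added to the string.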
Contributor

nit: can we not nest this?

@okankoAMZ okankoAMZ marked this pull request as ready for review July 22, 2025 21:09
@okankoAMZ okankoAMZ requested a review from a team as a code owner July 22, 2025 21:09