Open JonathanWamsley opened 1 month ago
Pinging code owners:
receiver/windowseventlog: @djaglowski @armstrmi @pjanotti
See Adding Labels via Comments if you do not have permissions to add labels yourself.
I like that the config would only change by the addition of an optional section that implicitly indicates whether remote collection is intended, and that the outputs would be the same.
My biggest concern is with the dependency. Neither the repo nor the author has any public history. The repo implements a protocol which would allow the collector to make remote procedure calls to external systems. The complexity of the protocol (or at least of the implementation) appears very high. All of this makes me question whether we can establish confidence that it does not introduce a security vulnerability. That said, I don't know anything about the protocol it implements, so maybe someone else with a more informed opinion would be able to confidently evaluate the risk. (cc @pjanotti in case you want to look into this)
I'm curious whether it'd be easier or not to just use EvtOpenSession and just pass the returned handle into the relevant functions (e.g. as the first param in evtSubscribe). Are there advantages to using the library over using the existing logic with a session handle from EvtOpenSession?
(was about to hit enter @BinaryFissionGames :) saying the same)
The Event API already handles remote operations, see EvtOpenSession and EVT_RPC_LOGIN. So no need to add a new dependency.
The first question that pops into my mind is how user friendly this is without some kind of automatic way to discover the remote servers. Is it reasonable to start with a list that requires knowing all targeted servers beforehand?
We should also think about the configuration carefully: a single set of credentials for a list of servers seems reasonable, and then multiple of such groups.
Removing needs triage as code owners have responded and have a general path forward here.
Hey @pjanotti sorry for the delay, I have updated the issue based on feedback. I think starting with a list of targeted servers will work. The way I have it implemented allows for a single set of credentials for a list of servers and/or multiple servers with multiple credentials in groups too. I used EvtOpenSession and EVT_RPC_LOGIN as @BinaryFissionGames and you suggested and got it working 😁.
Component(s)
receiver/windowseventlog
Is your feature request related to a problem? Please describe.
I'm proposing to enhance the existing windowseventlogreceiver to support remote collection of Windows event logs using the Windows API EvtOpenSession. This feature will allow the OpenTelemetry Collector to gather event logs from remote Windows machines without needing to be installed on the host machine. This capability is especially useful in environments where direct installation on the host is not feasible.
Describe the solution you'd like
As BinaryFissionGames and pjanotti mentioned, EvtOpenSession can be used to enable remote event log collection. This enhancement will include:
- EvtOpenSession to subscribe and collect Windows Event Logs.
- remote_server field, used on remote collection only.
Single server configuration:
Multiple servers with single credentials configuration:
Multiple servers with multiple credentials configuration:
Describe alternatives you've considered
Additional context
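The pre-flight check below is an added example, not code from this issue or from the collector. It reaches each target over the same Event Log remoting RPC path that EvtOpenSession with EVT_RPC_LOGIN uses, with the grouping proposed above (one credential for a list of servers, several such groups), so a server that fails here will also fail once the receiver subscribes to it. The server names, the accounts, and the field names of the $groups structure are placeholders for this example and are not the receiver's config schema.

```powershell
# Added example (not the issue's or the collector's code): pre-flight the
# targets the way the proposed receiver would reach them, i.e. over the
# Event Log remoting RPC, which is the same path EvtOpenSession/EVT_RPC_LOGIN
# uses. Run this on the collector host. Server names, accounts and the
# field names in $groups are placeholders, not the receiver's config schema.

# Proposal shape: one credential for a list of servers, several such groups.
$groups = @(
    @{ Servers    = @('dc01.corp.example', 'dc02.corp.example')
       Credential = Get-Credential -Message 'Reader account for domain controllers' },
    @{ Servers    = @('web01.corp.example')
       Credential = Get-Credential -Message 'Reader account for web tier' }
)

function Test-RemoteEventLogAccess {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string[]]                            $LogName = @('System', 'Security')
    )
    foreach ($log in $LogName) {
        try {
            # Reading the channel metadata remotely needs the RPC endpoint to be
            # reachable and the account to have read rights on that channel,
            # which are the same two things a subscription will need.
            $cfg = Get-WinEvent -ListLog $log -ComputerName $ComputerName `
                                -Credential $Credential -ErrorAction Stop
            [pscustomobject]@{ Server = $ComputerName; Log = $log
                               Status = 'ok'; Records = $cfg.RecordCount }
        } catch {
            # Typical causes: "Remote Event Log Management" firewall group
            # disabled on the target, wrong credentials, or the account is not
            # in the target's "Event Log Readers" group (access denied).
            [pscustomobject]@{ Server = $ComputerName; Log = $log
                               Status = "failed: $($_.Exception.Message)"; Records = $null }
        }
    }
}

$results = foreach ($g in $groups) {
    foreach ($server in $g.Servers) {
        Test-RemoteEventLogAccess -ComputerName $server -Credential $g.Credential
    }
}
$results | Format-Table -AutoSize

# On a target that fails, the fixes are applied there, not on the collector
# host (both commands need local admin on the target):
#   Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
#   Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CORP\svc-otel-reader'
```

The result is one row per server and channel, so a group whose credential works on System but not on Security shows up as an ACL problem on that channel rather than a connectivity problem. Because the receiver will hold these credentials in its config, the account used for a group should be a dedicated one whose only right on the targets is membership in Event Log Readers; nothing in the remote read path needs an administrative account.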