Skip to content

Add windows event regex filtering to CWAgent #1764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 17 commits into from
Jul 23, 2025
Merged

Add windows event regex filtering to CWAgent #1764

merged 17 commits into from
Jul 23, 2025

Conversation

Paamicky
Copy link
Collaborator

@Paamicky Paamicky commented Jul 9, 2025
edited
Loading

Description of the issue

The CloudWatch Agent currently filters Windows Event Logs based on security levels (i.e Error, Critical, Information...). This does not allow customers to collect specific and relevant logs to CloudWatch

Description of changes

  • Add regex filtering to the CWAgent Windows logs collection
  • Add rule for filtering validation
  • Add new files for testing purposes

sample configuration of regex filtering

"logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "Application",
            "log_group_name": "{instance_id}",
            "log_stream_name": "ApplicationEvents",
            "filters": [
              {
                "type": "include",
                "expression": "Database.*failed|Authentication.*|login.*"
              }
            ]
          },
          {
            "event_name": "Application", 
            "log_group_name": "{instance_id}",
            "log_stream_name": "ApplicationEvents2",
            "filters": [
              {
                "type": "include",
                "expression": ".*user.*"
              },
              {
                "type": "exclude",
                "expression": ".*failed.*"
              }
            ]
          }
      }
    }
}

Caution

This PR has a testing PR linked to here:aws/amazon-cloudwatch-agent-test#555, merge this first.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

  • Added unit tests for regex validation and processing
  • Manually tested on Windows servers to verify events are properly filtered by regex
  • Verified backward compatibility with existing configurations.

Integration test showing Regex filtering passed for all Windows OS Regex Filtering

Requirements

Before commiting your code, please do the following steps.

  1. Run make fmt and make fmt-sh
  2. Run make lint

Integration Tests

To run integration tests against this PR, add the ready for testing label.

@Paamicky Paamicky requested review from lisguo, dricross and okankoAMZ July 9, 2025 20:27
@Paamicky Paamicky changed the title Add windows event regex filtering Add windows event regex filtering to CWAgent Jul 9, 2025
dricross
dricross reviewed Jul 10, 2025
View reviewed changes
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 17f2d7f to a198283 Compare July 10, 2025 18:36
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from a5f4df9 to f7337c8 Compare July 11, 2025 16:54
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 5c8f615 to 10f9f0a Compare July 11, 2025 18:28
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from f7337c8 to 1fd0ae9 Compare July 11, 2025 19:01
@okankoAMZ okankoAMZ marked this pull request as ready for review July 11, 2025 19:02
@okankoAMZ okankoAMZ requested a review from a team as a code owner July 11, 2025 19:02
@okankoAMZ okankoAMZ added the ready for testing Indicates this PR is ready for integration tests to run label Jul 11, 2025
lisguo
lisguo reviewed Jul 14, 2025
View reviewed changes
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from 1927170 to 0783b84 Compare July 15, 2025 15:45
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 0783b84 to 94fcd20 Compare July 15, 2025 16:05
Base automatically changed from feature/windows-eventId-filtering to main July 21, 2025 18:29
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from 27765e3 to 615200a Compare July 21, 2025 22:11
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 615200a to 9fb255f Compare July 22, 2025 16:18
okankoAMZ
okankoAMZ approved these changes Jul 23, 2025
View reviewed changes
.github/workflows/test-artifacts.yml
terraform destroy -auto-approve
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: unnecessary change

@Paamicky Paamicky merged commit 92115e8 into main Jul 23, 2025
213 of 224 checks passed
@Paamicky Paamicky deleted the feature/windows-regex-filtering branch July 23, 2025 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lisguo lisguo lisguo left review comments

@dricross dricross dricross approved these changes

@okankoAMZ okankoAMZ okankoAMZ approved these changes

Assignees
No one assigned
Labels
ready for testing Indicates this PR is ready for integration tests to run
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Paamicky @lisguo @dricross @okankoAMZ