Skip to content

Add windows event regex filtering to CWAgent #1764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Add windows event regex filtering to CWAgent #1764

wants to merge 17 commits into from

Conversation

Paamicky
Copy link
Collaborator

@Paamicky Paamicky commented Jul 9, 2025
edited
Loading

Description of the issue

The CloudWatch Agent currently filters Windows Event Logs based on security levels (i.e Error, Critical, Information...). This does not allow customers to collect specific and relevant logs to CloudWatch

This PR is draft; waiting on the event_id feature PR to be merged first.

Description of changes

  • Add regex filtering to the CWAgent Windows logs collection
  • Add rule for filtering validation
  • Add new files for testing purposes

sample configuration of regex filtering

"logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "Application",
            "log_group_name": "{instance_id}",
            "log_stream_name": "ApplicationEvents",
            "filters": [
              {
                "type": "include",
                "expression": "Database.*failed|Authentication.*|login.*"
              }
            ]
          },
          {
            "event_name": "Application", 
            "log_group_name": "{instance_id}",
            "log_stream_name": "ApplicationEvents2",
            "filters": [
              {
                "type": "include",
                "expression": ".*user.*"
              },
              {
                "type": "exclude",
                "expression": ".*failed.*"
              }
            ]
          }
      }
    }
}

Caution

This PR has a testing PR linked to here:aws/amazon-cloudwatch-agent-test#555, merge this first.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

  • Added unit tests for regex validation and processing
  • Manually tested on Windows servers to verify events are properly filtered by regex
  • Verified backward compatibility with existing configurations.

Integration test showing Regex filtering passed for all Windows OS Regex Filtering

Requirements

Before commiting your code, please do the following steps.

  1. Run make fmt and make fmt-sh
  2. Run make lint

Integration Tests

To run integration tests against this PR, add the ready for testing label.

@Paamicky Paamicky requested review from lisguo, dricross and okankoAMZ July 9, 2025 20:27
@Paamicky Paamicky changed the title Add windows event regex filtering Add windows event regex filtering to CWAgent Jul 9, 2025
dricross
dricross reviewed Jul 10, 2025
View reviewed changes
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 17f2d7f to a198283 Compare July 10, 2025 18:36
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from a5f4df9 to f7337c8 Compare July 11, 2025 16:54
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 5c8f615 to 10f9f0a Compare July 11, 2025 18:28
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from f7337c8 to 1fd0ae9 Compare July 11, 2025 19:01
@okankoAMZ okankoAMZ marked this pull request as ready for review July 11, 2025 19:02
@okankoAMZ okankoAMZ requested a review from a team as a code owner July 11, 2025 19:02
@okankoAMZ okankoAMZ added the ready for testing Indicates this PR is ready for integration tests to run label Jul 11, 2025
lisguo
lisguo reviewed Jul 14, 2025
View reviewed changes
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from 1927170 to 0783b84 Compare July 15, 2025 15:45
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 0783b84 to 94fcd20 Compare July 15, 2025 16:05
Base automatically changed from feature/windows-eventId-filtering to main July 21, 2025 18:29
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from 27765e3 to 615200a Compare July 21, 2025 22:11
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 615200a to 9fb255f Compare July 22, 2025 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lisguo lisguo lisguo left review comments

@dricross dricross dricross left review comments

@okankoAMZ okankoAMZ Awaiting requested review from okankoAMZ

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
ready for testing Indicates this PR is ready for integration tests to run
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Paamicky @lisguo @dricross @okankoAMZ